Messages - veebs

1
Hacking and Security / Re: Outsmarting an Instagram hacker?
« on: October 07, 2014, 09:29:09 pm »
So here is the history of the situation: About three months ago our company purchased the Instagram handle from a user. He dropped the name while we simultaneously changed our existing profile to the new handle. At that time we had only two iPhone devices that ever logged into the application and one email address connected. Once the hacking began (last week) we got the account back with the help of Instagram admin and changed the password as well as email address associated. We also narrowed the devices down to one iPhone logging in AND the new email was accessed from a different Mac computer. Since then our account has been re-hacked probably 10 times, we have tried creating brand new email addresses, using emails of people outside of the company's network, etc. We have also reset our company's wifi information as an additional paranoid remedy.


Back to the user access_token theory: If at one point one of our devices granted access to a third party claiming to be an app, a hacker could have retrieved our token, and as I understand, has access to our profile eternally or until we revoke access. I followed this process as outlined on Instagram's support page as though I was a third party app (http://instagram.com/developer/authentication/) and retrieved my own Client ID and Client Secret by sending myself an OAuth request. OAuth basically masks the request to login as though it is Instagram asking and once a user logs in you can retrieve their ID when it redirects you to whatever website you have requested. Here is someone doing that same thing: "http://www.breaksec.com/?p=6164". At this point I'm trying to figure out how to revoke the access_token even though there is no physical app attached. Did any of that make sense?

2
Hacking and Security / Re: Outsmarting an Instagram hacker?
« on: October 07, 2014, 06:38:04 pm »
It looks like Instagram doesn't have an option for 2-way verification.

3
Hacking and Security / Re: Outsmarting an Instagram hacker?
« on: October 06, 2014, 09:39:34 pm »
I know very little about coding and hacking; however, we believe this person is finding a way in through the access_token, which is evidently a weak spot in Instagram/Facebook's security. We are positive it is not someone we know because at this point only one person has the login information. Bear with me now as I ask: how might I figure out "the IP of the hacker that log's into the (instagram) account" and how could we set up 2 way verification for Instagram?

4
Hacking and Security / Outsmarting an Instagram hacker?
« on: October 06, 2014, 09:09:48 pm »
I have come here to seek advice from the hacking experts. Is there a way to protect an Instagram account that is repeatedly being hacked/stolen? In the last week our company's account has been hacked 5 times and we have gone through all the steps (that we know of) to eliminate the variables: changed passwords/emails, revoked access to other apps, logged in with new devices etc. Can anyone give me advice and help to eliminate this hassle? Thanks 8)
