Outsmarting and Instagram hacker?

[veebs]

I have come here to seek advice from the hacking experts. Is there a way to protect an Instagram account that is repeatedly being hacked/stolen? In the last week our company's account has been hacked 5 times and we have gone through all the steps (that we know of) to eliminate the variables: changed passwords/emails, revoked access to other apps, logged in with new devices etc. Can anyone give me advice and help to eliminate this hassle? Thanks

[Stackprotector]

Lol, you probably have a leak somewhere. When you tried everything from re-installing to only using the account on a different PC on a different network with a specially made email account, then i assume it's somebody you know who is doing it. Can you get the IP of the hacker that log's into the twitter account? Can you set-up 2 way verification?

[veebs]

I know very little about coding and hacking however we believe this person is finding a way in through the access_token, which is evidently a weak spot in Instagram/Facebook's security. We are positive it is not someone we know because at this point only one person has the login information. Bear with me now as I ask: how might I figure out "the IP of the hacker that log's into the (instagram) account" and how could we set up 2 way verification for Instagram?

[veebs]

It looks like Instagram doesn't have an option for 2-way verification.

[rasenove]

It could be that the Instagram itself is vulnerable and the hacker is exploring it. Use another Instagram if possible and see what happens..

[proxx]

I know very little about coding and hacking however we believe this person is finding a way in through the access_token, which is evidently a weak spot in Instagram/Facebook's security. We are positive it is not someone we know because at this point only one person has the login information. Bear with me now as I ask: how might I figure out "the IP of the hacker that log's into the (instagram) account" and how could we set up 2 way verification for Instagram?

Not saying it is unhackable but don't exepect bugs like that to exist very long.
I agree with Factionwars.
Either a pc is infected with malware and or contains a backdoor of some kind.
That or there is somenoe in your email account so he can reset the password.

[Pak_Track]

Yep, most likely a problem on your end. I know someone who used a phishing page to get his friends login info, about 3 times in a row. The dude ended up changing his account
Who knows of the login info?

[veebs]

So here is the history of the situation: About three months ago our company purchased the Instagram handle from a user. He dropped the name while we simultaneously changed our existing profile to the new handle. At that time we had only two iPhone devices that ever logged into the application and one email address connected. Once the hacking began (last week) we got the account back with the help of Instagram admin and changed the password as well as email address associated. We also narrowed the devices down to one iPhone logging in AND the new email was accessed from a different Mac computer. Since then our account has been re-hacked probably 10 times, we have tried creating brand new email addresses, using emails of people outside of the company's network, etc. We have also reset our company's wifi information as an additional paranoid remedy.


Back to the user access_token theory: If at one point one of our devices granted access to a third party claiming to be an app, a hacker could have retrieved our token, and as I understand, has access to our profile eternally or until we revoke access. I followed this process as outlined on Instagrams support page as though I was a third party app (http://instagram.com/developer/authentication/) and retrieve my own Client ID and Client Secret by sending myself an OAuth request. OAuth basically masks the request to login as though it is Instagram asking and once a user logs in you can retrieve their ID when it redirects you to whatever website you have requested. Here is someone doing that same thing: " http://www.breaksec.com/?p=6164 ". At this point I'm trying to figure out how to revoke the access_token even though there is no physical app attached.   Did any of that make sense?