You are here

How Instagram’s two-factor authentication almost cost a retailer his critical account

Published September 14, 2022

 

A version of this article ran in the September issue of Bicycle Retailer & Industry News.

By Dan Roe

Allo Vélo’s 9,000-follower account became a crypto mining platform after Lamar Timmins fell victim to a common and sometimes irreversible Instagram hack. 

For the past decade, Timmons, who owns the Montreal shop, has used its Instagram account to promote urban cycling, showing followers around the globe how European-style cargo and electric bikes can bring convenience, community and relaxation.

He occasionally took out paid ads on the platform, but mostly used the account to project his passion to an organically grown audience. This June, he was using the account to organize Montreal’s first cargo bike criterium as part of Jackalope, the city’s annual action sports festival.

But hackers had other plans. In late June, Timmins lost access in a hack that spammed his main page and follower list with marketing materials for a crypto mining class. In the three-week ordeal of recovering his account, Timmins learned that Instagram’s own two-factor authentication features enabled the hack, and that the company has minimal infrastructure to help users who fall victim to the same type of scheme. 

“It’s like someone steals the key to your business and you can’t get in anymore,” Timmins said. 

On June 24, Timmins received a direct message from a friend who said he had just been “approved for IG verification blue badge” but needed Timmins’ help to finish verifying his account. Unbeknownst to Timmins, the friend had already been hacked by someone who then attempted to log into Timmins’ account via two-factor authentication. Using only Timmins’ username, the hacker prompted Instagram to send Timmins a text message with a login link to his own account, which the hacker instructed him to screenshot but not click on. 

Once Timmins sent the screenshot of the unique login link for the Allo Vélo account to the hacker, they logged into his account and changed the password, locking Timmins out. Canada’s Daily Hive, the news outlet that initially chronicled Timmins’ hack, found other recent instances of the same hack, including one hack that hit a custom jeweler who conducted a substantial portion of her business on the app

“We’re a small account but we’ve spent a few thousand dollars on ads,” Timmins said. “Think of all the business owners who for them, that’s their livelihood.”

Timmins followed Meta’s instructions for recovering his password. He had set up two-factor authentication with an email address and his phone number, and Meta prompted him to request a six-digit recovery code through the Instagram login screen. But when he tried Instagram’s recovery code, he ran into another level of security that the hacker enabled after taking Timmins’ account: Google Authenticator, a third-party, two-step verification system that Instagram supports within its security settings. 

With that, the unfortunate retailer became the victim of a popular Instagram phishing scam involving text message two-factor authentication and third-party authenticator apps. The hack has separated everyday users and businesses, tech bloggers and NFT collectives from their accounts since Instagram began supporting the third-party apps in 2018. 

Hackers move through follower lists, hacking into your friend’s account in order to hack your account and those of your followers, who get the same innocuous message from you. Posing as someone you know, the intruder sends you an Instagram DM asking for help verifying their account — all you have to do is screenshot a text message that Instagram sends you and send it back to them in the same chat, but don’t click the link. 

They tell you not to click the link because they just told Instagram that you forgot your password (only your public-facing username is needed for this step), thereby prompting the app to send you the text message with sensitive login information. Once you reply with the screenshot of the text message, the hacker logs into your account and changes the password, kicking you out. 

Timmins expected the hacker to change the email and phone number associated with his account, too, separating him from the two-factor authentication he set up through the app. Instead, the hacker left them in place but moved onto Google Authenticator. Users can enable the third-party app in Instagram’s security settings, and hackers can use it to redirect password recovery messages to their email address rather than yours. 

Numerous hack victims who posted their stories online said Instagram and Meta were unable to help them recover their accounts because the hacker used a third-party app — despite the fact that Instagram integrated those apps into their platform for additional security.

“They have no phone number, no type of support. I ended up emailing the email address they used to send me a passcode and tried to give information, but I got no response,” Timmins said. 

Instagram suggested he take a selfie that the app could use to match his face to the account, but Timmins rarely posted photos of himself to his Allo Vélo profile. After Facebook Business support staff escalated the matter, he received a call from an employee who walked him through the same steps the app recommends to all users. “He’s like, ‘this is not my department, I can’t do much more,’” Timmins said. “And he couldn’t give me another email or phone number.” 

On a whim, Timmins reached out to a popular Montreal influencer he knew from cycling to ask if she had any contacts or ideas. From her, he got the name of a high-up Meta employee who said he’d try to circulate the problem within his cohort at the company, but the employee made no promises. 

Timmins was out of ideas in mid-July when he decamped for Eurobike. Without access to the account, Timmins left his camera at home and spent his time at the tradeshow asking speakers at social media talks for advice, but he had no luck as he was preparing to fly back to Montreal. Then, on the last night of the event, Timmins tried to reset his password one more time. This time, Instagram sent the reset link to his business email rather than the email that the hacker had selected in the third-party authenticator. 

Timmins is still locked out of a smaller account for the shop’s Vancouver location. Before Timmins reclaimed his main account, a Meta corporate communications employee responded to BRAIN’s inquiry about the shop owner’s hack, requesting that Timmins provide a new email for recovery purposes. At press time, Meta hasn’t responded to BRAIN questions on how users can recover accounts that were hacked using third-party apps. 

During the three weeks Timmins couldn’t access his shop Instagram, the hacker sent messages to Allo Vélo followers to advertise the crypto mining courses, but they only posted once to his main page and story. The account lost 300 followers in the ordeal, and Timmins had to reach out to followers who were confused or upset by the account’s sudden pivot to crypto mining. 

Through the process of getting the account back and researching social media marketing more broadly, Timmins learned two lessons for other shop owners. “Be careful of who is messaging you,” he said. “And maybe consider TikTok. When I was in Amsterdam I did a quick video of a cargo bike with a car boot in a no-parking zone and on TikTok it got 16,000 views in a couple of days. On Instagram, it only got 500 views.”

Lamar Timmins in his store.