This is the #1 problem with google/facebook/other giant companies - zero due process. They build a business around minimal human interaction with our staff and it shows when real problems come up.
I'm frankly sick of hacker news being a facebook/google/whatever ticketing system. And yet, there's no alternative.
I remember for a while after Meta bought Oculus, they still had a human support system. People whose Facebook accounts had been hacked/reset/whatever were buying Quest/Quest2s so they could get support for their Facebook account. It's obnoxious the extremes we have to go to. Especially when these representations of ourselves might reflect on us poorly through no fault of our own, and we have no recourse.
I almost guarantee they have an inside man that they pay off to do this for them.
I mean, they are crypto bros. They can crypto pay someone under the table.
There's no transparency or even a support system. If the person gets caught, 99% chance facebook just lets them go. Their internal ticketing/debugging/support systems are very likely outsourced or low-pay workers or foreigners, and it won't be worth it to the company to sue them. Then people will know it happens.
The problem is, Due Process means a human - probably paid very little - gets the power to overrule any technical controls. So maybe your account is protected by $$$ A+ security, no chance it can be breached, but oops, the "Due Process" person was just handed $100 cash to override that and allow this random person to become Justsignedup.
So you might actually be better off with a Google situation where the company can't be bothered to hire anybody to be in that role, than a situation where they hire a bunch of minimum wage workers in the cheapest economy with plenty of Internet and don't care about oversight.
I disagree, I think the #1 problem with the people who run giant companies is they conspire with elected officials and others in the ruling class to keep and horde wealth and power over others.
One of the major problems with social networks is zero due process, and clearly corporate backed networks manipulate and censor their users in pursuit of the above (e.g., see Twitter Files), but lack of fairness is not unique to corporations. Moderators who are drawn to the role "out of the goodness of their hearts" are among the most vicious, petty, vindictive, capricious, hypocritical, narcissistic, and unjust arbiters I've ever encountered. They also are the best of the best, but those ones are few and far between, and many tend to burn out as communities grow whereas the former type are a dime a dozen and thrive in the role. This is the main reason why I'm not all that hopeful for mastodon or not-corporate social networks.
> So you're maybe thinking "Instagram must have a process for this, something you can do when your account is hacked?" and the answer is... kinda, but also it's completely useless. You follow the account hacked form on the website and it just endlessly redirects you to the "I need help logging in" page. If I follow the "I can't log in" process for the handle they stole, Instagram wants me to enter a previous password for the account, which I can't do because it's brand new (I tried).
My mom got hacked last week and I helped her recover her account and was absolutely appalled at the state of Instagram for this stuff.
* As they said, the official process to get your account back is an infinite loop back to the beginning of the process. If you follow the steps in their guide, you end up clicking a link that takes you back to the guide.
* Craziest to me, the "New Login to your account" email that you get when someone logs in from a new device includes a helpful "click here if this wasn't you" link, but that link is a 404.
* If someone hacks an account without 2FA, the first thing they do is enable 2FA on their own device, and the published process to recover your account no longer works whatsoever. The original owner is not able to turn 2FA off or to confirm it wasn't them. This makes 2FA weaponized as a hacking tool rather than a security tool.
* At this point, the only tool is an automated process where you submit a video of your face to prove it's your account. Online you can find endless complaints by people who run e.g. brand accounts because this facial recognition system doesn't have a face to key off of, and just fails on repeat. Plus I'm pretty sure I could use this to hack an account with a few NVIDIA tools.
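The two failure modes above (a "this wasn't you" link that goes nowhere, and an intruder enrolling their own 2FA device to lock the owner out) are both recovery-design problems. As an added example that is not part of this thread, here is a minimal defender-side sketch in Python of the pattern that closes both: every new-login notification carries an HMAC-signed, time-limited revocation token, and a 2FA change made by a new session stays reversible for a cooling-off window. The signing key, window lengths and data model are all assumptions constructed for the example.

```python
import hmac, hashlib, secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

SECRET = secrets.token_bytes(32)   # server-side signing key (constructed for this example)
COOLING_OFF = 7 * 24 * 3600        # assumption: a 2FA change stays reversible for 7 days
TOKEN_TTL = 14 * 24 * 3600         # assumption: the "not me" link is valid for 14 days

@dataclass
class Account:
    sessions: Dict[str, float] = field(default_factory=dict)  # session_id -> created_at
    totp_device: Optional[str] = None
    prev_totp_device: Optional[str] = None
    totp_changed_at: float = 0.0
    totp_changed_by: Optional[str] = None

def _sign(payload: str) -> str:
    return hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()

def new_login(acct: Account, now: float) -> Tuple[str, str]:
    """Create a session and return (session_id, not_me_token) for the "new login" e-mail."""
    sid = secrets.token_hex(8)
    acct.sessions[sid] = now
    payload = f"{sid}:{int(now)}"
    return sid, f"{payload}:{_sign(payload)}"

def enable_2fa(acct: Account, sid: str, device: str, now: float) -> None:
    """Enrol a TOTP device, keeping the previous one so the change can be rolled back."""
    if sid not in acct.sessions:
        raise PermissionError("unknown session")
    acct.prev_totp_device = acct.totp_device
    acct.totp_device, acct.totp_changed_at, acct.totp_changed_by = device, now, sid

def this_wasnt_me(acct: Account, token: str, now: float) -> bool:
    """Handle a click on the signed link: verify it, kill the suspicious session and
    every session created after it, and revert a 2FA change made inside the window."""
    try:
        sid, ts, sig = token.split(":")
        cutoff = int(ts)
    except ValueError:
        return False
    if not hmac.compare_digest(sig, _sign(f"{sid}:{ts}")):
        return False                      # tampered or forged link
    if now - cutoff > TOKEN_TTL:
        return False                      # expired link; user must use another path
    for s, created in list(acct.sessions.items()):
        if created >= cutoff:             # the new device and anything it spawned
            del acct.sessions[s]
    if acct.totp_changed_at >= cutoff and now - acct.totp_changed_at <= COOLING_OFF:
        acct.totp_device = acct.prev_totp_device   # roll back the intruder's 2FA enrolment
        acct.totp_changed_by = None
    return True
```

Older sessions (the real owner's) survive, so the legitimate user is never the one locked out by the revocation.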
I never used Instagram much (anything attached to Zuckerberg is rotten), but I recently tried to log in to check something via desktop. I have email-based 2FA set up, so it said to check my email for the code (while showing me my correct email address).
The email never arrived, I checked the spam folder and all that. After a while I clicked "Send a new code" and got the error "Select a valid choice. 0 is not one of the available choices." Oooooookay. I cleared cookies etc and tried again, and it continues to demand, while failing to send, a confirmation code. But this second login attempt did cause them to send me an automated "New login to Instagram" email.
Lastly, I clicked the Get Support link, and it just pops a dialog that says "If you’re unable to get the security code, you need to use the Instagram app to secure your account." I do not have the Instagram app, and newly installing it while my account is locked would be pointless.
So, I guess that account is unrecoverable now. Great work, Meta.
The underground marketplace for desirable social media handles (OG Handles) was explored in this excellent episode of Reply All: The Snapchat Thief [1].
In that story the basic technique was a SIM-swapping attack [2]. Fraudster calls the cell provider, claims to be the victim and that they lost their phone. Cell provider then ports the phone identity over to a new SIM. After that the fraudster just resets the account's password and gets the 2FA SMS (or even easier, one-time passwords) to their newly connected phone. Don't know if that same basic technique still applies nowadays, but in any case the most surprising part of the episode to me was how large and mature a black market there was for these account handles.
Love how using a VoIP number would totally cancel out that attack, but so many websites require you to have a 'real' phone number. I assume it's mostly to weed out scammers.
There’s a black market business being run by Meta employees, selling the ability to take over these accounts from the inside for a price. They then funnel that cash back to family and friends and launder that cash through various other means.
Instagram itself does this kind of thing. Your handle isn't yours anyway, it's theirs. Instagram owns 100% of the handles and you just have to deal with that- same as every site, but Instagram is well-known for stealing your handle and giving it to someone else.
They took somebody's handle and just gave it to the "royal family" who I guess was so entitled beyond belief that they just couldn't take the idea that they would need to pick a new name if the one they wanted was taken.
I read this thread and considered sharing it here, so I'm glad to see it discussed. If you follow the thread he comes to the "conclusion" or suspicion that it was an inside job.
Yeah, a lot of the discussion here is lamenting the lack of any support, but I'm fascinated to know how they possibly could have gained access.
Given the suspicion that it was an inside job, these two different points have something in common, namely an attempt to access the human infrastructure behind the interface. If that suspicion proves true then people compromising accounts are having better luck accessing Instagram's internal levers for account management.
I have a very short instagram handle that I've never used. People are constantly trying to take it over. I get the email "we've made it easy to get back on Instagram" sometimes hundreds of times per hour. I don't think they have any kind of rate limiting or account abuse protections. It's also true that you can disable Instagram 2FA without 2FA via various Facebook apps, which is ridiculous.
Meanwhile, I got locked out of the old FB account, with a passport scan being the only way they're going to open it again.
Strong password, 2FA, email, registered pgp key, and I still have access to everything, yet they still need to "verify", which makes no sense given they (supposedly) don't have any ID of mine from before.
Contrasting that to OP and yeah, an insider sounds like the more likely thing.
There was a story a while back about OnlyFans bribing FB admins to ban competition or something. Would not be surprised if that was the route taken here.
Which was looking extremely suspect considering they were mentioning dates and times prior to the dates at least some of those supposedly bribed parties were even employed by Facebook. There may be truth in the story, but it is somewhat soured by the lies.
Just goes to show that the current state of web security is about analogous to those $5 Master Locks used on gym lockers. Enough to keep honest people honest, but even the slightest bit of intentional attack is all it takes to compromise everything.
It's obvious in retrospect that one of the main ways tech companies make money is scale, without the costs that physical based companies bear with scale.
For example, you go to a shop, and they have employees they have to pay. When the shop scales, so does the number of employees. Tech companies aren't like that though. You write software, then scale it to as many users as possible (billions, in some cases), but their cheat-code, is that they don't provide support of any meaningful kind.
They can get away with it because they're not bound by physical interaction, and nobody's holding them accountable. Law is always understandably slow to catch up, but hopefully we'll get some reasonable regulation around tech soon.
This happened to me with bit.ly, they just, without any reason, removed my access to my own username, which is username. My other one is from GitHub, but the good thing is GitHub just changed my username from username to usernamex, probably due to a naming collision.
Are IG accounts worth something on the black market?
I don't doubt a few people would want the "Alex Stevenson-Price" alexprice. But, I'm guessing there are a lot more who want the "Other Famous Alex Prices" alexprice.
Yes. I know 4 letter ones (even just random gibberish) are going for ~$50-100. 3 letter ones are $500-1000 at least. So anything which is a dictionary word or a noticeable abbreviation is worth much much more.
My IG handle is pretty desirable and was the title in a film. Every few months I get password reset notifications. I get DMed with offers. I also get occasional DMs from people thinking I'm the handle for the artist.
Same thing happened to me. I have the account and the password. But the password reset email is not one I ever used. Tried contacting them for verification and never heard back.
Justsignedup | 3 years ago
sircastor | 3 years ago
AtlasBarfed | 3 years ago
tialaramex | 3 years ago
throwawaylinux | 3 years ago
criddell | 3 years ago
smsm42 | 3 years ago
aqme28 | 3 years ago
DamnInteresting | 3 years ago
ZantaWB | 3 years ago
[1] https://gimletmedia.com/shows/reply-all/v4he6k
[2] https://en.wikipedia.org/wiki/SIM_swap_scam
e: Corrected, original post incorrectly said new number, not new SIM.
kayge | 3 years ago
[1] https://darknetdiaries.com/episode/97/
[2] https://darknetdiaries.com/episode/106/
belltaco | 3 years ago
Do you mean port the phone number to a new SIM? Because the SMS 2FA will go to the old number. Porting it to a new number won't do anything.
krolden | 3 years ago
s-video | 3 years ago
kjkjadksj | 3 years ago
D13Fd | 3 years ago
hobo_mark | 3 years ago
barbazoo | 3 years ago
edflsafoiewq | 3 years ago
gabereiser | 3 years ago
NYT reported about it last year.
supersour | 3 years ago
cryptoz | 3 years ago
https://fashionweekdaily.com/instagram-handle-sussexroyal-co...
dazc | 3 years ago
And, apparently, not any more?
josefresco | 3 years ago
glenstein | 3 years ago
jeffbee | 3 years ago
TSUTiger | 3 years ago
I know for me personally, if I was getting hounded by emails, I'd definitely look into getting rid of it somehow.
Legogris | 3 years ago
LightHugger | 3 years ago
It's most often a phone number, and as you point out, way worse on facebook where they demand government identification.
Please stop using facebook, people.
darth_avocado | 3 years ago
Twirrim | 3 years ago
D13Fd | 3 years ago
sergiotapia | 3 years ago
If Twitter sold verification for $5000, why should other large social networks be any different?
ramesh31 | 3 years ago
ghusto | 3 years ago
pindab0ter | 3 years ago
iamthejuan | 3 years ago
throwuxiytayq | 3 years ago
ThrowawayTestr | 3 years ago
blueyes | 3 years ago
afpx | 3 years ago
haunter | 3 years ago
https://files.catbox.moe/5jp5qw.png
https://files.catbox.moe/7gdx6k.png
brightball | 3 years ago
yardie | 3 years ago
unknown | 3 years ago
[deleted]
legohead | 3 years ago
The idea of unique handles is extremely annoying and an old problem.
kaishiro | 3 years ago
But presumably that's why I'm not running Meta and Mark is, well, a billionaire.
millzlane | 3 years ago
I just don't use instagram or facebook.