Posted by u/k4runa 4 years ago
My friend's Instagram was hacked and deep-fake videos posted in less than 6 hours
Today has been wild. I am quite shocked at how quickly the whole thing happened and how difficult it is to report the hacked account to Instagram and try to recover the account. The docs seem to take you in a loop without ever being able to resolve the problem...

My friend's Instagram account has only ~2,000 followers, so not even a huge amount, and her email and password were reset about 6pm to a gmail account, and by midnight the account had already posted deep-faked AI videos of her promoting cryptocurrency scams.

The deepfake videos are very realistic too, if I hadn't known her better or known about the hacking it would be very easy to believe it was real...

It's possible they deep-faked her videos ahead of time but it seems like something you'd spend resources on only if you knew the attack was successful.

And there doesn't seem to be that much news or content online about this happening or it seems very targeted... but for such an account with such a small following it seems like it must be quite a widespread problem.

Have you had this happen to someone you know personally and what do you think about how prepared we are to deal with scams this sophisticated or what effect they might have?

jcims · 4 years ago
Example from a news story. After seeing the video, I must admit I’m not sure if I believe the guy or not, which is scary.

Edit: Better link from deadmutex below - https://www.youtube.com/watch?v=vqr0oER03SE

https://www.wfla.com/8-on-your-side/better-call-behnken/inst...

echelon · 4 years ago
I work really closely on deep fake tech [1] and I'd say I'm relatively current with the state of the art in the literature. This was not deepfaked. The person recorded it themselves and is lying.

The video quality is too good. The lighting and movements lack mistakes. It can't be first order model, wav2lip, or any of the relatively new audio to video models.

The audio doesn't suffer from spectral noise, and it matches the lip movements close enough to not be TTS. Voice conversion (VC) introduces pitch issues that are readily apparent, and it's incredibly hard to train VC models without a ton of parallel audio data from source and target speakers.

This is absolutely a lie (not a deepfake) and I'd bet money on it.

[1] I created https://fakeyou.com cartoon and celebrity TTS, real time voice to voice mapping for VTubers, and am currently working on ML blendshapes.

devenson · 4 years ago
Friend was suckered by the exact same scam. Hers was NOT a deepfake, although I assumed it was at first. They cajoled her into making the video. She did so reluctantly, so she seemed a bit "off" in the video, but it was indeed her. She was out $300, was super embarrassed, and then completely tormented by how helpless she was in trying to recover her account.
blueblisters · 4 years ago
I agree. I think the most telling sign is the hand gesture for the number 3 when he says "just invested 300 bucks". Don't think Deepfake models can understand intent yet.
jcims · 4 years ago
The perfection in the audio is precisely what made me skeptical.
k4runa · 4 years ago
It's exactly the same situation with my friend. “I just invested $300 into Bitcoin and got $10,000 back. Gotta try it,” except the numbers are higher... but she actually says it in the video too.
lelandfe · 4 years ago
Telling that a major news outlet can't get anything more than a "we're looking into it" response from IG support.
stjohnswarts · 4 years ago
I mean what if they are looking into it though? Would you prefer a half baked response?
deadmutex · 4 years ago
pangolinplayer · 4 years ago
Yeah. It's almost like the post is a scam and we are all being duped into promoting the non-deepfake crypto scam.
moyix · 4 years ago
Would you be willing to share one of these videos? Our research group is studying the use and abuse of DeepFakes in the wild and we'd love to be able to do some analysis on this incident. Feel free to shoot me an email at brendandg@nyu.edu
devenson · 4 years ago
It's likely not a deepfake. My friend fell for the exact same scam--they managed to get her to make the video herself.
k4runa · 4 years ago
I will ask for her permission to share it with you.
moyix · 4 years ago
Thanks!
muthdra · 4 years ago
That's very kind but it seems like consent is a ship that has already sailed in this case.

hansolosays · 4 years ago
I was doxxed and harassed for my Insta account. Eventually one day it was just taken even though I had 2 factor auth on Insta and email. There is basically no recourse.

Oh and it was given to one of MrBeast's (from YouTube) helpers…

whywhywhywhy · 4 years ago
Probably inside job at IG tbh. Multiple reports over the years of desirable IG usernames being taken from legit users and handed to the friends of IG employees
resonious · 4 years ago
I remember Facebook used to let any dev access the whole production DB as an effort to "remove red tape" and allow quick solutions to problems. That lack of red tape resulted in multiple stories of employees using that privilege to stalk people in real life.
mitemte · 4 years ago
Pretty disgusting behaviour. Reminds me of this high profile case: https://www.businessinsider.com/andres-iniesta-claims-instag...
quickthrower2 · 4 years ago
How does this mafia operate inside IG? Is there an honour code “don’t steal an account that a superior has stolen already”
ineedasername · 4 years ago
Fortunately, that's not something the current company Meta would allow to happen. That sounds like something that only Facebook would let fall through the cracks.
anm89 · 4 years ago
I can't tell if you are joking but I desperately hope you are.
nabakin · 4 years ago
This account? https://www.instagram.com/chucky/

Are you sure the account and username were given and not just the username?

hansolosays · 4 years ago
Account was deleted and user name handed over
aspenmayer · 4 years ago
Was it SMS based 2fa or did you use some other method?
hansolosays · 4 years ago
SMS 2fac to a Google Voice account with 2 fac
leeroyjenkins11 · 4 years ago
My insta got hacked from not original Instagram password after I had linked my account to Facebook. They were able to log in with my username and password, but I was able to get in via FB. They disabled my account because they were noticing my account doing botlike things.
ineedasername · 4 years ago
Writeup details etc in a medium post & repost here to HN? Not much, but at least a little extra bad publicity for IG & Mrbeast/associates
echelon · 4 years ago
What was your account? Can you prove it?
hansolosays · 4 years ago
Instagram.com/chucky

I have old password reset emails and probably some screenshots somewhere

pkaler · 4 years ago
I've had my account hacked, too. I used to own: https://www.instagram.com/kaler/

Have owned it since Instagram launched and it was connected to my Facebook account which I've had since 2005 or so.

There is no hope with contacting Instagram/Facebook support.

wombatpm · 4 years ago
Seems like it is time for a class action lawsuit
megablast · 4 years ago
Sue for what?? Accounts are free. Go make another one.
hansolosays · 4 years ago
Had the same thing happen to me. Was in the closed beta and now there is no way to get it back.
donkarma · 4 years ago
Link doesn't show anything to me, was it deleted?
sova · 4 years ago
If you know someone who works there (Kafkaesque absurdity surrounding social-media operators) you can recover an account asking for help politely.
Sebb767 · 4 years ago
As far as I know, that's actually how these 'high profile' takeovers work. You know someone at Insta and politely ask/silently pay to get your account "back" or take over an "inactive" account.
timdaub · 4 years ago
same here. I had an account that is now selling bras under my name. Tried contacting FB support so many times, nothing ever happened.
dylan604 · 4 years ago
>It's possible they deep-faked her videos ahead of time but it seems like something you'd spend resources on only if you knew the attack was successful.

I wonder if they had a list of account credentials, tested to find ones that worked without changing anything after verifying they were legit, and then once they had the content ready took over the account to ensure the work they had done was live for as long as possible.

bredren · 4 years ago
This is a good tack, though the key is the gmail account. Presumably, the perp has multiple scams based on the content of the account.

Presuming much of the media creation is automated, they could also have run the process once the gmail account was owned.

Testing auth from unexpected locations in advance seems like an easy way to get noticed.

dylan604 · 4 years ago
I'm not reading that they hacked/stole a gmail account. My understanding is that by taking over the account, they updated the associated email address used for contact within Insta. It just so happened that the email used by the attacker was a gmail account.

>Testing auth from unexpected locations in advance seems like an easy way to get noticed.

How many times have we received emails from online accounts notifying about login attempts? They are usually phishing attempts, but it occurs enough that most people don't believe the legitimate emails.

almostdigital · 4 years ago
Instagram is a dumpster fire.

I have a 3 letter Instagram name and the amount of spam and attacks I get is insane... I get hundreds of password reset emails from Instagram daily and constant DMs and follow requests from scammer and bot accounts.

I've tried contacting Instagram about it several times but they never respond. Had to blackhole emails from security@mail.instagram.com to prevent my mail server filling up.

guiambros · 4 years ago
This episode [1] of Darknet Diaries tells the story of someone with an early Twitter/Instagram account, and how it was targeted by scammers. Pretty scary.

[1] https://darknetdiaries.com/episode/97/

simonebrunozzi · 4 years ago
I had my own "mobile + twitter hacked" story [0]. Solved it in several months. Yes, months, not days, not hours.

[0]: https://simon.medium.com/mobile-twitter-hacked-please-help-2...

wpietri · 4 years ago
Wow. I have an early Twitter handle and they let me turn off password resets without additional information. (I think you have to enter the email under which I've registered before it will send the request.)
nevster · 4 years ago
I have a 3 letter twitter username and I definitely get password reset requests but not too often - about 1 or 2 a month
bredren · 4 years ago
How early? My main is in the first 12,000.
registeredcorn · 4 years ago
I'm glad to know I'm not the only one who gets hit with password reset attempts. It's strange because I don't have a short username; mine is noticeably long and weirdly specific.

I've noticed that the reset attempts seem to come in waves. I haven't charted it, but sometimes I'll get somewhere between 20-30 reset attempts in 24 hours, and at other times, I won't get any reset attempts for a full week or so. The whole thing is very bizarre.

qazxcvbnmlp · 4 years ago
Same. I just ignore them.
roomey · 4 years ago
I got a 4 letter one I never use and the amount of resets per day is crazy.

I don't share my daily email with websites but for whatever reason I used it with this Instagram account. It's the only spam I get at this point. 20 email resets per day!! It can't be hard to fix that

jhugo · 4 years ago
I had a 3 letter as well. I was getting daily password resets for years and then one day it was stolen despite 2FA and a random 32-char password. No idea how they did it. I wasn't a heavy user and Instagram doesn't seem to offer any support so I just created another account and moved on.
kingcharles · 4 years ago
Some sort of social engineering I guess :(
x0n · 4 years ago
Same, I also have a three letter nick. Constant reset attempts, spam, fake offers of thousands of USD to transfer it.
tdrdt · 4 years ago
Doesn't this apply to the whole internet? Internet connects both good and bad people.

The moment you create something that can be used to upload any type of content, some people will exploit it.

staticassertion · 4 years ago
Sort of. Tech companies have an incredible lack of investment in actual customer service though. With many services it's easy to get on the line with a human - even if it can take a while there's a straightforward path.

Tech companies seem to invest far less into customer service, make it impossible to get on the phone with someone, resolve issues in a sane way, etc.

rdl · 4 years ago
Same. Eventually (after 30-40?) they give you a link to turn off password reset attempts (or notifications of?) from devices you haven't logged on from in the past 90 days (I think?).
dawnerd · 4 years ago
I just have a junk instagram account to get around the login walls and get flooded with reset requests too. You'd think they'd be able to solve for this.
sneak · 4 years ago
Yet you still use Facebook's censored spyware, even with this terrible UX?
almostdigital · 4 years ago
This account is going to be an heirloom NFT in the metaverse some day :P
artur_makly · 4 years ago
This happened to my wife too and her IG profile was used to create a deepfake on onlyfans
throw__away7391 · 4 years ago
Had an account not hacked, but copied pictures (only using bikini pictures), chose a similar username and followed all followers with an invite to a porn site (though I did not follow the link to see, it could not have been more explicit in what was being offered). Instagram "reviewed the report and decided it did not violate their terms of service" and refused to take any further action.
colejohnson66 · 4 years ago
If they’re reposting one’s own pictures, a DMCA claim would be a good way to solve the issue. It shouldn’t be needed, but Instagram will obey the claim
dan353hehe · 4 years ago
This happened to someone I know as well. The only reason they knew about it was some of us saw it and alerted her.

Really messed up stuff.

k4runa · 4 years ago
I haven't even thought about them using the content across platforms now that they have the video samples already... but perhaps the followers are more important. You only really hear about celebrity deep-fakes on the news.
sorenjan · 4 years ago
How do these scammers get their hands on the money? Doesn't Onlyfans require photo ID and personal banking details?
rndgermandude · 4 years ago
You'd be surprised at how many people upload pictures showing their id to public sites. And even if it's not that, then it might be an inside job by a family member, friend, co-worker, etc who had once enough access to the id to snap a pic of it.

Also, chances are that if you can convincingly create deepfakes in general you can (deep)fake a picture of an id to a degree it will be accepted by OnlyFans and other services, especially if these ids are from places the staff might not be entirely familiar with. Do you know for example what a Colombian or Polish or Turkish or Cambodian id should look like and what security features that you could see on a mere picture of it should be present, if there are even such features?

I've seen such id fakes done in practice, though that wasn't related to OnlyFans. That's why when I was in a position where I sometimes had to verify identities, I would not accept pictures of ids, I would ask for "proof-of-life"/"timestamp" style pictures you see commonly used on pseudonymous sites like reddit or 4chan to establish authenticity of a poster. Those are not impossible to fake, but a lot harder, especially if you limit the time in which the other party can respond.

I don't know if OnlyFans adopted such a method of verification by now, but I know they used to accept just ids.

I also online-know a guy who says he used to run an OnlyFans scam where he would seek out underrated accounts, steal their content and republish it under his own accounts. That obviously required he create a lot of verified accounts with valid ways to pay out, of course. He never went into details on that. He could be lying about the thing, but when it came to other things he claimed over the years, a lot of it was verifiably true, so I don't know.

You can also buy verified OnlyFans accounts on the black market (hacked usually) or compromise accounts yourself. A lot of OnlyFans accounts are completely inactive, abandoned by the original owners, so they will probably not even notice if it gets taken. From there you can replace all the account content as you please, and I believe in the case of OnlyFans even change the user name and probably update the payout method and information as well.

As for banking information... that's harder, but there are probably some ways left. The question is if the OnlyFans account in this case was even made for financial gain, or just to cause humiliation, in which case subscriptions might have been free or the money might have never been collected by whoever created the account.


hooande · 4 years ago
this sounds horrible. did they eventually take it down?
artur_makly · 4 years ago
yes but only after she spoke with a journalist from VICE


Wiseacre · 4 years ago
Facebook doesn't seem to care about deepfakes on Instagram since they promote "engagement".

I can't say I have too much advice other than to always use strong passwords, don't share passwords across sites, use VPNs on public routers, and stay away from posting videos of yourself on cancerous engagement metric-driven social media.

epolanski · 4 years ago
I have another, stop using those websites completely. Delete your accounts.
can16358p · 4 years ago
What if your target demographic is on those sites, and/or you use Instagram not for fun/entertainment but for business purposes because in this age >90% of your target audience is there and very few are going to visit your website in this age?

Many people aren't fans of Insta/FB but they need to use it for reaching their audience.

LordDragonfang · 4 years ago
Consumer boycotts of products have never worked. The only thing they affect is reputation[1], and social media companies clearly don't care very much about theirs as long as they keep making money.

Collective action needs to be legislative or legal in order to actually change things.

[1] https://www.ipr.northwestern.edu/news/2017/king-corporate-bo...

analognoise · 4 years ago
This is the way.


systemvoltage · 4 years ago
Can we also lump Twitter and TikTok with it? Is it me or is there a double standard on HN where FB gets all the heat, but others don't?
Wiseacre · 4 years ago
I brought up Facebook because they own Instagram, but yes this applies to Twitter and TikTok.
kingcharles · 4 years ago
LOL TikTok is worse. It lets you log in with just a phone number and no password. I can actually log into the TikTok account of the previous owner of my phone number.
LordDragonfang · 4 years ago
>Is it me

I think it's you, because I see criticism levied against TikTok here all the time.

k4runa · 4 years ago
I think that is good advice for someone who is more tech-savvy and aware of the problem but I'm not sure the rest of the world is as well prepared, or what effect it might have on us or FB/IG reputation and engagement if it's becoming more automated and widespread.
xwolfi · 4 years ago
Dude, when I was 16, 15 years ago, I remember doing a school essay about the risk of social media and saying "social media is not the culprit, it's us being so addicted to this new way of manipulating people around us into thinking we're "social credit"-worthy by uploading everything we can in a never ending race to the vacuum. We'll end up with what we deserve: we'll have traded our ability not to be lab monkeys clicking on buttons for the pleasure of our observers in exchange for the vain pleasure of sticking it to our ex/neighbour/psychotic mom/more beautiful colleague/whomever else insecure jealousy pushed us to addiction."

I feel we're just reaping the reward of our vacuity.