Security News > 2023 > December > New phishing attack steals your Instagram backup codes to bypass 2FA

A new phishing campaign pretending to be a 'copyright infringement' email attempts to steal the backup codes of Instagram users, allowing hackers to bypass the two-factor authentication configured on the account.

When configuring two-factor authentication on Instagram, the site will also provide eight-digit backup codes that can be used to regain access to accounts if you cannot verify your account using 2FA. This could happen for multiple reasons, such as switching your mobile number, losing your phone, and losing access to your email account.

Backup codes come with some risk, as if a threat actor can steal those codes, they can hijack Instagram accounts using unrecognized devices simply by knowing the target's credentials, which can be stolen through phishing or found in unrelated data breaches.

After siphoning these details, the phishing site asks the target if their account is protected by 2FA and, upon confirmation, requests the 8-digit backup code.

Despite the campaign being characterized by multiple signs of fraud, like the sender's address, the redirection page, and phishing page URLs, the convincing design and sense of urgency could still trick a significant percentage of targets into giving away their account credentials and backup codes.

If you still have access to your 2FA codes/keys, there's never a reason to enter your backup codes anywhere other than within the Instagram website or app.

News URL

https://www.bleepingcomputer.com/news/security/new-phishing-attack-steals-your-instagram-backup-codes-to-bypass-2fa/