Lakewood residents are calling me regarding several incidents in which their Instagram, Facebook and Twitter accounts were hacked and they were unable to regain access to their accounts. In all of these cases, the users had not enabled multi-factor authentication (MFA), also referred to as two-factor authentication, prior to the compromise. As I have advised multiple times, this is essential for all accounts.
You will need to log in to your account, go to the privacy and security settings, select two-factor or multi-factor authentication, and choose how you want to receive your verification code: text message, email or phone call. You will get a test message; reply to it and you’re done.
What Is Multi Factor Authentication?
Multi-factor authentication is a security precaution that you set up in your account. It works like this: when you log in, the app sends you a text, phone call or email with a code that you enter to complete the login process. Since you are the only one with that phone number or email address, no one else can complete the login. (That is, unless your device is infected with keylogger software, but that’s another story.) You can also add a passphrase known only to you in addition to the call or email. Using just a passphrase is not recommended.
Why Is Multi Factor Authentication a Must Do?
The attacker generally gets access to your account by obtaining the password. This is done by various means which I will not go into in detail, but suffice it to say that these techniques are known as credential stuffing, password spraying, or credential phishing attacks. The methodology and techniques are varied, and new methods appear every day. What happens next? If the attack is successful, the attacker changes the user’s password and even the account details, such as the associated email address and phone number, which are exactly what MFA would rely on. The key point here is that if MFA is NOT enabled in the first place, these account changes prevent the legitimate account holder from easily regaining access to their account.
So, now you may ask the obvious question: what good is multi-factor authentication if a hacker could get the info and change it at will? Well, if you don’t have MFA enabled in the first place, all bets are off. But if you do, the hacker may get your password, and it is useless to them, because they can’t log in or change anything until AFTER YOU receive a code on your phone or by email. The attacker will NOT get that code. End of story. But…
If you don’t have MFA enabled, which is the situation these locals were in, then once the password is stolen the Instagram, Facebook, Twitter, bank or credit card account is compromised.
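To make the two points above concrete (how a second factor works, and why a stolen password alone is useless once it is enabled), here is a small added example of a login check with a time-based one-time code, the same kind of six-digit code an authenticator app or text message delivers. This is illustrative code written for this column, not code from Instagram, Facebook, Twitter or any other platform; the account, password, secret and email address in it are constructed for the demonstration.

```python
"""Toy account login: salted password hash plus an optional time-based one-time
code (TOTP, RFC 6238). Added example, not any platform's real implementation."""
import hashlib
import hmac
import secrets
import struct
import time
from typing import Optional


def totp(secret: bytes, for_time: int, step: int = 30, digits: int = 6) -> str:
    """Six-digit code for the 30-second time step containing for_time (SHA-1 HOTP)."""
    counter = struct.pack(">Q", for_time // step)
    digest = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    truncated = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % (10 ** digits)).zfill(digits)


def hash_password(password: str, salt: bytes) -> bytes:
    """Slow salted hash so a leaked database does not hand over the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class Account:
    """Constructed account record. mfa_secret is None when MFA was never turned on."""

    def __init__(self, password: str, mfa_secret: Optional[bytes] = None):
        self.salt = secrets.token_bytes(16)
        self.password_hash = hash_password(password, self.salt)
        self.mfa_secret = mfa_secret
        self.email = "owner@example.invalid"  # constructed recovery address

    def password_ok(self, password: str) -> bool:
        candidate = hash_password(password, self.salt)
        return hmac.compare_digest(candidate, self.password_hash)

    def code_ok(self, code: Optional[str], now: int) -> bool:
        """Accept the current code or its neighbour on either side (clock skew)."""
        if self.mfa_secret is None:
            return True  # no second factor set up: the password alone lets anyone in
        if code is None:
            return False  # second factor set up, but the caller has no code
        return any(
            hmac.compare_digest(totp(self.mfa_secret, now + skew), code)
            for skew in (-30, 0, 30)
        )


def login(account: Account, password: str, code: Optional[str] = None,
          now: Optional[int] = None) -> bool:
    """Both factors must pass; a correct password is not enough on an MFA account."""
    now = int(time.time()) if now is None else now
    return account.password_ok(password) and account.code_ok(code, now)


def change_recovery_email(account: Account, password: str, code: Optional[str],
                          new_email: str, now: Optional[int] = None) -> bool:
    """Changing the recovery details is gated by the same two-factor check, so an
    attacker holding only the password cannot lock the real owner out."""
    if not login(account, password, code, now):
        return False
    account.email = new_email
    return True


if __name__ == "__main__":
    secret = b"constructed-mfa-secret"
    protected = Account("correct horse", secret)
    unprotected = Account("correct horse")
    now = int(time.time())
    print("password only, MFA on :", login(protected, "correct horse", None, now))
    print("password + code, MFA on:", login(protected, "correct horse", totp(secret, now), now))
    print("password only, MFA off:", login(unprotected, "correct horse", None, now))
```

Run the file directly to see the three cases: with MFA on, the correct password by itself is rejected and only password plus the current code gets in; with MFA off, the password alone is enough, which is exactly the situation the locals in this story were in. The recovery email can only be changed after the same two-factor check passes.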
As far as the social media platforms are concerned, a common scenario is that the hacker sends direct messages to your contacts in an attempt to scam them, or posts inappropriate and unauthorized content to your feed, pictures and stories.
In the worst scenario, the hacker may demand a ransom in exchange for giving the account holder access again, with no promise that the hacker will follow through. As I reported in a previous post here on TLS, this is particularly damaging for business accounts, as this activity can discredit the business and cause it to lose followers and potential revenue. These same tactics and techniques can be used to target any social media account, like Facebook, Twitter and Instagram, or even other personal accounts, such as those used for email.