A novel phishing technique obtains your Instagram backup codes

A recently discovered phishing campaign masquerades as a ‘copyright infringement’ email with the intention of illicitly obtaining the backup codes of Instagram users. These codes enable hackers to circumvent the two-factor authentication system implemented on the targeted accounts.

Two-factor authentication is a security measure that requires users to provide an extra form of verification during the login process. The verification typically takes the form of single-use passcodes sent via SMS text message, codes from an authentication app, or hardware security keys.

Enabling two-factor authentication (2FA) protects your accounts in the event that your login information is compromised or bought from a cybercrime marketplace. This is because the perpetrator would also need access to your mobile device or email in order to gain entry to your protected account.

When you set up two-factor authentication on Instagram, the platform also generates eight-digit backup codes. These codes serve as a contingency plan to restore access to your account if you are unable to verify your identity using your two-factor authentication method. Several circumstances can lead to this situation, including changing your mobile number, misplacing your phone, and losing access to your email account.

Nevertheless, backup codes carry risk. If an unauthorized individual manages to obtain these codes, they can use them to take over Instagram accounts from unrecognized devices, needing nothing more than the target's login information. That information can be acquired through phishing or found in unrelated security breaches.
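
The risk described above suggests a simple signal for anyone who runs an authentication service: a backup code completing a login on a device the account has never used. The following is an added example, not code from the article or from Instagram; the event schema, field names and sample events are constructed for illustration.

```python
# Constructed sample authentication events (hypothetical schema,
# not Instagram's log format). "ok" means the login succeeded.
EVENTS = [
    {"ts": 1, "account": "alice", "device": "laptop-1",  "method": "totp",        "ok": True},
    {"ts": 2, "account": "alice", "device": "phone-1",   "method": "sms",         "ok": True},
    {"ts": 3, "account": "alice", "device": "laptop-1",  "method": "backup_code", "ok": True},
    {"ts": 4, "account": "alice", "device": "unknown-9", "method": "backup_code", "ok": True},
    {"ts": 5, "account": "alice", "device": "unknown-9", "method": "totp",        "ok": True},
    {"ts": 6, "account": "bob",   "device": "tablet-2",  "method": "backup_code", "ok": False},
    {"ts": 7, "account": "bob",   "device": "tablet-2",  "method": "totp",        "ok": True},
]


def flag_backup_code_logins(events):
    """Return (ts, account, device, reason) for logins worth reviewing.

    A device becomes trusted after a successful login with a regular
    second factor. A device whose first successful login used a backup
    code is held as pending, and every later login from it is flagged
    too, since 2FA may have been re-enrolled from that device.
    """
    trusted, pending, alerts = {}, {}, []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if not ev["ok"]:
            continue  # failed attempts do not establish or use trust
        acct, dev = ev["account"], ev["device"]
        known = trusted.setdefault(acct, set())
        held = pending.setdefault(acct, set())
        if dev in held:
            alerts.append((ev["ts"], acct, dev, "device_pending_review"))
        elif ev["method"] == "backup_code" and dev not in known:
            held.add(dev)
            alerts.append((ev["ts"], acct, dev, "backup_code_new_device"))
        else:
            known.add(dev)
    return alerts


if __name__ == "__main__":
    for alert in flag_backup_code_logins(EVENTS):
        print(alert)
```

A flagged login is a prompt for review rather than proof of takeover, because a user who has lost their phone will legitimately trigger the same pattern.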