
T-Mobile Employee Made Unauthorized ‘SIM Swap’ to Steal Instagram Account - el_duderino
https://krebsonsecurity.com/2018/05/t-mobile-employee-made-unauthorized-sim-swap-to-steal-instagram-account/
======
paulrosenzweig
I was the victim mentioned in this story. If anyone has a friend at Instagram
who might be able to help restore the account, please let me know!

~~~
orf
Sorry to see you haven't got it back yet. What did the IG support say to you?
Have you contacted them?

~~~
paulrosenzweig
I contacted Instagram support within a few hours of the hack, but I have yet
to hear back. I've bumped the thread a few times, but still silence.

~~~
orf
Glad to see it's been resolved now!

------
elipsey
"It seems like by having the ability to change one’s [Instagram] password by
email or by mobile alone negates the second factor and it becomes either/or
from the attacker's point of view."

I believe I have seen this version of "2FA" often enough that it might be
considered an anti-pattern. 0.5FA?

~~~
closeparen
Worse, it’s the most important accounts that support the weakest 2FA. U2F
support is a solid guarantee that the site has nothing of value. Anything
important, especially a bank, is guaranteed to be SMS/phone only.

------
kencausey
I too am a T-Mobile customer. On Sunday and Monday the 6th and 7th of this
month in two separate incidents my SIM number was also changed. I don't and
have never had an Instagram account.

In the first instance I received a notice that someone using my phone logged
into a Yahoo account I once set up for a test but never really used. During the
second instance I received an email with a Google verification number. I guess
that time I got the SIM changed back before anything could really happen.

So far there have been no ramifications in either case. No passwords were
changed (although I changed a bunch after that) and I've seen no other
effects. I've requested that T-Mobile look into the issue but have heard
nothing back yet and I have not checked back with them.

