{"id":38858,"date":"2021-03-01T07:14:53","date_gmt":"2021-03-01T12:14:53","guid":{"rendered":"https:\/\/www.kaspersky.com\/blog\/?p=38858"},"modified":"2021-09-24T07:46:35","modified_gmt":"2021-09-24T11:46:35","slug":"suspicious-login-attempt-facebook-instagram","status":"publish","type":"post","link":"https:\/\/www.kaspersky.com\/blog\/suspicious-login-attempt-facebook-instagram\/38858\/","title":{"rendered":"Who&#8217;s in your Facebook and Instagram accounts?"},"content":{"rendered":"<p>A notification pops up on your smartphone screen: \u201cWe detected an unusual login attempt from Rio de Janeiro, Brazil.\u201d Whether the login attempt occurs where you live, halfway around the world, on the kind of phone you use, or from a device you\u2019ve never heard of, what\u2019s really going on here is an attempt to make you panic. Don\u2019t panic.<\/p>\n<p>Either someone\u2019s been busted trying to log in to your account or not, and freaking out will not help. To help you remain calm and survive the incident with minimal losses, we are arming you with knowledge of what it might be and what to do.<\/p>\n<h2>What it might be<\/h2>\n<p>To begin with, let\u2019s figure out how an outsider could have gained access to your account in the first place. It can happen in one of several ways.<\/p>\n<h3>Data leak and credential stuffing<\/h3>\n<p>Data leaks and breaches pop up in the news quite often, and even if Facebook and Instagram weren\u2019t hit directly, if another website is breached and the compromised data included your account info, then cybercriminals possess your credentials. Using a list of e-mail usernames and passwords, they can carry out a <a href=\"https:\/\/encyclopedia.kaspersky.com\/glossary\/credential-stuffing\/\" target=\"_blank\" rel=\"noopener\">credential-stuffing attack<\/a> \u2014 that is, they enter the stolen credentials on other sites. 
That works because people use the <a href=\"https:\/\/www.kaspersky.com\/blog\/never-reuse-passwords-story\/24808\/\" target=\"_blank\" rel=\"noopener nofollow\">same password for multiple accounts<\/a>, an unforced but extremely common error.<\/p>\n<p>Alternatively, your Facebook or Instagram credentials might have leaked from an associated app. For example, in June of last year, SocialCaptain, a service for growing an Instagram following through automation, leaked <a href=\"https:\/\/www.thesun.co.uk\/tech\/10863583\/social-captain-instagram-password-leak-online-how-to\/\" target=\"_blank\" rel=\"nofollow noopener\">thousands of Instagram account passwords<\/a>. The service didn\u2019t encrypt client data, as it turned out. It is reasonable to assume that many SocialCaptain users have since encountered hacking attempts.<\/p>\n<h3>Phishing<\/h3>\n<p>You could be looking at the results of a phishing scam in which your username and password landed in the hands of scammers. It happens. Maybe you clicked on a link and entered your credentials on a convincing fake Facebook or Instagram login screen. For example, just recently, our experts uncovered a phishing campaign that <a href=\"https:\/\/www.kaspersky.com\/blog\/facebook-account-hijack-through-notes\/38571\/\" target=\"_blank\" rel=\"noopener nofollow\">lured victims to fake login pages<\/a> by threatening to block their Facebook account for copyright infringement.<\/p>\n<h3>Password theft<\/h3>\n<p>Malware can also steal credentials. For example, many Trojans come with a built-in <a href=\"https:\/\/encyclopedia.kaspersky.com\/glossary\/keylogger-glossary\/\" target=\"_blank\" rel=\"noopener\">keylogger<\/a>, a program that, as the name suggests, logs keystrokes on the keyboard. 
If you picked up malware that logs keystrokes, then cybercriminals have every username and password you\u2019ve entered since.<\/p>\n<h3>Access token theft<\/h3>\n<p>Perhaps someone stole your access token. To avoid having to enter your password every time you sign in to Facebook or Instagram, the app saves a small piece of login information on your computer, known as an access token, or token for short. If a cybercriminal steals a valid token, they can access the account without a username and password.<\/p>\n<p>Tokens have been stolen through vulnerabilities in Facebook \u2014 for example, in 2018, attackers <a href=\"https:\/\/www.kaspersky.com\/blog\/facebook-token-breach\/24052\/\" target=\"_blank\" rel=\"noopener nofollow\">got hold of access tokens for 50 million Facebook accounts<\/a>. Tokens can also be <a href=\"https:\/\/www.kaspersky.com\/blog\/facebook-messenger-malware\/18412\/\" target=\"_blank\" rel=\"noopener nofollow\">stolen through browser extensions<\/a>.<\/p>\n<h3>Login from another device<\/h3>\n<p>Nor is it inconceivable that you logged in to Facebook or Instagram from someone else\u2019s device \u2014 at a party, in an Internet caf\u00e9, in a hotel lobby \u2014 and did not log out afterwards. Or, for example, if you forget to sign out of your account on a device you later sell or give away, you may be giving someone else access to your account.<\/p>\n<h3>False alarm (phishing again)<\/h3>\n<p>Perhaps your account was not hacked at all. It\u2019s also possible someone is trying to do precisely that, using a fake notification about a suspicious login attempt. That is phishing, as discussed above, but a slightly different variation. Instead of threatening to block your account, cybercriminals can use a fake login attempt notification with a link to a phishing site similar to the real login page. 
The hope is that the panic-stricken victim will go to the fake site and enter their credentials there.<\/p>\n<h2>What to do<\/h2>\n<p>Now that you know the possible causes, it is time to act.<\/p>\n<p>First, log in to your account \u2014 but definitely not through the link in the notification (as we already know, it might point to a phishing site). Use the social network\u2019s mobile app or manually enter the address in your browser. If the password does not work and you are locked out, refer to our <a href=\"https:\/\/www.kaspersky.com\/blog\/tips-for-hacked-account\/36760\/\" target=\"_blank\" rel=\"noopener nofollow\">detailed guide on what to do if your account has already been hijacked<\/a>.<\/p>\n<p>If you were able to log in, go to your account settings and check the authenticity of the notification. Each social network has its own interface; here\u2019s how <a href=\"https:\/\/www.facebook.com\/help\/fblite\/1956527391029758?helpref=faq_content\" target=\"_blank\" rel=\"nofollow noopener\">Facebook<\/a> and <a href=\"https:\/\/www.facebook.com\/help\/instagram\/760602221058803?helpref=related\" target=\"_blank\" rel=\"nofollow noopener\">Instagram<\/a> manage messages.<\/p>\n<p>Then, proceed to <em>Account logins<\/em>. If you see no suspicious entries, then the message was just phishing; delete and move on.<\/p>\n<p>If you do see something suspicious in the list of account logins, take action immediately to mitigate the damage:<\/p>\n<ul>\n<li>Immediately sign out of your account on all devices. On Instagram, you will have to end each session manually in the <em>Account logins<\/em> menu. Facebook can do it with a single click or tap under <em>Security and Login<\/em> in the settings. Your session on the current device will remain active.<\/li>\n<li>Confirm your phone number and e-mail address in the account settings; attackers can change those details to receive links or codes for changing account passwords. 
If they did, change them back.<\/li>\n<li>Set a new password, and make it one that is strong and that you don\u2019t use anywhere else. If you are worried about keeping track, save your passwords in a <a href=\"https:\/\/www.kaspersky.com\/password-manager?icid=gl_kdailyplacehold_acq_ona_smm__onl_b2c_kasperskydaily_wpplaceholder____kpm___\" target=\"_blank\" rel=\"noopener nofollow\">password manager<\/a>, which can also help you come up with a strong combination.<\/li>\n<li>Enable two-factor authentication to make hacking into your accounts harder for cybercriminals, even if they get your password.<\/li>\n<li>Scan all of your devices with a <a href=\"https:\/\/www.kaspersky.com\/internet-security?icid=gl_kdailyplacehold_acq_ona_smm__onl_b2c_kasperskydaily_wpplaceholder____kismd___\" target=\"_blank\" rel=\"noopener nofollow\">reliable antivirus<\/a> to ensure they are free of malware.<\/li>\n<\/ul>\n<p>Attention to security settings combined with good protection software will turn your account into a fortress.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>What to do if you receive a notification about a suspicious login to your Facebook or Instagram 
account.<\/p>\n","protected":false},"author":2581,"featured_media":38859,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[9],"tags":[20,82,765,4230,187,76,97,211,131],"class_list":{"0":"post-38858","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-tips","8":"tag-facebook","9":"tag-hacking","10":"tag-instagram","11":"tag-international-day-for-universal-access-to-information","12":"tag-passwords","13":"tag-phishing","14":"tag-security-2","15":"tag-social-media","16":"tag-tips"},"hreflang":[{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/suspicious-login-attempt-facebook-instagram\/38858\/"},{"hreflang":"en-in","url":"https:\/\/www.kaspersky.co.in\/blog\/suspicious-login-attempt-facebook-instagram\/22553\/"},{"hreflang":"en-ae","url":"https:\/\/me-en.kaspersky.com\/blog\/suspicious-login-attempt-facebook-instagram\/18048\/"},{"hreflang":"en-us","url":"https:\/\/usa.kaspersky.com\/blog\/suspicious-login-attempt-facebook-instagram\/24271\/"},{"hreflang":"en-gb","url":"https:\/\/www.kaspersky.co.uk\/blog\/suspicious-login-attempt-facebook-instagram\/22340\/"},{"hreflang":"es-mx","url":"https:\/\/latam.kaspersky.com\/blog\/suspicious-login-attempt-facebook-instagram\/21151\/"},{"hreflang":"es","url":"https:\/\/www.kaspersky.es\/blog\/suspicious-login-attempt-facebook-instagram\/24803\/"},{"hreflang":"it","url":"https:\/\/www.kaspersky.it\/blog\/suspicious-login-attempt-facebook-instagram\/24012\/"},{"hreflang":"ru","url":"https:\/\/www.kaspersky.ru\/blog\/suspicious-login-attempt-facebook-instagram\/30181\/"},{"hreflang":"tr","url":"https:\/\/www.kaspersky.com.tr\/blog\/suspicious-login-attempt-facebook-instagram\/9386\/"},{"hreflang":"fr","url":"https:\/\/www.kaspersky.fr\/blog\/suspicious-login-attempt-facebook-instagram\/16465\/"},{"hreflang":"pt-br","url":"https:\/\/www.kaspersky.com.br\
/blog\/suspicious-login-attempt-facebook-instagram\/17055\/"},{"hreflang":"pl","url":"https:\/\/plblog.kaspersky.com\/suspicious-login-attempt-facebook-instagram\/14524\/"},{"hreflang":"de","url":"https:\/\/www.kaspersky.de\/blog\/suspicious-login-attempt-facebook-instagram\/26285\/"},{"hreflang":"ja","url":"https:\/\/blog.kaspersky.co.jp\/suspicious-login-attempt-facebook-instagram\/30115\/"},{"hreflang":"nl","url":"https:\/\/www.kaspersky.nl\/blog\/suspicious-login-attempt-facebook-instagram\/26743\/"},{"hreflang":"ru-kz","url":"https:\/\/blog.kaspersky.kz\/suspicious-login-attempt-facebook-instagram\/23603\/"},{"hreflang":"en-au","url":"https:\/\/www.kaspersky.com.au\/blog\/suspicious-login-attempt-facebook-instagram\/28932\/"},{"hreflang":"en-za","url":"https:\/\/www.kaspersky.co.za\/blog\/suspicious-login-attempt-facebook-instagram\/28740\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/www.kaspersky.com\/blog\/tag\/tips\/","name":"tips"},"_links":{"self":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/38858","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/users\/2581"}],"replies":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/comments?post=38858"}],"version-history":[{"count":3,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/38858\/revisions"}],"predecessor-version":[{"id":38862,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/38858\/revisions\/38862"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/media\/38859"}],"wp:attachment":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/media?parent=38858"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"ht
tps:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/categories?post=38858"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/tags?post=38858"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}