Instagram name change...

This is the second time I receive an Instagram request for change to the wrong account and all. So I was thinking I could show this here.

It's actually not a bad idea from the hacker. They tell you that the name of your account changed (can it?! really?) and if you'd like to fix, click on this link here.

The problem in their message is that they include the old name which for about 100% of the users would look wrong. But who pays attention to that anyway?!

Then they send you to a form where you have to log backj in before you can fix your name back to normal. Only, that's not instagram, it's a hacked website. Armed with that info, you can then send you to the real Instagram. In the meantime, they've got a fresh copy of your password. Hopefully, you're not here reading about this AFTER you've entered your password. If so, make double sure to change your password after you sure went to your Instagram account.

Note: these may happen with your other account (i.e. Facebook, LinkedIn, GMail, Hotmail, etc.)


The links were:

https://instagram.com/accounts/disavow/ch4tavy/kojTXMs5/
    ?re=YWxleGlzd2lsa2VAZ21haWwuY29t
    &eu=d2hvbGVzb21lX2ho
    &ce=dXNlcm5hbWVfY2hhbmdlZA
    &ndid=59c0ca4f0256bG24bc332daf445eG59c0cee86283eG826

and the "Remove your email":

https://instagram.com/accounts/remove/report_wrong_email/ch4tavy/5d3-2e3956953653e7030fd03a4c665bbf19/PcoC9Sfm/YWxleGlzd2lsa2VAZ21haWwuY29t/

As we can see, it uses key, which is pretty advanced for a hacker. (Just kidding. It's dead easy to use, it's just uncommon.)


Return-Path: alexis@m2osw.com
X-Original-To: alexis@m2osw.com
Delivered-To: alexis@m2osw.com
Received: from mail-qk1-f175.google.com (mail-qk1-f175.google.com [209.85.222.175])
	(using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
	(No client certificate requested)
	by m2osw.com (Postfix) with ESMTPS id 6748C3FBAB
	for <alexis@m2osw.com>; Mon, 13 Jan 2020 22:24:04 +0000 (UTC)
DMARC-Filter: OpenDMARC Filter v1.3.1 m2osw.com 6748C3FBAB
Authentication-Results: mail.m2osw.com; dmarc=fail header.from=mail.instagram.com
Authentication-Results: m2osw.com;
	dkim=pass (1024-bit key; unprotected) header.d=mail.instagram.com header.i=@mail.instagram.com header.b=OG39+uXE;
	dkim-atps=neutral
Received: by mail-qk1-f175.google.com with SMTP id z76so10330561qka.2
        for <alexis@m2osw.com>; Mon, 13 Jan 2020 14:24:04 -0800 (PST)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:delivered-to:dkim-signature:date:to:subject:from
         :reply-to:errors-to:list-unsubscribe:feedback-id:message-id
         :mime-version:content-transfer-encoding;
        bh=WBQPtl2h9v8ZlmAQBxpj54mVB2tvx193b28RzAOrrrI=;
        b=qgAr8XD2BZc3vvQbQlprezvZI/9wclYwq9IkSy10R088Ns0kXtaUGqNvUQpcMDn+nH
         MvLJOAuy+AOeJdGr8XKAOPNXso9skW5hvOHYV8EpJKIx6tSH8ppbpTZP5jKccYrKu8H9
         3C2F1xiuabVrLk3MTc4SlHOY24//YTVRXaRsATC2bw/KfZFPhNuLUMSTvqwZitGSyEj0
         w54SR8bjOzefhMoQ2l359UXdEfxd18l3Cr5+u9MHr26tATupeU/fJzb9qTvOU3687zxN
         4JcOh9+rurmjI+FmexljVtKqjEeNdzlr7fgUrNMkPnkVlQFCUO8k4B6eW8Cz+uMS6f/4
         18Tw==
X-Gm-Message-State: APjAAAVWh2PdcSaW+lZB3TTeQNxPa1BkFqmad+5yLNEha+H1euBKkW8N
	EkXRIwkpQBDBXh+PFSrXAaE5MKgOlirgQmqANgLIn5mV0hoz8yw=
X-Received: by 2002:a37:65c8:: with SMTP id z191mr18533967qkb.176.1578954243351;
        Mon, 13 Jan 2020 14:24:03 -0800 (PST)
Received: by 2002:aed:3941:0:0:0:0:0 with SMTP id l59csp4546564qte;
        Mon, 13 Jan 2020 14:24:02 -0800 (PST)
X-Google-Smtp-Source: APXvYqxKUIuLGOPEntW9igwvlvoH3d1xWCfwxKuGbXENNFjAq2MOlyJJov86QisDvoIsuBpUDFyS
X-Received: by 2002:a63:70e:: with SMTP id 14mr22681526pgh.266.1578954242178;
        Mon, 13 Jan 2020 14:24:02 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1578954242; cv=none;
        d=google.com; s=arc-20160816;
        b=HrZcpswdVIQQ375mY91UEEGvQ1dpniepV2UYW7RXtOqixHip4xBovcXb4sqBAJZWHj
         3uBjLkh+rMIueWX5mehceRB+xi7hnEK5K1ZiAD3Cr8WOy/IaARM7/REnAefO6ISOdlSQ
         5UojZGVe9ZKHIuEcehVwfIUI1vvk/DYqCxksPdGTSNScppcrEoFPtbS7QHyHiQjrEDJP
         F3IleF68fKHj/buUu77DA3JU33eIFixaFmKcol7WBQ+xsugPCkuyjP05gwl1KLthEnak
         v49ttQJchJ/UYuRJR4noIsKugMr4tURsZ96+qHK0Ozhz0A2vZ+2MXh2JqVWYveyb0ajx
         8/sA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=content-transfer-encoding:mime-version:message-id:feedback-id
         :list-unsubscribe:errors-to:reply-to:from:subject:to:date
         :dkim-signature;
        bh=WBQPtl2h9v8ZlmAQBxpj54mVB2tvx193b28RzAOrrrI=;
        b=D+ZIzKNfSlNpHrs704N2HYp0Z2DOVA9CtbCW+jAHyORjNwxPa9LuWIB/Jtiw1U3zlT
         9C51NSBsoeSAd/FVaCH4Fj2sbEVmciU3XpL3Hjgpb1mMse+6h6Nrym59iASH0AvGul4P
         uDRcS+kuTpUtkE+UFaTxtgAyA5D/POfnC/cWjWbl/R/rRcyxGThiS8AJuU26duTOK4Th
         SylyWNIUc4/LB10ufkFuowodd+HqsxM0UKb6sWAOKKUn95eLDCsvBWIvvZJLxgY3pYtQ
         0deRBrBsZhXmfpSodY/6b2Vlj1Fn7L8IHHpYB375YQlJndvB8nLqH1Im2GZ218Ig8B7q
         XmRA==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@mail.instagram.com header.s=s1024-2013-q3 header.b=OG39+uXE;
       spf=pass (google.com: domain of security@mail.instagram.com designates 66.220.144.145 as permitted sender) smtp.mailfrom=security@mail.instagram.com;
       dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=mail.instagram.com
Received-SPF: pass (google.com: domain of security@mail.instagram.com designates 66.220.144.145 as permitted sender) client-ip=66.220.144.145;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@mail.instagram.com header.s=s1024-2013-q3 header.b=OG39+uXE;
       spf=pass (google.com: domain of security@mail.instagram.com designates 66.220.144.145 as permitted sender) smtp.mailfrom=security@mail.instagram.com;
       dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=mail.instagram.com
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=mail.instagram.com;
	s=s1024-2013-q3; t=1578954238;
	bh=WBQPtl2h9v8ZlmAQBxpj54mVB2tvx193b28RzAOrrrI=;
	h=Date:To:Subject:From:MIME-Version:Content-Type;
	b=OG39+uXEazdAeBkccsWchEQszGxv1YDvaoG5mlBFutS5V4VEOcamwB2LZiu9wgDch
	 9u1CEmHPi85XNDvO37lgqKcmne5XdY7AgoFm+9ToDHGNs3H9NB0+5UMcFeQEXKzVNG
	 GJWte1vpZg2/7JL35Mk2i/pzQn9GSbmskTIioItk=
Received: from facebook.com (kRJnksMu5QAJCtQN12DrmKT1hzdFwIMgbEMhbAwiqnFhoNnvx9d7wzE4tRUagXEh 2401:db00:0030:5123:face:0000:0009:0000)
 by facebook.com with Thrift id 64c4426a365311ea84c4000af7a3062e-15bd3b0;
 Mon, 13 Jan 2020 14:23:58 -0800
X-Facebook: from 2401:db00:30:31b4:face:0:70:0 ([MTI3LjAuMC4x])
	by www.facebook.com with HTTPS (ZuckMail);
Date: Mon, 13 Jan 2020 14:23:58 -0800
To: alexis@m2osw.com
Subject: Username Changed on Instagram
X-Priority: 3
X-Mailer: ZuckMail [version 1.00]
From: "Instagram" <security@mail.instagram.com>
Reply-to: Instagram <security@mail.instagram.com>
Errors-To: security@mail.instagram.com
X-Facebook-Notify: ig_contact_point_changed; mailid=59c0ca4f0256bG24bc332daf445eG59c0cee86283eG826
List-Unsubscribe: <https://instagram.com/accounts/remove/report_wrong_email/ch4tavy/5d3-2e3956953653e7030fd03a4c665bbf19/PcoC9Sfm/YWxleGlzd2lsa2VAZ21haWwuY29t/>
Feedback-ID: 9999:ig_contact_point_changed:Facebook
X-FACEBOOK-PRIORITY: 0
X-Auto-Response-Suppress: All
Message-ID: <dcc6fac4cf749a962abce016b3d164ce@3e723b591bdb95ce8f5c9b7032dc572ca97351d0da5efc73459c1fbaf438e43b>
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Content-Type: text/html; charset="UTF-8"

 

 

 

 

 

 

 

 

 

 

 

 

 
 
 
Instagram
 
     
   
   

The username for your Instagram account was changed from wholesome_hh at 14:23 (PDT) on Monday, January 13 2020.

Your new username is cough_hh. If you didn't change your username, you can secure your account here.

   
 
   
from Facebook
 
© Instagram. Facebook Inc., 1601 Willow Road, Menlo Park, CA 94025
This message was sent to alexis@m2osw.com and intended for cough_hh. Not your account? Remove your email from this account.
   
 

(Here they had a facebook picture for tracking purposes.
It's called the Facebook pixel)