
How Hackers Reportedly Side-Stepped Google's Two-Factor Authentication


Two-factor authentication is generally seen as the safest bet for protecting your Gmail account. But a harrowing tale from indie developer Grant Blakeman, whose Instagram was hacked through Gmail, reveals how not even two-factor authentication can beat every security threat.


Writing on Ello, Blakeman describes how hackers gained access to his Instagram account through his Gmail. Even though he had two-factor turned on, the hackers were able to reset his Instagram password through Gmail and take control of his account (which has since been restored). So how did they do it? Blakeman says that Wired's Mat Honan, himself a veteran of an epic hack, helped him by suggesting he check with his cellphone provider.

It turns out his number had been forwarded to a different number—which is how the hackers gained access:

The attack actually started with my cell phone provider, which somehow allowed some level of access or social engineering into my Google account, which then allowed the hackers to receive a password reset email from Instagram, giving them control of the account.


After the post appeared on Hacker News, more details emerged about how easy it is to bypass security questions through cell providers. As commenter jasonisalive—who works for a provider—put it, service reps often receive commissions based on customer satisfaction, creating "a constant tension between providing a good customer experience and protecting security and privacy."

That means a choice between upholding privacy standards and pissing off his customers. "So where do you draw the line between customer support and customer security without either enraging real customers or allowing people to illegally access customer accounts?" asked another reader.

Luckily, Blakeman had the wherewithal and knowledge to investigate and ultimately restore his accounts. But his story is a cautionary one: No matter how bulletproof two-factor authentication seems, no security system is perfect. [Hacker News]

This only works if your second factor is a text message. I don't trust text messages as a second factor because of issues like this - are your texts forwarded to another number? Do you sync your texts with a service like MightyText or similar? Can a CS rep read your text messages?

Use a time-boxed code generator like Google Authenticator wherever possible. That's a protected service that doesn't exist outside your phone.