April 30, 2021
3 mins read

Steal Instagram accounts with tokens

instagram smartphone
Photo by Cristian Dina on Pexels.com

Instagram is a social network to share images about you or your business. There are many profiles that monetize your account and it is very appetizing for cyber criminals. In this article I will comment on how they manage to access your instagram account by sending you a login token or tokens.

A token is similar to a museum watchman. Allows you to enter the museum if the visitor has a permit to do so. The token or tokens are permission, the document we show the watchman to enter the museum. The tokens contains the security credentials to log into your session and identifies the user, user groups, user privileges, in some cases, to a particular application.

SMS to regain fake access

The SMS seen in Fig 1 can reach you with a number from Spain, +34 671 467 469.

sms tokens
Figure 1. SMS with link to recover the account

This message invites me to recover my Instagram password by clicking on the link it provides. As a general rule we should NEVER click on these links. What we do have to do is copy that link to work with it.

How to check where the link is going

The link comes from a link shortener that uses Instagram, https://ig.me, but the final part is the key, since it has a series of letters that don’t give me any clues where it goes. We use the wheregoes page to know where that link is pointing. Important: this should not be done since doing so activates the token. If you do, please change your account password and revoke access immediately.

Figura 2. Redirección 301 del enlace que viene en el SMS

As you would expect it is a redirect (it comes from a shortened link) that does not lead to any external page to Instagram http suspicious, but is a token of this social network. Every social network have their own tokens.

Suspicious login on Instagram with tokens

Both the mobile version and the pc version inform me that someone has tried to access an account and puts the location of the attempted access to the account. Unlike sms, which seems to come from Spain (prefix +34) however, Instagram informs me that suspicious access is from California.

instagram tokeninstagram token

Figure 3. Comparison between Instagram app messages on pc (left) and pc (right)

At this point and since obviously it wasn’t we have to click on the button It wasn’t me. Next we will have to change the password.

Tips to improve the security of your account

Here are some tips you can follow to help keep your account safe:

  • Choose a strong password.  Use a combination of at least six numbers, letters, and punctuation marks (such as “!” and “&”). It’s very important a unique password, that you only use on Instagram. Use password managers who do the work for you, and who keep a complicated password
  • Change your password regularly, especially when you see an Instagram message that prompts you. As we have seen in this SMS that comes to our account and the subsequent attempt to log in Instagram automatically asks us to change it. .
  • Never share your password with someone you don’t know and don’t trust.
  • Turn on two-factor  authentication for increased account security.
  • Make sure your email account is protected. Keep in mind that everyone who can access your email is likely to also be able to access your Instagram account. Have different passwords for social media accounts.
  • Sign out of Instagram when you use a computer or phone you share with others. In a public place it’s never a good idea for you to access a social network. . Also, if you log in to Facebook from a public computer, don’t check the “Remember password” box, as doing so will keep you connected even after you close the browser window.
  • Think about it before giving your authorization to third-party apps. It’s never a good idea unless you’ve done it yourself. If you see access to a third-party app, turn that access off.

How to know who accessed your Instagram account

In the https://www.instagram.com/accounts/access_tool/  you can see all the accesses your Instagram account has had. There’s a lot of relevant information about your Instagram account, such as when you joined the platform. The most important section is privacy and security.

instagram tokens
Figure 4. Your Instagram accoun details

Ways to improve your privacy and security on Instagram

The mejhor form, as long as nothing new is discovered, is to enable a double authentication factor. To do this, https://www.instagram.com/accounts/two_factor_authentication/  and enable the option you want. After enabling you will have some recovery codes that you will only be able to see as can be seen in Fig. 5.

codigos de recuperacion instagram

Figure 5. Double-factor privacy and security on Instagram

Authentication can be by text message sent to your mobile phone or by using an authentication app.


Stealing social media accounts through tokens is something you have to be careful about. If someone you don’t know sends you an sms or email with a link asking you to change your account details, don’t listen to them.

It’s always a good idea to first go into the social network to see that everything is in order. The social network itself will inform you if there is any suspicious activity and you can act from the same platform to avoid them. Activating a dual authentication factor will strengthen the security of your account.

User Avatar

Avelino Dominguez

👨🏻‍🔬 Biologist 👨🏻‍🎓 Teacher 👨🏻‍💻 Technologist 📊 Statistician 🕸 #SEO #SocialNetwork #Web #Data ♟Chess 🐙 Galician

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

instagram smartphone
Previous Story

Robo de cuentas de Instagram con tokens

photo of woman writing on tablet computer while using laptop
Next Story

Tools to improve the design of your website


Don't Miss

apple office internet ipad

How to download your data from social networks

Nowadays social networks store thousands of
close up shot of keyboard buttons

Cómo descargar tus datos de las redes sociales

Hoy en día las redes sociales