Hack Any Instagram Account

Hacking any Instagram account was not possible before, but a bug bounty hunter has found ways to do it. Arne Swinnen, a bug bounty hunter from Belgium, discovered two vulnerabilities in Instagram that allowed him to brute-force the password of any Instagram account with minimal effort.

Hack Any Instagram Account:

Arne Swinnen said in a blog post that “Brute force attack issues are exploitable due to weak password policy of Instagram and its practice of using incremental user IDs”. He also said that “These vulnerabilities can allow a hacker to hack any Instagram account without any user interaction”. He posted a lot of information about these vulnerabilities in the blog post “InstaBrute: Two Ways to Brute-force Instagram Account Credentials”.

Brute Force Attack Using Android API Can Hack Any Instagram Account:

Hackers can perform a brute-force attack against any Instagram account using its Android mobile login API URL. Weak and improper security implementations were found in its Android API.

Arne Swinnen wrote in his blog post that when he began his brute-force attempts, Instagram replied “Your password is incorrect” for the first 1000 attempts, but for the next 1000 attempts Instagram’s server replied “User not found”. Arne Swinnen continued the brute-force attack, and after 2000 attempts he was getting a reliable response from Instagram’s server.

According to Arne Swinnen’s discovery, a hacker can write a script to make brute-force attempts many times. The script keeps running until it gets a reliable response. Swinnen wrote a script to test 10,001 passwords against an Instagram account.


Arne Swinnen suggested to Instagram: “To stop these kinds of brute-force login attempts, Instagram should limit the account authentication requests”.


Hacker Can Hack Any Instagram Account With Brute-Force Attack using the Web-based Registration System:

The second vulnerability was also found in Instagram by Arne Swinnen, and he reported it to Facebook in May 2016.

This vulnerability affects Instagram’s web registration system. It lets hackers carry out another brute-force attack against the Instagram web-based registration endpoint, which does not trigger an account lockout and also lacks security measures.

To prove this vulnerability, Arne Swinnen registered a test account on Instagram and recorded its HTTP request. Swinnen then removed the username and password from the HTTP request and received an error from the Instagram server: “Those credentials belong to an active Instagram account.”

Arne Swinnen found that no limits were applied on Instagram’s registration page. He brute-forced more than 10,000 requests with an incorrect username and password and received an affirmative response from the page.

Arne Swinnen reported both vulnerabilities to Facebook, and Facebook awarded him $5,000. The Instagram vulnerabilities are now patched by limiting login attempts and using a stricter password policy.
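The mitigation described above, limiting authentication requests per account on both the login API and the registration endpoint, can be sketched as follows. This is an added example, not Instagram's or Swinnen's code; the function names, the constructed user store and the 5-attempts-per-300-seconds budget are assumptions.

```python
import hashlib
import hmac
import time
from collections import defaultdict, deque

class AttemptLimiter:
    """Sliding-window cap on credential checks, keyed by the targeted account."""

    def __init__(self, max_attempts=5, window=300.0, clock=time.monotonic):
        self.max_attempts, self.window, self.clock = max_attempts, window, clock
        self._seen = defaultdict(deque)  # account -> timestamps of recent checks

    def allow(self, account):
        now, q = self.clock(), self._seen[account.strip().lower()]
        while q and now - q[0] >= self.window:  # drop checks older than the window
            q.popleft()
        if len(q) >= self.max_attempts:
            return False
        q.append(now)
        return True

def _digest(password, salt=b"constructed-demo-salt"):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)

# Constructed sample user store (assumption): username -> password digest.
USERS = {"test_account": _digest("correct horse battery staple")}

def login(limiter, username, password):
    """Same status and message for a wrong password and an unknown user."""
    if not limiter.allow(username):
        return 429, "Too many attempts, try again later"
    stored = USERS.get(username.strip().lower())
    # Always compute and compare a digest so unknown users cost the same work.
    ok = hmac.compare_digest(stored or _digest(""), _digest(password)) and stored is not None
    return (200, "OK") if ok else (401, "Invalid credentials")

def register(limiter, username, password):
    # Registration draws on the same per-account budget as login and never
    # reports whether the submitted password matches an existing account.
    if not limiter.allow(username):
        return 429, "Too many attempts, try again later"
    key = username.strip().lower()
    if key in USERS:
        return 409, "Username unavailable"
    USERS[key] = _digest(password)
    return 201, "Created"
```

Because the limiter is keyed on the targeted account rather than the client, the budget still applies when guesses arrive from many sources, and the injectable clock makes the window testable.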

Instagram users are now advised to set a strong password on their accounts rather than a simple one. Users are advised to build a strong password from a combination of letters, numbers and special characters.