Whenever you get a text or notification containing some security code for a login attempt, you should never ignore it. And that couldn’t be any more true if you didn’t initiate the login request to begin with.
Here’s what I mean. The other day, I received a notification from Instagram containing a code I needed to use to log into my account. Problem number one is that I didn’t notice this message for a few hours — I think I was playing Starcraft II at the time. Problem number two, the much bigger issue, is that I never attempted to log into my Instagram account all day. (Again, busy killing Protoss.)
At first, I was tempted to shrug it off because hey my two-step authentication is working and that’s good. But then two other thoughts came to mind: I remembered that I had actually set up Instagram to use two-factor authentication — login codes should have been generated by a separate app on my phone, not sent to me in a text message — and, wait, that means that someone has my password and is trying to log in as me.
I can’t explain why Instagram sent me a text message with a login code, but I can explain the password bit. I pulled up my password manager of choice, 1Password, and looked up Instagram. And, of course, 1Password let me know that my password was an older one that had already been associated with my login email via one of the many data breaches that happen each year to various services.
Screenshot: David Murphy
Yes, I didn’t take my own advice about using unique passwords when I first set up my Instagram account. I couldn’t even tell you when that was, but I was much younger and stupider then.
Here’s the thing, though: at first, I was tempted to brush off that two-step authentication notification, simply because I knew that anyone trying to get into my account wouldn’t be able to do anything without that number. In other words, I was about to ignore it, since, hey, account security is working perfectly!
That’s the completely wrong approach to take, and I’m glad my common sense prevailed over my temporary laziness. Whenever you receive a login notification — whether that’s in the form of a code you’d need to enter to complete the process or a simple, “hey, someone new just logged into your account, FYI” kind of a message — do not ignore it if it wasn’t you. This is a great time to change your password, instead; in fact, I would go so far as to say it’s the best time.
Don’t get lulled by the false sense of security that comes from the fact that someone might need a bit more information to actually log into your account. Your security is already compromised, and you should be running to your phone, laptop, or desktop computer to update your password to something stronger, more secure, and unique.