Hackers are taking control of high-profile Instagram accounts and holding them to ransom, Sophos reported.

“At least four influencers have lost control of their accounts and received demands to send Bitcoin for their return, but in some cases the attackers retained control or deleted the accounts,” the security company said.

Sophos said that a clue to the root of the problem may be found in an August blog post by Instagram which stated that the service currently only supports SMS-based two-factor authentication (2FA).

“We’re working on additional two-factor functionality with more to share soon,” Instagram said.

Using SMS for two-factor authentication leaves you vulnerable to SIM swap fraud, Sophos said.

South Africans are all too familiar with this kind of attack, as SMS was a popular form of two-factor authentication used by banks.

Criminals who perpetrated Internet banking fraud used SIM swap attacks to gain access to people’s online banking profiles, from where they could transfer money to an account they could withdraw cash from.