If you think the two-factor authentication offered by Google and other cloud services will keep your account out of the hands of an attacker, think again. One developer found out this weekend the hard way; Google’s account protection scheme can be bypassed by going after something most people would consider an even harder target—the user’s cell phone account.

As Wired’s Mat Honan found out two years ago, customer service representatives are the weakest link in cloud security. And mobile phone carrier customer service representatives are just as susceptible to social engineering attacks, apparently. That’s what Grant Blakeman, an independent software developer and designer, learned when he woke up to find his Google account’s password had been changed and his Instagram account—desirable because of its two-letter name (@gb)—had been hijacked despite the use of two-factor authentication on his Google account.

Blakeman contacted his cell provider after an online conversation with Honan about what happened. He found that someone enabled call-forwarding on his cell account without his knowledge. That call-forwarding setup allowed the attacker to get an authentication code from Google to take over his Gmail address, which was in turn tied to his Instagram account.

As Blakeman found, and as Ars has previously reported, most cell carriers allow for a customer to enable a voice response question or verbal “entrance” passcode that can be used to prevent an attacker from fooling a customer service representative into giving them access to an account. If your cell number is public, having this sort of a code is an essential part of securing your cloud accounts.

In a post on Ello about the experience, Blakeman said his biggest mistake was likely the fact that he used an e-mail account “that was basically my name… I’ve since moved all important accounts that allow password reset e-mails to a different address that does not contain my name [and] you might want to consider doing that too.”

As of this morning, Blakeman has regained control of his Instagram account—but only because of the personal intervention of an Instagram team member.