Hackers Abuse TikTok and Instagram APIs to Verify Stolen Account Credentials

Cybercriminals are using the Python Package Index (PyPI) to distribute tools that abuse TikTok and Instagram APIs to check whether stolen email addresses and usernames belong to live accounts.

Security researchers at Socket have identified three such packages: checker-SaGaF, steinlurks, and sinnercore. All three automate the validation of email addresses and usernames against the two platforms.

PyPI package sinnercore

Published between April 2023 and March 2025, the packages are a supply chain risk in their own right: any project that installs them pulls in code that makes unauthorized network requests to third-party platforms.


By abusing private API endpoints, threat actors can confirm that an email address or username belongs to an existing account. A confirmed list is the input for follow-on attacks such as credential stuffing and password spraying, or is simply sold as verified data on dark web marketplaces.

Malicious Python Packages

The checker-SaGaF package, for instance, targets TikTok and Instagram by exploiting their internal password recovery APIs.

Its functions, Tik() and Insta(), forge HTTP headers and request bodies to mimic the official apps, insert the target email into a password-recovery request, and classify the account from the response: a “Sent Successfully” message on TikTok, or a particular error code on Instagram, confirms that the account exists.

steinlurks takes the same approach against Instagram with five distinct functions that randomize the User-Agent string and cycle through multiple API endpoints, spreading the requests so that no single endpoint or client fingerprint accumulates enough traffic to trip rate limiting or detection.

PyPI package steinlurks
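The rotation described above only defeats rate limits that are keyed on the things being rotated. The following is an added example (not code from the Socket report or from steinlurks) of detection logic run over a constructed access log: a naive limiter keyed on (source, User-Agent, endpoint) never trips, while a limiter keyed on the source alone that counts distinct target addresses across all recovery endpoints does. The log format and sample lines are constructed for this demo; two of the paths in RECOVERY_PATHS are the endpoints from the article's IoC table, the third is hypothetical.

```python
"""Detecting password-recovery enumeration that rotates User-Agents and endpoints.

Added example, not code from the Socket report or the steinlurks package. The log
format and sample lines are constructed; two RECOVERY_PATHS entries come from the
article's IoC table, the third is hypothetical.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

RECOVERY_PATHS = {
    "/aweme/v1/passport/find-password-via-email/",             # IoC table (TikTok)
    "/api/v1/bloks/apps/com.bloks.www.caa.ar.search.async/",  # IoC table (Instagram)
    "/recover/lookup",                                         # hypothetical
}

# Constructed sample log: one source rotating UA and path across six distinct
# target addresses in under a minute, plus one ordinary user retrying once.
SAMPLE_LOG = """\
2025-05-01T10:00:01Z 203.0.113.5 POST /aweme/v1/passport/find-password-via-email/ email=t1@example.com ua="Mozilla/5.0 (Android 10)"
2025-05-01T10:00:04Z 203.0.113.5 POST /api/v1/bloks/apps/com.bloks.www.caa.ar.search.async/ email=t2@example.com ua="Mozilla/5.0 (iPhone)"
2025-05-01T10:00:08Z 203.0.113.5 POST /recover/lookup email=t3@example.com ua="okhttp/4.9"
2025-05-01T10:00:13Z 203.0.113.5 POST /aweme/v1/passport/find-password-via-email/ email=t4@example.com ua="Mozilla/5.0 (iPhone)"
2025-05-01T10:00:19Z 203.0.113.5 POST /api/v1/bloks/apps/com.bloks.www.caa.ar.search.async/ email=t5@example.com ua="okhttp/4.9"
2025-05-01T10:00:27Z 203.0.113.5 POST /recover/lookup email=t6@example.com ua="Mozilla/5.0 (Android 10)"
2025-05-01T10:00:30Z 198.51.100.9 POST /recover/lookup email=me@example.com ua="Mozilla/5.0 (Windows)"
2025-05-01T10:00:52Z 198.51.100.9 POST /recover/lookup email=me@example.com ua="Mozilla/5.0 (Windows)"
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<ip>\S+) POST (?P<path>\S+) email=(?P<email>\S+) ua="(?P<ua>[^"]*)"$'
)


def parse_log(text):
    """Return recovery-endpoint requests as dicts sorted by time; other lines are ignored."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["path"] not in RECOVERY_PATHS:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def per_ua_endpoint_limiter(events, limit=3, window_s=60):
    """The kind of rate limit the rotation is built to slip under: keyed on
    (ip, ua, path). Returns the keys that exceeded `limit` requests per window."""
    hits = defaultdict(deque)
    tripped = set()
    for ev in events:
        key = (ev["ip"], ev["ua"], ev["path"])
        q = hits[key]
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] > timedelta(seconds=window_s):
            q.popleft()
        if len(q) > limit:
            tripped.add(key)
    return tripped


def enumeration_alerts(events, min_targets=5, window_s=60):
    """Rotation-resistant detection: key on the source only and count distinct
    target addresses sent to *any* recovery endpoint inside the window."""
    recent = defaultdict(deque)  # ip -> (ts, email, ua, path) within the window
    alerts = {}
    for ev in events:
        q = recent[ev["ip"]]
        q.append((ev["ts"], ev["email"], ev["ua"], ev["path"]))
        while q and ev["ts"] - q[0][0] > timedelta(seconds=window_s):
            q.popleft()
        targets = {e for _, e, _, _ in q}
        if len(targets) >= min_targets:
            alerts[ev["ip"]] = {
                "targets": len(targets),
                "user_agents": len({u for _, _, u, _ in q}),
                "endpoints": len({p for _, _, _, p in q}),
            }
    return alerts


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("naive limiter tripped:", per_ua_endpoint_limiter(evs))
    print("enumeration alerts:", enumeration_alerts(evs))
```

On the sample, the naive limiter returns an empty set while the source-keyed detector flags 203.0.113.5 with six targets, three User-Agents and three endpoints in one window; the retrying user at 198.51.100.9 is not flagged because it only ever names one address. In production the same logic should also be keyed on coarser groupings (ASN, /24, account-creation cohort) because a determined operator rotates source addresses as readily as User-Agents.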

The sinnercore package goes a step further: it triggers Instagram's password reset flow through outdated app endpoints, which confirms the account, potentially floods the victim with reset emails, and lets the operator gather account data at the same time.

These tools do not just validate addresses; they let threat actors build databases of confirmed-active accounts, which dark web marketplaces sell for as little as $300 per 100,000 verified emails, or $0.003 per email.

Exploiting API Endpoints for Credential Validation

Such low prices show how cheap and scalable these operations are, and a verified list raises each victim's exposure to follow-on abuse such as doxxing, spam, or account suspension through fake abuse reports.

The underlying weakness goes well beyond these two platforms: any API or error message that responds differently depending on whether an account exists hands attackers an account-enumeration oracle.
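To make the oracle concrete, here is an added example (not code from the Socket report or from checker-SaGaF) covering both the checker logic described above for Tik() and Insta() and the fix for the enumeration weakness: a hypothetical password-recovery handler in its leaky form, the same handler returning a uniform response, and the attacker-side routine that fingerprints one known account and matches candidates against it. The user store, the two handlers and the Response type are stand-ins for a platform's recovery API.

```python
"""Account enumeration through a password-recovery endpoint: leaky vs. uniform.

Added example; not code from the Socket report or from the packages it describes.
USERS, both handlers and Response are hypothetical stand-ins for a platform's
recovery API. The leaky handler reproduces the response shape the checkers key
on; the uniform handler is the fix.
"""
from dataclasses import dataclass

# Constructed sample of accounts that exist on the platform (hypothetical).
USERS = {"alice@example.com", "bob@example.com"}
RESET_QUEUE = []  # stands in for the outbound mail queue


@dataclass(frozen=True)
class Response:
    status: int
    body: str


def leaky_recover(email: str) -> Response:
    """Vulnerable handler: status and message differ by whether the account
    exists, which is exactly the signal an enumeration tool reads."""
    if email in USERS:
        RESET_QUEUE.append(email)
        return Response(200, "Sent Successfully")
    return Response(404, "No account found for this email")


def uniform_recover(email: str) -> Response:
    """Hardened handler: same status and body whether or not the account exists.
    The reset mail is still only queued for real accounts, but nothing in the
    response reveals which branch ran."""
    if email in USERS:
        RESET_QUEUE.append(email)
    return Response(200, "If an account exists for this address, a reset link has been sent")


def enumerate_accounts(endpoint, candidates, probe_account):
    """What a checker does: fingerprint the response for an account the operator
    knows exists (their own), then report every candidate whose response matches.
    Against a uniform endpoint every candidate matches, so the result carries no
    information: it is identical to the input list."""
    fingerprint = endpoint(probe_account)
    return {c for c in candidates if endpoint(c) == fingerprint}


if __name__ == "__main__":
    cands = ["alice@example.com", "carol@example.com"]
    print("leaky  :", enumerate_accounts(leaky_recover, cands, "bob@example.com"))
    print("uniform:", enumerate_accounts(uniform_recover, cands, "bob@example.com"))
```

Uniform responses are necessary but not sufficient: the existing-account branch still does more work (queueing mail, hitting the database), so response latency can leak the same bit. Do the expensive part asynchronously or perform equivalent work on both paths, and rate-limit recovery requests per source as well, since an oracle that is merely slower is still an oracle.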

Once validated, such lists become the first link in longer exploit chains; the 2015 Ukraine power grid attack, in which stolen credentials gave the attackers a foothold on the operators' network, is the standard reminder of how far a credential-based chain can reach.

Socket's report recommends that users watch for leaked credentials and rotate passwords regularly, and that developers review their API responses so that error handling never reveals whether an account exists.

Tools like Socket’s GitHub App, CLI, and Browser Extension can flag risky dependencies in real time.

As threat actors keep refining their evasion tactics, evident in steinlurks’ rotation of endpoints and User-Agent strings, both users and platforms must remain vigilant against these automated threats.

Indicators of Compromise (IoC)

Category                     Indicator
Infrastructure               hxxps[://]i[.]instagram[.]com/api/v1/bloks/apps/com[.]bloks[.]www[.]caa[.]ar[.]search[.]async/
                             hxxps[://]api2-19-h2[.]musical[.]ly/aweme/v1/passport/find-password-via-email/
Malicious Python Packages    sinnercore, steinlurks, checker-SaGaF
Threat Actor PyPI Usernames  sinpy, stein_sharma, SaGaF
Threat Actor Emails          sinnermurphy@hi2[.]in, dxa00776@gmail[.]com
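A practical use of the IoC table is to triage a package before it reaches an environment. The following is an added example (not Socket's tooling) of a static scan over a downloaded package: it walks the AST of each module for URL string literals and checks their hostnames against the re-fanged IoC hosts, and it normalizes names in a requirements listing against the three package names. IOC_HOSTS and IOC_PACKAGES come from the table above; SUSPECT_DOMAINS is an assumption about what else deserves a look; SAMPLE_MODULE is a constructed stand-in for a checker's source, not code from any of the three packages.

```python
"""Static triage of a downloaded Python package for hardcoded social-media
recovery endpoints, keyed on the article's IoC table.

Added example; not Socket's tooling. IOC_HOSTS and IOC_PACKAGES are from the
IoC table (re-fanged); SUSPECT_DOMAINS is an assumption; SAMPLE_MODULE is a
constructed stand-in, not code from any of the three packages.
"""
import ast
import pathlib
import re
from urllib.parse import urlsplit

IOC_HOSTS = {"i.instagram.com", "api2-19-h2.musical.ly"}
IOC_PACKAGES = {"sinnercore", "steinlurks", "checker-sagaf"}
SUSPECT_DOMAINS = ("instagram.com", "musical.ly", "tiktok.com")  # assumption

SAMPLE_MODULE = '''
import requests
def Insta(email):
    url = "https://i.instagram.com/api/v1/bloks/apps/com.bloks.www.caa.ar.search.async/"
    h = {"User-Agent": "Instagram 000.0 Android (constructed)"}
    return requests.post(url, headers=h, data={"query": email}).text
def Tik(email):
    return requests.post("https://api2-19-h2.musical.ly/aweme/v1/passport/find-password-via-email/", data={"email": email}).text
def harmless():
    return "https://pypi.org/simple/"
'''


def url_literals(source):
    """Every string constant in the module that looks like a URL, with its line."""
    for node in ast.walk(ast.parse(source)):
        if (isinstance(node, ast.Constant) and isinstance(node.value, str)
                and node.value.startswith(("http://", "https://"))):
            yield node.lineno, node.value


def scan_source(source):
    """Findings sorted by line: exact IoC hosts as 'ioc', broader platform domains as 'suspect'."""
    findings = []
    for lineno, url in url_literals(source):
        host = (urlsplit(url).hostname or "").lower()
        if host in IOC_HOSTS:
            findings.append({"line": lineno, "host": host, "url": url, "match": "ioc"})
        elif host.endswith(SUSPECT_DOMAINS):
            findings.append({"line": lineno, "host": host, "url": url, "match": "suspect"})
    return sorted(findings, key=lambda f: f["line"])


def scan_tree(root):
    """Run scan_source over every .py file under root (e.g. an unpacked sdist)."""
    results = {}
    for path in pathlib.Path(root).rglob("*.py"):
        try:
            hits = scan_source(path.read_text(encoding="utf-8", errors="replace"))
        except SyntaxError:
            continue  # not parseable as Python 3; flag for manual review elsewhere
        if hits:
            results[str(path)] = hits
    return results


def normalize(name):
    """PEP 503 name normalization, so checker_SaGaF and checker.sagaf both match."""
    return re.sub(r"[-_.]+", "-", name).lower()


def flagged_requirements(text):
    """Names in a requirements.txt-style listing that match the IoC package set."""
    flagged = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        m = re.match(r"[A-Za-z0-9][A-Za-z0-9._-]*", line)
        if m and normalize(m.group(0)) in IOC_PACKAGES:
            flagged.append(normalize(m.group(0)))
    return flagged


if __name__ == "__main__":
    for hit in scan_source(SAMPLE_MODULE):
        print(f"line {hit['line']}: {hit['match']} {hit['host']}")
```

To run it against a real candidate without installing it, fetch the source distribution with `pip download --no-deps --no-binary :all: --dest ./dl <package>`, unpack the archive, and call scan_tree() on the unpacked directory. A hit on an exact IoC host is a stop; a 'suspect' hit is a prompt to read the module by hand, since legitimate clients for those platforms exist.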



