Cybercriminals Exploit TikTok and Instagram APIs to Validate Compromised Accounts

Cybersecurity researchers have uncovered a wave of malicious software packages on the Python Package Index (PyPI) designed to systematically exploit TikTok and Instagram APIs for automated account validation.

These so-called “checker” tools allow cybercriminals to confirm whether compromised email addresses are linked to active social media accounts, significantly streamlining credential-based attacks and facilitating subsequent exploitation activities.

Automated Account Checkers

The threat landscape increasingly sees the use of credential validation as a precursor to more sophisticated attacks.

Malicious actors leverage “checkers”, automated scripts that test stolen usernames or email addresses against login or account-recovery endpoints, to assemble verified lists of live accounts.

These tools, distributed as Python packages (including “checker-SaGaF,” “steinlurks,” and “sinnercore”), were actively available on PyPI at the time of analysis before being reported and removed.

One of the most notable packages, checker-SaGaF, employs hardcoded requests to TikTok’s internal password recovery API (api2-19-h2.musical.ly) and Instagram’s private mobile endpoint (i.instagram.com/api/v1/accounts/login/).

By imitating legitimate app clients through spoofed HTTP headers and user-agents, these scripts bypass common anti-bot mechanisms and inject target emails directly into recovery or login payloads.

The TikTok component checks for “Sent successfully” in the response, confirming account existence, while the Instagram component parses response error codes to determine account validity.
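To make concrete what these checkers key on, here is an added example (not code from the page, from Socket's report, or from the packages themselves): a simulated recovery endpoint that leaks account existence through distinct status text and an error code, the inference step a checker performs on its replies, and a hardened endpoint that returns one uniform body and also throttles repeat sends per account. The user store, the error code 1003, the message strings and the 300-second cooldown are assumptions; nothing here contacts TikTok, Instagram or any network service.

```python
"""Why a recovery endpoint becomes an account-existence oracle, and the hardened form.

Added example; not code from the article or the malicious packages. USERS, the
error code 1003, the message strings and RESET_COOLDOWN_S are constructed.
"""
from typing import Optional

USERS = {"alice@example.com", "bob@example.com"}   # constructed user store
OUTBOX: list = []                                   # stands in for the mail queue
RESET_COOLDOWN_S = 300.0                            # assumed per-account cooldown
_last_reset: dict = {}                              # target -> time of last queued send


def _queue_reset_email(email: str, now: float) -> None:
    """Queue the email instead of sending inline, so response time does not depend
    on which branch ran (a timing side channel would otherwise replace the text one)."""
    OUTBOX.append((email, now))
    _last_reset[email] = now


def recovery_vulnerable(email: str, now: float = 0.0) -> dict:
    """Oracle: the two branches differ in status, message text and error code.

    This is the shape of reply the checkers parse: a success string for a real
    account, an error code for an unknown one.
    """
    if email in USERS:
        _queue_reset_email(email, now)
        return {"status": 200, "message": "Sent successfully"}
    return {"status": 400, "message": "No account found", "error_code": 1003}


def recovery_hardened(email: str, now: float = 0.0) -> dict:
    """Uniform response: identical body for known, unknown and throttled targets.

    The email goes out only for a real account and at most once per cooldown,
    which also blunts reset-spam harassment of a single victim.
    """
    last = _last_reset.get(email, float("-inf"))
    if email in USERS and now - last >= RESET_COOLDOWN_S:
        _queue_reset_email(email, now)
    return {"status": 200,
            "message": "If an account exists for this address, a reset link has been sent."}


def checker_verdict(response: dict) -> Optional[bool]:
    """The inference step of a checker: True/False from a leaky reply, None otherwise."""
    if "Sent successfully" in response.get("message", ""):
        return True
    if response.get("error_code") == 1003:          # constructed error code
        return False
    return None                                      # no signal: the endpoint is not an oracle


def enumerate_accounts(endpoint, candidates, now: float = 0.0) -> dict:
    """Run a candidate list through an endpoint and collect the checker's verdicts."""
    return {e: checker_verdict(endpoint(e, now)) for e in candidates}


if __name__ == "__main__":
    probe = ["alice@example.com", "nobody@example.com"]
    print("vulnerable:", enumerate_accounts(recovery_vulnerable, probe))
    print("hardened:  ", enumerate_accounts(recovery_hardened, probe))
```

Against the vulnerable handler every candidate resolves to a clean yes/no; against the hardened one every verdict is None, because the body is byte-identical in all cases and the only observable difference (an email arriving) is in the victim's inbox, not the attacker's response.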

Stealth and Redundancy in Instagram Checkers

Packages such as steinlurks further diversify their approaches by incorporating multiple API endpoints and randomized HTTP fingerprints.

[Image: PyPI package steinlurks]

Five distinct methods cycle between internal endpoints, including /bloks/apps/com.bloks.www.caa.ar.search.async/, /users/lookup/, and /accounts/send_recovery_flow_email/, as well as the public web AJAX endpoint /web/accounts/check_email/.

The code dynamically generates user-agent strings that mimic a variety of device, OS, and locale combinations to evade fingerprint-based detection, and spreads its requests across the different endpoints so that no single one trips rate limits or gets the client banned.

The sinnercore package shifts tactics towards account disruption, targeting the legacy Instagram API endpoint (b.i.instagram.com/api/v1/accounts/send_password_reset/).

[Image: PyPI package sinnercore]

By issuing password reset requests for specific usernames, the tool validates account existence and can also serve as a vector for nuisance or harassment attacks, sending unsolicited reset emails to victims.

According to Socket's report, these automated checkers are not benign enumeration tools: they underpin major attack chains.

Once a list of valid accounts has been curated, often starting from data purchased on dark web forums, attackers can conduct credential stuffing, password spraying, doxing, or account takeover operations with high efficiency and low detectability.

Validated account lists fetch premium prices on underground markets, with batches of 100,000 confirmed emails retailing for a few hundred dollars.

Beyond direct account abuse, the presence of these packages in open-source ecosystems like PyPI poses significant supply chain risks, potentially exposing unwitting developers and organizations to compromise.

Security experts recommend regular monitoring of credential exposure, removing detailed error responses from authentication and recovery flows so that a reply does not reveal whether an account exists, and employing behavior-based detection capable of recognizing automated abuse patterns.
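The behavior-based detection recommended here has to cope with exactly the evasion described for steinlurks above: rotating user-agents and cycling between endpoints. The following is an added example (not code from the page or from Socket's report) of a detector that groups by source address alone and ignores path and User-Agent when counting, on the reasoning that a checker can vary its fingerprint but must still push many distinct target identifiers from one source in a short time. The tab-separated log format, the sample lines, the 60-second window and the thresholds are assumptions; the paths are the ones the article names, with the /api/v1/ prefix taken from the IOC table and their grouping into one set being a choice made here.

```python
"""Behavior-based detection of account-checker traffic.

Added example; not code from the article or from Socket's report. Log format,
sample lines, window and thresholds are constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable, Hashable, Iterable, Optional

# Endpoints that reveal or act on account existence. Grouping them is the point:
# a checker that cycles between them still hits one of these on every request.
ENUMERATION_PATHS = {
    "/api/v1/users/lookup/",
    "/api/v1/accounts/send_recovery_flow_email/",
    "/api/v1/accounts/send_password_reset/",
    "/api/v1/bloks/apps/com.bloks.www.caa.ar.search.async/",
    "/web/accounts/check_email/",
    "/aweme/v1/passport/find-password-via-email/",
}
WINDOW_S = 60.0                 # assumed sliding window
TARGETS_THRESHOLD = 20          # distinct targets per window that marks a checker
UA_THRESHOLD = 5                # distinct User-Agents per group that marks rotation


@dataclass(frozen=True)
class Event:
    ts: float
    src_ip: str
    path: str
    user_agent: str
    target: str                 # hashed email/username taken from the request body


def parse_line(line: str) -> Optional[Event]:
    """Parse one constructed line: ISO-timestamp<TAB>ip<TAB>path<TAB>ua<TAB>target."""
    parts = line.rstrip("\n").split("\t")
    if len(parts) != 5:
        return None
    ts, ip, path, ua, target = parts
    if path not in ENUMERATION_PATHS:
        return None             # unrelated traffic is not counted
    return Event(datetime.fromisoformat(ts).timestamp(), ip, path, ua, target)


def detect(lines: Iterable[str],
           group_key: Callable[[Event], Hashable] = lambda e: e.src_ip,
           window_s: float = WINDOW_S) -> dict:
    """Sliding-window counts per group. Returns {group: set(reasons)}.

    The default key is the source address alone. Passing a key that also includes
    user_agent or path shows how fingerprint rotation defeats narrower grouping.
    """
    groups: dict = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev is not None:
            groups[group_key(ev)].append(ev)

    alerts: dict = {}
    for key, events in groups.items():
        events.sort(key=lambda e: e.ts)
        start = 0
        for end, ev in enumerate(events):
            while ev.ts - events[start].ts > window_s:
                start += 1      # drop events that fell out of the window
            window = events[start:end + 1]
            reasons = set()
            if len({e.target for e in window}) >= TARGETS_THRESHOLD:
                reasons.add("many-distinct-targets")
            if len({e.user_agent for e in window}) >= UA_THRESHOLD:
                reasons.add("user-agent-rotation")
            if reasons:
                alerts.setdefault(key, set()).update(reasons)
    return alerts


def sample_log() -> list:
    """Constructed log: one checker cycling 4 endpoints and 8 UAs, plus one real user."""
    base = datetime(2025, 5, 20, 10, 0, 0, tzinfo=timezone.utc)
    paths = sorted(ENUMERATION_PATHS)[:4]
    uas = [f"Instagram 3{n}0.0 Android (28/9; 420dpi; device{n})" for n in range(8)]
    lines = []
    for i in range(30):         # 30 distinct targets in 45 seconds from one address
        ts = (base + timedelta(seconds=1.5 * i)).isoformat()
        lines.append(f"{ts}\t203.0.113.7\t{paths[i % 4]}\t{uas[i % 8]}\tt{i:02d}")
    for i, sec in enumerate((5, 40)):   # a person resetting two of their own accounts
        ts = (base + timedelta(seconds=sec)).isoformat()
        lines.append(f"{ts}\t198.51.100.4\t{paths[1]}\tInstagram 340.0 Android\tuser{i}")
    return lines


if __name__ == "__main__":
    print(detect(sample_log()))
    print(detect(sample_log(), group_key=lambda e: (e.src_ip, e.user_agent, e.path)))
```

Run as written, the source-only grouping flags 203.0.113.7 for both distinct-target volume and user-agent rotation, while the same traffic grouped by (ip, user-agent, path), which is what a per-endpoint rate limiter effectively does, produces no alert at all: each of the eight fingerprint/endpoint combinations sees only three or four requests.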

Developers who consume PyPI packages are urged to adopt dependency scanning (such as the tooling Socket provides) to identify malicious code before it reaches build or installation processes.

On a broader scale, social media platforms must continually audit and harden API endpoints, enforce stricter rate limiting, and further obfuscate account verification logic to disrupt automated checker tools.

Indicators of Compromise (IOC)

IOC Type                        | Indicator                                                                        | Notes
--------------------------------|----------------------------------------------------------------------------------|-----------------------
Infrastructure Endpoint         | hxxps://i.instagram.com/api/v1/bloks/apps/com.bloks.www.caa.ar.search.async/     | Instagram internal API
Infrastructure Endpoint         | hxxps://api2-19-h2.musical.ly/aweme/v1/passport/find-password-via-email/         | TikTok internal API
Malicious PyPI Package          | checker-SaGaF                                                                    | Supply chain malware
Malicious PyPI Package          | steinlurks                                                                       | Supply chain malware
Malicious PyPI Package          | sinnercore                                                                       | Supply chain malware
Threat Actor PyPI Username      | sinpy                                                                            | PyPI account
Threat Actor PyPI Username      | stein_sharma                                                                     | PyPI account
Threat Actor PyPI Username      | SaGaF                                                                            | PyPI account
Threat Actor Registration Email | sinnermurphy@hi2[.]in                                                            | Threat actor contact
Threat Actor Registration Email | dxa00776@gmail[.]com                                                             | Threat actor contact

Mandvi is a Security Reporter covering data breaches, malware, cyberattacks, data leaks, and more at Cyber Press.