— July 9, 2019
As more people than ever taken advantage of online platforms for financial gain, so the opportunities to hack the system increase. Instagram is no different, and every day we see more reports of Instagram accounts being hacked.
News media stories in recent times have been telling. “Instagram Hacked – Bitcoin Ransom Demanded,” yell the headlines as more people fall victim to the scam.
Yet the platform has been slow to address the issue or help those who have been affected, and Instagram customer service has been roundly criticised along the way.
How does Instagram tell you to recover hacked accounts?
Instagram’s advice for when you find your account is hacked. You may have already done a number of these steps though!
- Check your email account for a message from Instagram
Often changes such as someone changing the email address for the account can be ‘reverted’ from this email by clicking ‘revert this change’.
- Get a security code sent to your email address or phone number
Click ‘My login info isn’t working’ on the login screen, then Instagram will ask you to send a security code via SMS or email. Enter the code and recover the account.
- Report the account then provide identity verification documents
Follow the same steps above (forgot password/help signing in -> my login info isn’t working’), and include an email address only you have access to.
Instagram will then reach out automatically to that address asking for identify verification. It will commonly ask for a photo of you holding a piece of paper with a code they provide (this is to cross-check with the selfies or other photos on the account), and the email address/phone number and device type that you used to sign up.
For businesses, different information may be requested. Of course, you should make sure you send an email from an official company address if you can – this is much better than a shared Gmail account or similar.
Here is the information published by Instagram themselves about hacked accounts that we summarised above.
How are Instagram Accounts Typically Hacked?
Even though hackers have stolen some high-profile accounts, they are increasingly focused on the “bread-and-butter” users and smaller business accounts. They are going after those who may rely on their Instagram presence for their income and who may have a not insignificant following.
The hacking demands may be relatively small in terms of the online ransom world, and many people choose to pay up, rather than risk losing access to their follower list and potential cash cow. Users are even more inclined to pay the ransom and regain access to their accounts due to a lack of response from the platform itself.
The hackers are particularly interested in any account based on a single word or first name handle. These can be traded in underground forums for many thousands of dollars.
The Process: Weak passwords
At a very basic level, accounts can be compromised by a hacker guessing the password.
This might be as simple as just guessing what the password might be based on the brand (Nike hopefully doesn’t have the password ‘nike123’!), or it might involve trying a password that has been breached on a different service.
This is why it is very important to use a unique password for each login. Password managers help with ‘remembering’ them, but given the frequency of password breaches, it is really important not to re-use the same password.
You can check if your email address has appeared in any hacked account breaches using a tool like Have I Been Pwned, a service run by Australian security researcher and Microsoft ‘MVP’ Troy Hunt.
If you are sharing logins between team members, it’s important to still use complex passwords (many password managers have sharing functions!).
The Process: Phishing
The approach is quite sophisticated, and the hackers take time to establish their fake credentials before they pounce.
They begin by posing as a representative of a high-profile company operating in the same line of business as the target user. After an introduction and the offer of a potential partnership deal or similar, they will ask the victim to follow a particular link.
Unfortunately, the link is a trap, and the user will land on a page that looks like a real Instagram login portal. When the victim tries to log back into their account, their details will be sent to the hacker, and the victim’s credentials will be compromised.
This is called “phishing” – make sure that when you click a link in an email like that and you are sent to a login page that it is the right domain (for Instagram, it should show www.instagram.com!).
Armed with this data, the hackers log in, change the email address, phone number, and password, and the scam is underway. Typically, they will contact the victim and demand a ransom which, on average, may only be a couple of hundred dollars, but it has to be paid in Bitcoin.
Unfortunately, the story may not end well even if payment is made, as the bad guys have been known to delete the account anyway.
How Instagram responds
Instagram has been aware of this trend for some time. Initially, they would confirm that they were aware of the information through an automated response and would continue to send generic or unhelpful mail in answer to any follow-up.
They have been more attentive as the problem continues to grow, however, and are now beginning to suggest a more stringent account security setup.
The new approach is based on two-factor authentication through an app that can be downloaded to the user’s smartphone.
This gets around the additional problem of SIM hijacking, where a hacker can infiltrate a user’s phone number and, consequently, intercept any confirmation text code.
It’s not clear whether Instagram will continue to offer the user (or potential hacker) the option to request a text message instead, as two-factor authorisations based on a mobile phone are standard techniques in the industry.
Taking a selfie for Instagram
In answer to this type of threat, Instagram seems to have another answer. They may ask the victim to send in proof of identity together with a specific code.
The platform will send them a code, and the user is then asked to return a selfie where they must hold a white piece of paper (with both hands visible) bearing the code.
Instagram staffers will then check the selfie against images contained within the account to determine if they are one and the same.
If the selfie matches the proper account owner and the code confirms, then Instagram can reunite.
As we mentioned above, this can be less helpful for brands, who often don’t have images of themselves all over their account!
Third Party “Good Guys”
Instagram has attracted a lot of criticism so far, and many hackers have found it necessary to reach out to third party “good guy” hackers for help.
These individuals will use their own techniques to infiltrate the original hacker and gain back control of the account. Some users find it more convenient to go down this route, even though the legality is quite questionable (!!) and of course, scams also exist for this as well.
It’s probably not the best technique unless you are incredibly desperate, and even then – operate with a lot of care.
How to Contact Instagram Support
Instagram is, of course, a massive platform with more than 500 million active daily users and Instagram customer service is very difficult to access.
How to contact Instagram? It may be better for business accounts to reach out to the customer service representative through their Facebook ads manager instead.
After all, one is owned by the other, and you can set up Instagram ads in your Facebook ads manager account. This may be well worth considering if you have fallen victim to a hack.
You can contact Instagram via Facebook Advertising Support. Different users will have different contact options available (commonly tiered based on how much money you spend on advertising).
Unfortunately for individuals, there isn’t a dedicated support mechanism available that is equivalent.
Looking to the Future, And Avoiding Getting Hacked (Again)
Some victims have been forced to recreate their social media presence from scratch and restart the process of gathering their followers.
Will the measures introduced by Instagram help to protect them as much as possible going forward?
Those who have fallen victim to the bogus investment scam will surely be well aware going forward, but what method will the hackers use next time? Time will tell if Instagram gets ahead of the problem and becomes more proactive in response to these threats, as the size of the platform continues to grow.
If you’ve regained control of your account (or you have signed up for a new one), here are our top tips to keep safe:
1. Use a secure, un-guessable, unique password, and change it regularly
Don’t pick a password that is easy to guess, and don’t re-use passwords that you use for other sites or services. This is a really easy way for anyone (with no real ‘skill’) to take control of your accounts, whether Instagram or otherwise.
It’s also worthwhile changing it regularly (say every few months, not necessarily every week!).
2. Turn on two factor authentication
Instagram offers two factor authentication through two methods, SMS and via an app like Google Authenticator.
If multiple people are signing into the account, you will want to use the app based mechanism.
While SMS-based two factor login may be a bit more convenient, keep in mind it is potentially open to SIM swapping hacks (more common than you’d think!), so app-based two factor is your more secure choice.
3. Revoke access to third party apps you don’t use
That random ‘free Instagram audit’ tool you once used but wasn’t very good – once you’re done with it, time to say “thank you, next”!
4. Be careful of other hacking vectors, particularly email
These days our email accounts are pretty much the keys to our kingdom.
Unless you have two factor authentication enabled, if someone has access to your email inbox, they can reset passwords without anything else!
Be particularly careful with email inboxes you have (even the weird ones you rarely check), and make sure you maintain good password hygiene (see point 1) for these as well.
We hope our tips help, and you can recover your Instagram account ASAP!