Instagram account hacked PART II – how I recovered it

As you all know, my Instagram account was hacked between May 18th and May 23rd. It was a very violating experience, with the hackers aggressively harassing people including members of my family. Since I recovered the account, I pledged I’d write some tips on how I did it, as well as a brief intro on how I got hacked, and what you can do to protect yourself. I have to say that while the process was in the end quite straightforward, Meta Help Center is an oxymoron in and of itself so hopefully this guide provides greater insight.

How my account was hacked

I first received a message analogous to this one. While it seemed a bit odd, it was from a person I talked to regularly so it didn’t really register. Yes, I would have liked an “hello”, but well…I was happy to help. I was also a bit distracted so didn’t really clock the link as suspicious.

Nothing would have come of it if I didn’t decide to open the link on my browser, where I am not normally logged in. What happens in these cases is you are basically logging in for the hackers (on a virtual machine I am assuming), giving them all your credentials. No matter the fact I had 2-factor authentication (2FA) set up, they were in in less than 10 minutes. The lesson here is that if somebody sends you a link to a page where your password is needed, assume it is nefarious.

This is a classic example of phishing, a “type of social engineering where an attacker sends a fraudulent message designed to trick a person into revealing sensitive information to the attacker or to deploy malicious software on the victim’s infrastructure like ransomware”. If you are a victim of such scams, you don’t need to feel bad as it preys on human nature.

I went back in the thousands of messages and found 4 hacked accounts, and 4 more I suspected were hacked. I tried to mimic the message style to investigate further and have succeeded in clearing one so far. Additionally, 2 more people had recovered their accounts as well.

Filing a claim with Instagram

If your account is hacked, there is no need to panic…or rather, there is because it’s a great violation of your privacy. To regain access, this is what I did.

First, go to the log in page. In this page, skip entering any of your log in items and instead click ”Forgot my password”.

After that, you will now have to enter 2 codes. The first code is delivered to whatever email and/or phone number was registered to the account previously. Select an option as below and press Next.

The second code is where you have to pay attention, as the default would be to use the aforementioned ”backup codes”, which you don’t have, since the hackers changed them. In this case, select ”Try another way” and then select “Get support”.

In the next screen you select ”My account has been hacked” and the input a secure email address. I recommend using a different email address to the one linked to your account, just in case.

At this point you will receive yet another code, and will be asked if your instagram has photos of you. If that is the case, that you will submit a video selfie. Follow the instructions and submit. You will get an automated email saying they have received your claim and that’s it for now.

Reclaiming your account

I submitted my claim as above 9 times (I do nothing small, what can I say) and it took me 5 days to hear back, then got all of them approved at once. There is no rhyme or reason or logic for that matter when it comes to how they approve these requests. I was hacked close to the weekend, other people who were hacked on Sunday had access by Monday, I my guess is whoever is supervising this process what unavailable before this week.

When I say ”approved” I mean you will get an email with a password reset link. Now comes the tricky part, and time is of the outmost essence here, as the hacker will know you are logging in and will try to gain back control.

First you need to change your password and phone number. Then work fast to reset 2FA and generate new back up codes in Settings > Security. Also I would recommend setting up log in notifications so if the hackers try to log in again you will be notified, as below.

Also remove any devices associated with the account in Settings > Security > 2-factor Authentication > Trusted Devices as well as connected apps, if any.

If none of this works in a reasonable span of time – let’s say, a week – OR if you don’t have the options above, you can fill this form here.

If you account has been deactivated by the hackers, you can fill this form here.

Another thing I think helped is having everyone you know report the account for impersonation or intellectual property theft (the latter seemed to have yielded better results empirically). Also contacting Instagram directly by way of bashing it on its own platform is sure to gain some traction.

What you can so to be more safe

After this entire ordeal, I spoke with several cybersecurity professionals on how to keep us safe online. Here I am providing a short summary of the advice they gave me from easy to advanced. I also want to point out, as one of these professionals told me, that internet security is always fraught with complexity: ”it’s a balance between usability/low friction experiences and user security. Hackers are really sophisticated, and they have an arsenal of tools at hand”.

Having said that, there are ways you can be safer online:

• Be vigilant (this goes without saying) especially if interactions seem out of character
• Don’t open links
• Read the Instagram “guide” on phishing here.
• Ig you have another account, save some of your posts in case the hackers change your handle and make it impossible for you to locate it.
• Change passwords regularly and do not reuse passwords
• Always use 2FA
• if you get a weird message from someone, find a secondary way of contacting them, or check in with someone else who knows them
• don’t enter your password in websites you are not sure about
• don’t open links sent by message
• check the URL of the website you’re entering your password for domains and subdomains
• Use a password manager such as 1Password, LastPass, and Bitwarden
• Log out when not using an account
• Use browser extensions/add-ons which disable JavaScript (caveat: uncomfortable because on every page you explicitly need to tell the extensions which domains you allow Javascript from, but it’s useful to protect against script injection from third parties)
• Check your browsers extensions/add-ons mentioned above because those too can be hacked and be wary of browsers extensions/add-ons that request access to other browser pages

Some useful resources

• IDCare – NGO that helps if you have been experienced identity theft
• Scamwatch – report online crime to be investigated. It’s also useful for current cyber activities and what to look out for especially during heighten awareness times such as major holidays or events
• See how long it takes for an hacker to crack your password here.
• This Reddit thread is all about hacked Instagrams and what people did to recover their accounts

Feel free to reach out if you have additional tips.

Cheers

E