When tech magazine founder Bashir Osman’s Instagram account was breached, he decided to hack the attacker. He sent a password reset phishing email to encourage his attacker to click a link and enter their new credentials. And it worked. Within 15 minutes, Osman had recovered his Instagram account and locked the attacker out. “It was one hell of an experience, and it shows even people in the industry can fall short of best practices,” he says.
It was a mistake anyone could have made. Osman’s Instagram business profile had been set up in 2014 and he didn’t renew the domain name and email address associated with his account when it ran out. He regularly logged in with his user name and didn’t get around to setting up two-factor authentication.
The attackers were organised, taking advantage of the fact Osman no longer had access to the domain name and email address linked to his Instagram account. “I opened up GoDaddy to try and buy the domain name again, and to my surprise it had been purchased less than an hour before I got logged out. I realised someone had bought the domain, re-created the email account I had publicly visible on my Instagram, and used a simple password reset via email to kick me out.”
Instagram hacks like this can be devastating, especially for the businesses and influencers who rely on the social network for revenue. “When your account is taken over, there is no going back – most content creators have to start again and it can take years to build up,” says Lotanna Ezeike, founder and CEO of XPO, a fintech platform for social media influencers.
Making things worse, contacting Instagram, which is owned by tech giant Facebook, can be difficult and complicated after you’ve been breached. But it goes without saying that if your Instagram is hacked, don’t post about it on social media, or try to hack it back. You’ll only attract bots and scammers which will ultimately make the problem worse.
Here’s what to do if your Instagram account is hacked, and how to prevent being breached in the first place.
Why hackers target Instagram accounts
A billion people use Instagram every month, and those with large follower counts are at greater risk of being targeted. Once they have taken control of your account, attackers will often use it to sell scam products, or distribute malware and steal credentials via phishing pages.
“The most targeted accounts include those that generate a lot of income from brand partnerships, as this is the quickest way for a hacker to benefit,” says @andreacdasilva_, an Instagram influencer. These include Instagram profiles with a large following and verified accounts as well as micro-influencers with a high engagement rate.
Malicious actors often look to compromise influencers by posing as technical support accounts, as one scam revealed by security researchers at Trend Micro shows. In order to lure their victims, criminals claim the account owner has committed a copyright violation, or in some cases adversaries will simply offer to provide a verified badge.
Criminal hackers will then encourage people to enter information via a link that leads to a phishing site. When someone enters their password, criminals can take over their Instagram account, sometimes holding it to ransom in exchange for a Bitcoin payment.
How to tell your Instagram account has been hacked
The first sign your Instagram has been hacked is often strange activity such as spam appearing on your feed, or suspicious links sent to your followers via your DMs. “If you're lucky, you will receive an email from Instagram reporting suspicious activity on your account,” says Drew Benvie, CEO of communications agency Battenhall.
If at this stage you can still access your Instagram, it’s important to act quickly. “If hackers haven’t changed your password and you still have access, get in and change it ASAP to something complex and unique,” says David Emm, principal security researcher at cybersecurity company Kaspersky.
If someone has breached your account and changed details such as your email address and phone number, you will need to work through the prescribed method via the Instagram Help Page. Here you will be asked to answer a few questions such as what alerted you to the compromise, and Instagram will offer you a login link or code to your email or phone – which of course will not work if hackers have changed the contact details associated with your account. You can also request support from Instagram via the app on your iPhone or Google Android device.
In order to recover your account, Instagram might want you to provide the email address, phone number and device you signed up with and will ask for a selfie video to help confirm your identity.
How to prevent your Instagram account being hacked
It’s not always easy to get your account back, but there are a number of steps you can take to prevent your Instagram being hacked in the first place. Password security is a good place to start: always ensure passwords are long and complex and enable two-factor or multi-factor authentication.
It’s difficult to brute force attack Instagram accounts – where criminals try multiple password combinations until the right one is found – as the interface will block after 10 to 20 attempts, says Daniel Card, a cybersecurity consultant. “Realistically, attackers need to phish and get someone to give up their password.”
For this reason, if you receive an email that looks suspicious, separately open up Instagram on your browser to check if anything is amiss. This will help you avoid clicking on malicious links.
In addition, you can avoid becoming a victim of credential stuffing attacks, where criminals try hacked credentials across multiple sites, by not re-using passwords. Using a password manager takes the weight out of this process, says Emm, and using two-factor authentication through authenticator apps or security keys is “essential”.
It’s also a good idea to regularly check your login activity under Settings, Security, Login Activity. Meanwhile, you can download your full activity history from Settings, Security, Access Data, Download Data.
“Logins and activity that you don’t recognise suggest you’ve been hacked,” says Sam Kirkman, a senior security consultant at security firm SureCloud.
To improve your security on Instagram and help stop cyber-criminals from using social engineering techniques against you, it’s worth locking down your Instagram privacy settings too. “Look at which apps and websites are connected to your account and adjust privacy settings governing who can see your posts,” Emm advises.
Because the stakes can be so high for the many businesses and influencers on Instagram, your foundational security also needs to be up to scratch. Keep your devices updated and don’t install software or apps from anywhere apart from the official app stores, Kirkman says. “This will reduce the risk of your devices getting hacked, which could be used to compromise your accounts.”
This article was originally published by WIRED UK