Protecting your personal Instagram account

Embarrassment, confusion, anger, upset, anxiety, defeat, anguish, hopelessness. These are just a few of the emotions that had been present. (editor’s note – Isaac was kind enough to share this story so others can learn and see what can happen, and how to solve it).

On a restful Saturday afternoon, a friend woke me up from a nap and uttered the biting words I had never expected to hear: “Dude, your Instagram was hacked.”

On the evening of May 7th, 2022 I lost access to my Instagram account.

Constantly throughout each day, I got text after text: “Hey, I didn’t know you were into crypto?”, “I think you got hacked”, “Nice Bentley lol”, and “I’m sure you know your Instagram was hacked?” to name a few.

After 5 LONG days, I got my account back on Wednesday, May 11th.

Once I was able to log back into my account, I found the hacker had direct messaged several hundred of my personal and professional contacts on Instagram, attempting to lure them into the same scam that got me.

I spent hours poring through all the messages trying to determine the extent of the damage. Luckily I was able to get back into my account and stop the hack before the handful of my friends that were on their way to falling for the same scheme had been fully “gotten”.

Instagram hacks like this one are spreading like wildfire and people have lost millions of dollars thinking their friends are someone they are not.

What I want to detail in this post is exactly how I got hacked and how to prevent this from happening to you, your friends, colleagues, and loved ones. Then, if you are currently hacked, I’ll also show you what steps you can take to get access to your account again and minimize the damage.

The Hack

I had just gotten back from a beautiful day outside when I lay down on my couch and opened up my Instagram. I opened up my DMs (direct messages) to find a message from an old friend I hadn’t heard from in a while. Intrigued, I opened and read his message.

“Hello I’m contesting for an ambassadorship spot at an online influencers program can you please vote for me?”

My friend didn’t seem like the “influencer” kind of person but I figured a simple vote would help him out.

After I agreed, he said:

“I’ll send you your entry link a you have to do is send me a screenshot and I’ll send it to my influencer don’t click on it just screenshot it and send that’s all”

“I just sent the link now to you screenshot and send to me don’t click on it”

“It was sent via text message”

It seemed strange to me that he would need a screenshot for me to vote for him for an influencer contest, but my tired and trusting state got the best of me, and after I received a text message from a 6-digit number, I screenshotted the message and sent it, not thinking twice.

Once I sent that screenshot it was all over.

He was able to log me out of my account, change my email and phone number, and just like that, I was locked out of my own account.

Shortly after, my friend called me to notify me my account was hacked. How did he know? He sent me these screenshots of stories about investing in crypto that had just been posted on my account:

My heart dropped. “This can’t be happening,” I thought. The hacker used my own picture on their phone background to try and convince people they were legit?

Then I was informed of a new post on my account about a Bentley I just received “thanks to Bitcoin mining” (see above). Oy vey.

Once I knew I was hacked, I quickly mobilized to get my account back following this help page on Instagram. After checking my email, I tried securing the account from the new login email notification. I got an error message. I tried to revert the email address change, but I got an error message again. I tried reverting the phone number change, but I was directed to the “I think My Instagram Has Been Hacked” help page. I tried to submit a selfie video, but it got denied three times. Nothing was working. I was locked out, and the world was closing in on me.

Next, I contacted my friend via text message who had “hacked” my account. It turns out he was hacked too and had been locked out of his account for over a week and he had tried everything.

These stories and the Bentley post stayed up for about 2 days, during which the hacker did not initiate any messages but did message anyone who responded to the stories, trying to get them to “message his mentor” and invest in crypto via their advice.

Phase 2

On Monday morning I received a golden ticket. I found out a friend of mine is an engineer at Meta and quickly got in contact with him. I told him the situation and he offered to “file an internal task”. I gave him my account name, the time it was hacked, my current email, and a new email for the account.

He filed the task and told me it was “in the queue”. I was relieved momentarily until I got a notification that the email for my account had been changed again. Shortly after, on Monday morning, I started to get a slew of text messages from my friends and family telling me they were contacted by my IG account about an “influencer contest” and they were asking me if I was hacked. The (new?) hacker was now contacting as many of my IG contacts as possible trying to hack them the same way they got me. I responded to all my texts explaining I had been hacked and to not respond to the hacker in any way. They just kept coming.

Light at the End of the Tunnel

This went on for two days. I contacted as many people as I could (friends, family members, coworkers, anyone) to try and warn them about what was coming. My hope was that each person I notified was spared my pain and anguish. Finally, on Wednesday morning, I got the most glorious email on the new email account I had given my friend at Meta.

“We detected some suspicious activity that suggests your Instagram account may have been compromised…”

I was able to reset my password and just like that, I was back.

The Aftermath

After realizing the extent of the damage the hacker caused and the number of people they messaged through my account (about 500), I knew I needed to minimize the damage as much as possible and reached out to everyone that had responded to the hacker. Luckily, it seems as if only one person was at risk of being hacked, but due to him having 2FA (2 Factor Authentication) turned on, he was spared.

Piecing it all together: What Happened?

How did the hacker break into my account and lock me out with a simple screenshot? This is how they did it:

  1. After I agreed to vote for what I thought was my friend in a contest, the hacker went to log in to Instagram with my username. They chose the “forgot password” option on the login screen and then sent a login link to my phone.
  2. When I received what I thought was a text message from my friend, it was actually Instagram sending a login link because it thought I forgot my password. The hacker deliberately told me NOT to click on the link because if I had, it would have prompted me to change my password and expired the link for the hacker.
  3. I sent the hacker the screenshot of the message that showed the log-in link to my account.
  4. The hacker most likely typed the link into a browser, got access to my account, and then promptly changed my email address and phone number, locking me out of the account.

Where Did I Go Wrong?

Hacks like these are tough because I believed my friend was who he said he was. Regardless, I did not have 2FA set up on my account, which would have saved me big time. 2FA adds a layer of security so that even if someone tries to access my account via the “forgot password” option at login, and they get the link to access the account from a screenshot, they would also need a 6-digit code from my phone. I’ve since enabled 2FA through a third-party app so that now when I log in, I must type in a code that’s generated by that app. I can’t expect myself to “not trust anyone” now, but I can be more responsible and enable protection on my accounts.
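The login-link takeover and the 2FA check described above, as an added toy model (not code from the original post and not Instagram's implementation). The service, URL, account name and secret are constructed for illustration; the code generator follows RFC 6238, the scheme authenticator apps use.

```python
import base64, hashlib, hmac, secrets, struct, time

def totp(secret_b32, at=None, step=30, digits=6):
    """RFC 6238 code (HMAC-SHA1), as shown by an authenticator app."""
    counter = int((time.time() if at is None else at) // step)
    mac = hmac.new(base64.b32decode(secret_b32),
                   struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

class ToyAccountService:
    """Hypothetical service used only for this illustration."""
    def __init__(self):
        self.totp_secrets = {}  # username -> base32 secret, or None if 2FA is off
        self.login_links = {}   # one-time token -> username

    def register(self, username, totp_secret=None):
        self.totp_secrets[username] = totp_secret

    def send_login_link(self, username):
        # "Forgot password": anyone who knows the username can trigger this.
        # The link is delivered by SMS to the owner's phone, not to the requester.
        token = secrets.token_urlsafe(16)
        self.login_links[token] = username
        return "https://service.example/login/" + token

    def redeem(self, link, code=None, now=None):
        # The link is a bearer credential: whoever presents it is treated as the owner.
        username = self.login_links.pop(link.rsplit("/", 1)[-1], None)  # single use
        if username is None:
            return None
        secret = self.totp_secrets[username]
        if secret and not (code and hmac.compare_digest(code, totp(secret, now))):
            return None  # link alone is not enough when 2FA is on
        return username  # session granted

DEMO_SECRET = base64.b32encode(b"constructed-demo-key").decode()  # constructed value

def screenshot_takeover(two_factor_on):
    """Replays the post's scenario: the link leaks via screenshot, the phone does not."""
    svc = ToyAccountService()
    svc.register("victim_demo", DEMO_SECRET if two_factor_on else None)
    leaked_link = svc.send_login_link("victim_demo")  # owner screenshots this SMS
    return svc.redeem(leaked_link)  # presented by someone without the authenticator

if __name__ == "__main__":
    print("2FA off:", screenshot_takeover(False))  # victim_demo
    print("2FA on: ", screenshot_takeover(True))   # None
```

The app-generated code never appears in the SMS, so a screenshot of the message cannot leak it; a code sent by text message to the same phone would not have that property.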

Once a hacker has access to an account, they can pose as a friend or family member to hundreds or thousands of people. By simply asking for a screenshot, the damage can spread through many networks of people. That’s the reason this type of phishing is so challenging for big social media companies to guard against if the account holder doesn’t have 2FA enabled.

Why Would Someone Hack My Account?

The short answer is money. Recently, the Instagram account for the NFT group, Bored Ape Yacht Club, was hacked. A hacker with access to the Instagram account was able to steal millions of dollars by simply direct messaging folks and asking them to transfer NFTs to their wallet. In my case, several friends had been in talks with the hacker about “messaging my mentor about crypto investing”. Additionally, once hackers have access to your personal account they can ask for all kinds of information from your contacts. You are much more willing to hand over data when it’s someone you trust.

How to Protect Your Accounts

The best way to protect yourself and your account is Two Factor Authentication. Follow Instagram’s guide on setting up 2FA here. You can use your phone number to send a text message with a code or you can use a third-party app to generate the code. Instagram and I both recommend using a third-party app to generate the code. You can find more detailed instructions on setting up 2FA with a third-party app like Google Authenticator or Duo Mobile here.

What to Do If You Are Hacked

Here is Instagram’s checklist. Please follow this first.

Here is my checklist to regain access to your account which is a combination of Instagram’s with some extra advice:

  1. Take a deep breath.
  2. Check your email for any mail from security@mail.instagram.com
  3. You should have gotten 2-3 emails about 1) a new login to your account and 2) your email and/or phone number for the account having been changed. With all of these emails, you will have an option to revert the change and log back into your account. The sooner you do this the better.
  4. If step 3 did not work and you are still locked out of your account, you have the option to submit a selfie video to verify your identity. The video will not be posted publicly anywhere and is just for Instagram’s internal algorithm to verify you are you based on the photos on your profile. The selfie video will only work if you have pictures of yourself on your profile. It’s important to submit a video of yourself looking as close to how you do in the pictures on your Instagram account as possible. The below video will show you how to submit a selfie video if you need some extra help. Once you submit the selfie video, Instagram will let you know within about 10 minutes if they’ve rejected your video. If you get rejected more than ~5 times and you continually tried different lighting, hair, and outfits that resemble how you look in your profile, it’s time for the next step.
  5. Report an Impersonation Account on Instagram. Use this link to report your Instagram account via the option “I can’t log in to my old account”. You can also ask your parents or family to be a “representative” of you and submit the form through their account.
  6. Contact their support team and explain the issue. You will need 1) your username 2) your current email 3) a new email to move the account to and log in from.
  7. Wait.

The Wait

What should you do while you’re waiting to get back into your account?

  1. Change the passwords for both your email and Facebook accounts associated with your Instagram.
  2. Secure your Facebook and Email accounts with 2FA.
  3. Call, text, and email anyone and everyone who is important to you and warn them you have been hacked. Ask them to report your profile via the “It’s pretending to be someone else” option on Instagram. Save them the trouble and stop the hack in its tracks before it spreads through their networks and beyond.
  4. Get a password manager if you don’t already have one.

Takeaways

Based on my personal experience and research, hacks like this one have been affecting many folks. In the process of this episode, numerous friends reached out saying they had seen the same message from other friends whose accounts had been hacked. A quick search on Google Trends shows a sharp incline in 2022 of the search “hacked Instagram account”.

This attack spreads like an insidious fire. If your Instagram is hacked, the majority of your contacts are messaged and targeted in a matter of days. Chances are, several of your contacts will believe it’s really you and unknowingly hand the hacker access to their account. This cycle continues and the hack spreads.

Be proactive, secure your accounts, stay vigilant and share this post with anyone who may need help.

