Embarrassment, confusion, anger, upset, anxiety, defeat, anguish, hopelessness. These are just a few of the emotions I felt over those five days. (Editor's note: Isaac was kind enough to share this story so others can learn what can happen, and how to recover from it.)
On a restful Saturday afternoon, a friend woke me up from a nap and uttered the biting words I had never expected to hear: “Dude, your Instagram was hacked.”
On the evening of May 7th, 2022 I lost access to my Instagram account.
Throughout each day the texts kept coming: "Hey, I didn't know you were into crypto?", "I think you got hacked", "Nice Bentley lol", and "I'm sure you know your Instagram was hacked?", to name a few.
After 5 LONG days, I got my account back on Wednesday, May 11th.
Once I was able to log back into my account, I found that the hacker had direct messaged several hundred of my personal and professional contacts on Instagram, trying to lure them into the same scam that got me.
I spent hours poring through all the messages to determine the extent of the damage. Luckily I got back in and stopped the hack before the handful of friends who were on their way to falling for the same scheme had been fully taken in.
Instagram hacks like this one are spreading like wildfire and people have lost millions of dollars thinking their friends are someone they are not.
What I want to detail in this post is exactly how I got hacked and how to prevent this from happening to you, your friends, colleagues, and loved ones. Then, if you are currently hacked, I’ll also show you what steps you can take to get access to your account again and minimize the damage.
I had just gotten back from a beautiful day outside when I lay down on my couch and opened Instagram. In my DMs (direct messages) was a message from an old friend I hadn't heard from in a while. Intrigued, I opened and read it.
“Hello I’m contesting for an ambassadorship spot at an online influencers program can you please vote for me?”
My friend didn’t seem like the “influencer” kind of person but I figured a simple vote would help him out.
After I agreed, he said:
“I’ll send you your entry link all you have to do is send me a screenshot and I’ll send it to my influencer don’t click on it just screenshot it and send that’s all”
“I just sent the link now to you screenshot and send to me don’t click on it”
“It was sent via text message”
It seemed strange to me that he would need a screenshot of anything for me to vote for him in an influencer contest, but my tired and trusting state got the best of me. After I received a text message from a 6-digit short code, I screenshotted it and sent it over without thinking twice.
Once I sent that screenshot it was all over.
He was able to log me out of my account, change my email and phone number, and just like that, I was locked out of my own account.
Shortly after, my friend called me to notify me my account was hacked. How did he know? He sent me these screenshots of stories about investing in crypto that had just been posted on my account:
My heart dropped. “This can’t be happening,” I thought. The hacker used my own picture on their phone background to try and convince people they were legit?
Then I was informed of a new post on my account about a Bentley I just received “thanks to Bitcoin mining” (see above). Oy vey.
Once I knew I was hacked, I quickly mobilized to get my account back following this help page on Instagram. After checking my email, I tried securing the account from the new login email notification. I got an error message. I tried to revert the email address change, but I got an error message again. I tried reverting the phone number change, but I was directed to the “I think My Instagram Has Been Hacked” help page. I tried to submit a selfie video, but it got denied three times. Nothing was working, I was locked out and the world was closing in on me.
Next, I texted the friend whose account had "hacked" mine. It turned out he had been hacked too: he had been locked out of his account for over a week and had tried everything.
These stories and the Bentley post stayed up for about 2 days. During that time the hacker did not initiate any messages, but did reply to anyone who responded to the stories, trying to get them to "message his mentor" and invest in crypto on that mentor's advice.
On Monday morning I received a golden ticket. I found out a friend of mine is an engineer at Meta and quickly got in contact with him. I told him the situation and he offered to “file an internal task”. I gave him my account name, the time it was hacked, my current email, and a new email for the account.
He filed the task and told me it was "in the queue". I was relieved momentarily, until I got a notification that the email for my account had been changed again. Shortly after, I started to get a slew of text messages from friends and family telling me they had been contacted by my IG account about an "influencer contest" and asking whether I had been hacked. The (new?) hacker was now contacting as many of my IG contacts as possible, trying to hack them the same way they got me. I responded to every text explaining that I had been hacked and that they should not respond to the hacker in any way. The messages just kept coming.
Light at the End of the Tunnel
This went on for two days. I contacted as many people as I could, friends, family members, coworkers anyone to try and warn them about what was coming. My hope was that each person I notified was spared my pain and anguish. Finally, on Wednesday morning, I got the most glorious email on the new email account I had given my friend at Meta.
“We detected some suspicious activity that suggests your Instagram account may have been compromised…”
I was able to reset my password and just like that, I was back.
After realizing the extent of the damage and the number of people the hacker had messaged through my account (about 500), I knew I needed to minimize the damage as much as possible, so I reached out to everyone who had responded to the hacker. Luckily it seems only one person was at real risk of being hacked, and because he had 2FA (two-factor authentication) turned on, he was spared.
Piecing it all together: What Happened?
How did the hacker break into my account and lock me out with a simple screenshot? This is how they did it:
- After I agreed to vote for what I thought was my friend, the hacker went to the Instagram login screen, entered my username, and chose the "forgot password" option. That sent a login link to my phone.
- The text message I thought was from my friend was actually Instagram sending me a login link because it believed I had forgotten my password. The hacker deliberately told me NOT to click the link: if I had, Instagram would have prompted me to change my password, and the link would have been used up before the hacker could use it.
- I sent the hacker a screenshot of the message, which showed the login link to my account in full.
- The hacker most likely typed the link from the screenshot into a browser, got access to my account, and promptly changed my email address and phone number, locking me out. The link itself is the credential: Instagram has no way to tell whether the person opening it is the owner of the phone it was sent to or someone reading it off a screenshot.
Where Did I go Wrong?
Hacks like these are tough because I believed my friend was who he said he was. Regardless, I did not have 2FA set up on my account, which would have saved me big time. 2FA adds a layer of security so that even if someone uses "forgot password" at login and gets the login link from a screenshot, they would also need the 6-digit code from my phone. I've since enabled 2FA through a third-party authenticator app, so when I log in I must also type in the code that app generates. I can't expect myself to "not trust anyone", but I can be more responsible and turn on the protections my accounts already offer.
Once a hacker has access to an account, they can pose as a friend or family member to hundreds or thousands of people. By simply asking for a screenshot, the damage can spread through many networks of people. That is why this type of phishing is so hard for big social media companies to guard against when the account holder doesn't have 2FA enabled: from the platform's side, the login looks exactly like the owner clicking their own link.
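To make the mechanism in "Piecing it all together" and the 2FA point above concrete, here is a small model of a "forgot password" login-link flow. It is an added illustration, not Instagram's code: the URL format, the 15-minute expiry, the single-use rule, the usernames, the constructed authenticator secret and the check that a wrong code burns the link are all assumptions. What it shows is that the token in the link is a bearer credential (whoever presents it is logged in), and that a TOTP second factor is the one thing a screenshot of the text message cannot hand over.

```python
"""Model of why a screenshot of a 'forgot password' login link is enough.

Added illustration, not Instagram's code: the URL format, the 15-minute
expiry, the single-use rule and the TOTP check are assumptions chosen to
show the mechanism the post describes.
"""
import base64
import hashlib
import hmac
import secrets
import struct
import time


def totp(secret_b32, at=None, step=30, digits=6):
    """RFC 6238 TOTP over HMAC-SHA1, the scheme authenticator apps implement."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    counter = int((time.time() if at is None else at) // step)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class LoginLinkService:
    """One-time login links. The token in the URL is a bearer credential:
    the server cannot tell the phone's owner from someone reading a screenshot."""

    def __init__(self, ttl_seconds=900):
        self.ttl = ttl_seconds
        self.users = {}     # username -> TOTP secret (None if 2FA is off)
        self.pending = {}   # token -> (username, expires_at)

    def register(self, username, totp_secret=None):
        self.users[username] = totp_secret

    def request_login_link(self, username, now):
        """'Forgot password' needs only the username; the link is delivered
        by SMS to the account's phone, not to whoever asked for it."""
        token = secrets.token_urlsafe(32)
        self.pending[token] = (username, now + self.ttl)
        return "https://example.test/login/" + token   # hypothetical URL

    def redeem(self, token, now, totp_code=None):
        """Presenting the token proves possession of the token and nothing else."""
        entry = self.pending.get(token)
        if entry is None:
            return {"status": "invalid"}            # unknown or already used
        username, expires_at = entry
        if now > expires_at:
            del self.pending[token]
            return {"status": "expired"}
        secret = self.users[username]
        if secret is None:                          # no 2FA: the link alone logs you in
            del self.pending[token]
            return {"status": "logged_in", "user": username}
        if totp_code is None:                       # prompt for the second factor
            return {"status": "second_factor_required", "user": username}
        del self.pending[token]                     # a wrong code burns the link
        if not hmac.compare_digest(totp_code, totp(secret, at=now)):
            return {"status": "invalid"}
        return {"status": "logged_in", "user": username}


VICTIM_SECRET = "JBSWY3DPEHPK3PXP"   # constructed authenticator secret (base32)


def run_attack(victim_has_2fa, now=1_652_000_000):
    """The scam from the post: attacker triggers the link, victim screenshots it."""
    svc = LoginLinkService()
    svc.register("isaac", VICTIM_SECRET if victim_has_2fa else None)
    link = svc.request_login_link("isaac", now)          # attacker knows only the username
    screenshot_text = "Tap to log in: " + link            # the SMS on the victim's phone
    stolen_token = screenshot_text.rsplit("/", 1)[1]     # attacker retypes the URL
    return svc.redeem(stolen_token, now + 60)["status"]  # attacker has no authenticator


def legitimate_login(now=1_652_000_000):
    """The account owner with 2FA: same link, plus the code from their own app."""
    svc = LoginLinkService()
    svc.register("isaac", VICTIM_SECRET)
    token = svc.request_login_link("isaac", now).rsplit("/", 1)[1]
    first = svc.redeem(token, now + 60)                   # prompted for the code
    code = totp(VICTIM_SECRET, at=now + 60)
    second = svc.redeem(token, now + 60, totp_code=code)
    return first["status"], second["status"]


if __name__ == "__main__":
    print("no 2FA, attacker redeems screenshot link:", run_attack(False))
    print("2FA on, attacker redeems screenshot link: ", run_attack(True))
    print("2FA on, owner with authenticator code:    ", legitimate_login())
```

Run as a script and the first line reports `logged_in` for the attacker, the second `second_factor_required`. The expiry and single-use rules in `redeem` limit how long a leaked link is useful, but they do nothing in the scenario above, where the hacker asked for the screenshot within a minute of triggering the link; only the second factor changes the outcome.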
Why Would Someone Hack My Account?
The short answer is money. Recently, the Instagram account for the NFT group, Bored Ape Yacht Club, was hacked. A hacker with access to the Instagram account was able to steal millions of dollars by simply direct messaging folks and asking them to transfer NFTs to their wallet. In my case, several friends had been in talks with the hacker about “messaging my mentor about crypto investing”. Additionally, once hackers have access to your personal account they can ask for all kinds of information from your contacts. You are much more willing to hand over data when it’s someone you trust.
How to Protect Your Accounts
The best way to protect yourself and your account is two-factor authentication. Follow Instagram's guide on setting up 2FA here. You can have the code sent to your phone number by text message, or you can use a third-party app to generate it. Instagram and I both recommend the app. A code that arrives by text message can be screenshotted and handed over exactly like the login link was; a code that only ever exists inside an authenticator app on your phone cannot be phished out of a text thread the same way. You can find more detailed instructions on setting up 2FA with a third-party app like Google Authenticator or Duo Mobile here.
What to do if you are Hacked.
Here is Instagram’s checklist. Please follow this first.
Here is my checklist to regain access to your account which is a combination of Instagram’s with some extra advice:
- Take a deep breath.
- Check your email for any mail from email@example.com
- You should have gotten 2-3 emails: 1) about a new login to your account, and 2) about your email and/or phone number for the account having been changed. Each of these emails has an option to revert the change and log back into your account. The sooner you do this the better.
- If step 3 did not work and you are still locked out of your account, you have the option to submit a selfie video to verify your identity. The video will not be posted publicly anywhere and is only used by Instagram's internal system to verify that you are you, based on the photos on your profile. The selfie video will only work if you have pictures of yourself on your profile. It's important to submit a video of yourself looking as close as possible to how you do in the pictures on your Instagram account. The video below shows how to submit a selfie video if you need some extra help. Once you submit the selfie video, Instagram will let you know within about 10 minutes if they've rejected it. If you get rejected more than ~5 times and you have tried different lighting, hair, and outfits that resemble how you look in your profile, it's time for the next step.
- Report an Impersonation Account on Instagram. Use this link to report your Instagram account via the option “I can’t log in to my old account”. You can also ask your parents or family to be a “representative” of you and submit the form through their account.
- Contact their support team and explain the issue. You will need 1) your username 2) your current email 3) a new email to move the account to and log in from.
What should you do while you’re waiting to get back into your account?
- Change the passwords for both your email and Facebook accounts associated with your Instagram.
- Secure your Facebook and Email accounts with 2FA.
- Call, text, and email anyone and everyone who is important to you and warn them you have been hacked. Ask them to report your profile via the “It’s pretending to be someone else” option on Instagram. Save them the trouble and stop the hack in its tracks before it spreads through their networks and beyond.
- Get a password manager if you don’t already have one.
Based on my personal experience and research, hacks like this one have been affecting many people. During this episode, numerous friends reached out saying they had seen the same message from other friends whose accounts had been hacked. A quick search on Google Trends shows a sharp rise in 2022 for the search "hacked Instagram account".
This attack spreads like an insidious fire. If your Instagram is hacked, the majority of your contacts are messaged and targeted within days. Chances are, several of them will believe it's really you and unknowingly hand over access to their own accounts. The cycle continues and the hack spreads.
Be proactive, secure your accounts, stay vigilant and share this post with anyone who may need help.