Being Hacked on Instagram
Being hacked on Instagram: this blog is the tale of a scam. Luckily, it has a happy ending. But losing all control of my Instagram account for a week was really quite unpleasant, so I thought that by writing this I might be able to pass on some tips about how I messed up in the first place, and how I finally managed to get it back. I’d hate for anyone else to go through a similar experience and feel as miserable and helpless as I did. Oh, just in case you want to check out the re-incarnated account, my username on Instagram is @Lizzie_harper_illustrator
My two errors: 1. Not putting 2 Factor Authentication onto my account
The first mistake I made was not putting what is known as “2 Factor authentication” onto my account. This basically means that if someone tries to log in to your account, they’ll need to enter a code before they can access anything. The code can be linked to an app, or to your mobile phone number. I didn’t have this in place, which is why the hacker got access to my account. Funnily enough, I do have 2 Factor authentication up and running now. On ALL my social media sites!
My two errors: 2. Clicking on a link sent in a Direct message (DM)
So this is the mistake I made. I got a DM. It told me to verify my account by clicking on a link (Don’t click on the link!). It took me to a page which looked ever so official, even showing accounts I recognised as “followers”. It prompted me to put in my login details (Don’t put your login details in!) It asked me to confirm my details with my phone number and email. (Don’t confirm your details with your phone number and email!) And the damage was done.
Realising I was hacked
It took some hours before I realised what had happened. When I came to post something in the evening (a lyre bird, to be precise), I was asked to log in.
I logged in with my password. Nope. I was asked to confirm my phone number, and I’d be sent a text. No text. The whole thing spiralled out of control very fast, with every back-up option proving useless. I could NOT access my account.
I noticed a message saying a phone I did not own had logged into my account from Manchester. I don’t live in Manchester. Uh-oh.
Then I got lots of messages about logging in. In Turkish. Bigger Uh-oh.
The Hacker says hello
I started to feel really worried, and was looking online for links to Instagram help desks. I also furrowed my brow, and wondered if that DM link I’d clicked on might have something to do with it.
Up pops a WhatsApp message from a number I didn’t recognize. Area code Las Vegas.
“Hello”, it says politely. “If you want your Instagram account back you must pay me”.
Stomach churns. The advice online says to keep the hacker chatting, even if you have no intention of paying them a penny.
After a little back and forth I got the message.
Unless I paid $150 in bitcoin to this stranger within 24hrs my account would be deleted.
What I did next
Next, I contacted my computer expert buddies to ask for help. Giles of Pixelshifters went above and beyond, trying to find a solution and repeatedly telling me to absolutely not pay any ransom.
I got the link to my Instagram taken off my website.
I put up posts on my Facebook and Twitter accounts and on the blurb on my website saying that my Instagram was not in my hands, and to ignore any messages anyone was sent that purported to come from me.
I also took lots of screen shots of my last 40 posts on Instagram, cutting and pasting all my written content, and taking photos of the list of 95 people I was following.
I contacted Action Fraud who made a report of this instance of “cyber crime”. Later, I was phoned by my local police to talk about it. It made for a depressing chat. He said instances of this sort of scam had sky-rocketed during Covid lockdown, and that they were inundated with reports of cybercrime. But in terms of catching the criminals? As soon as a hacker is out of UK jurisdiction, there’s not a lot the police can do. Coupled with which, most hackers hide their location. He emphasized that, in truth, the only action was to be proactive, and to be certain you protected yourself. In terms of reactive policing? Nothing really can be done. Although I assumed this to be the case, it was rather sobering to hear it from someone working in cyber crime.
I spent hours (literally hours) going in a hellish circle with the auto-bots on the Instagram help desk. I always got asked to enter some detail that the hacker had changed. This situation remained like this for a few miserable days.
Finding a Human at Instagram
I knew I had to find a way to speak to a person, not a bot. But how?
During one of my many desperate Google searches (“How to talk to a person at Instagram?”, “How can I fix a hacked Instagram account?” etc) I stumbled on a BBC News article. A company had been hacked in August 2020. The key words in the article were, “She is now working with Instagram to resolve the problem”. Whaaat? So there WAS a person there, somewhere.
I emailed the company (The English Stamp Company) and asked if they had a contact address, or a real person’s email? This was a last roll of the dice.
Bless them, within the hour they’d replied and given me the email address of someone at Instagram. The email address is this: firstname.lastname@example.org
The Hacked account gets weird
Meanwhile, the hacker had accepted that I wasn’t coming through with the bitcoin.
They posted in my Instagram story: “This account is for sale for $150”
Clearly, this was targeted at me. My account would be worthless to anyone unless they were me, or wanted to pretend to be me (which is incredibly unlikely).
Another WhatsApp message, this time from another phone number (in New York). “So are we deleting an account?”
I refused to engage and felt a bit sick. They put the offer of the sale in the biography section.
Followers and friends were pinging off complaints to Instagram and getting in touch to ask why or if I really was selling my Instagram account? Uh – no. But this was all very useful and brought the damaged account to the attention of the behemoths at the help desk, I think.
Its final weird reincarnation had my profile picture removed, an odd bit in the biography section, a totally new name (I think it was called “Verified Badgesl”), and a padlock to show that the account had been either deleted or taken down.
Resigned to my loss
There was no instant reply to my email. I decided it had been a false lead.
By now I was very bored of feeling so stressed. I decided I had to accept that the account and its 18k followers, 1083 posts, and 11 years of curation were gone.
So I built a new account, a new Instagram home. It took a day, and I referred to the photos I’d taken of my old account.
By the next morning I had a majestic 3 followers. Still, I resolved to be cheerful.
I did fire off one last email to email@example.com saying that being unable to talk to anyone guaranteed lots of people would turn to hackers to resolve the issue. I said I was going to go to the press (I would have done, too. Although it’s not exactly a thrilling tale. Unless you’re living it…). I suggested Instagram’s customer service was not perfect.
Instagram send me an email
The next day, an email pops up. From the Facebook helpdesk.
It took some untangling. They were very helpful, and very slow. I dealt with three different people, about 15 emails, and lots of password resets that didn’t work.
Finally, three or four days later, a reset link comes through that works!
Reclaiming my Instagram account
I was in again! It felt a little like coming home, I couldn’t quite believe it.
I’d only lost a couple of hundred followers. As far as I can see, nothing else weird has been done to the account.
A lot of DMs with links have been sent – I assume encouraging people to click on the same sort of scam that I fell for. I’m hoping my followers avoided doing any such thing (they’re probably cleverer than me).
I moth-balled the new account, and posted on my reclaimed account that I had been hacked and was back. I also shared this info on Twitter and Facebook.
It had been almost exactly a full week since I clicked that fatal link. I was back.
So what have I learned?
First: Put Two-factor authentication onto every single social media account you own. It takes a matter of seconds, and gives you total peace of mind.
Second: Never click on any DM or link. Don’t trust something like that.
Third: Get it in perspective! One thing I did realise was that actually, in the grand scheme of things, losing an Instagram account was relatively meaningless. My family was well. The tulips were out in the garden, the blue-tit was singing in the tree. The tree was smothered in cherry blossom. Instagram? Yeah. Not really that important.
Fourth: Once I got my account back, I found out that you can request a back-up of your content. It might take a while to come through, but I’ve applied for one. So if the hackers get me again, I’ve only lost my followers, not any content.
So, I’d suggest you implement Two-factor authentication, and back up your account right away. If not, and the damage is done, you have the magic email to use, to access the humans at Instagram. Just hoping the poor fella whose email it is doesn’t go and change jobs anytime soon!
And most important, it’s actually not worth getting that upset about. In the grand scheme of things, the loss of an Instagram account doesn’t matter. Your own health, happiness, and immediate world – as is, not as it is on your social media accounts – is much more important than all these pixels.
Massive thanks are due to everyone who got involved and reported the hack, and reached out to tell me what was going on, and to those who commiserated.