After nearly 40 years in tech, what had to happen happened. One of my accounts has been hacked. The target? My Instagram account. Although I am very active on social media, Instagram was the one I used the least. Here is what happened.
It all started when I received a plausible Instagram message from a friend. His message asked for my help and included a reset link for the account. Rather than asking me to click on the link, which I would never do, he simply asked me to send him a screenshot of the message including the link. I thought, “How can I be hacked by sending a PNG image?” After all, that wasn’t a reset link for my account. So I answered with the picture.
It turns out that the combination of the URL on the image and my response gave them enough information to take over my account.
Instagram to absent subscribers
Even when I saw trouble was brewing – an email from Instagram asking if I wanted to change my phone number to one in Nigeria – I wasn’t too concerned. I had protected my account with two-factor authentication (2FA). Although two-factor authentication isn’t perfect, it’s better than anything out there when it comes to basic security.
But this is where things went wrong. Instagram should have sent me an email with a link asking me to “revert this edit”. Instagram did not send such a message. Instead, I received emails from
In the meantime, I received another message from Instagram telling me that my account was now associated with a new email account. Again, Instagram didn’t give me the option to opt out of this change and the message redirected me to the page of the hacked Instagram account. Argh!
Identity proof
I followed Instagram’s advice on how to get my account back. I requested a login link from my Android Instagram app. I received one, which did not work. Then I asked for a security code. I got one. That didn’t work either, presumably because at that point the account was now responding to its “new” email address and “new” phone number.
Next, I verified my identity by providing the email address and phone number I signed up with, and the type of device I used when signing up. I had hopes for this one because I highly doubt that many of the people signing up to Instagram are doing so from a Linux desktop! It was a good idea, but nothing happened.
Then, as my account contained photos of me, I took a video selfie to confirm that I am a real person and to confirm my identity. No.
I would have called Instagram’s tech support number, except (surprise) that number doesn’t exist. After some research, I was able to message Instagram support directly. Truth be told, Instagram doesn’t make it easy to find because the Instagram support link is actually a Facebook page. Well done, Meta!
The Bored Ape Yacht Club also paid the price
But even after that, it didn’t help me much. I haven’t heard a single word from them. So, I decided it was time to bring out the heavy artillery. I messaged as tech journalist Steven J. Vaughan-Nichols to Instagram PR asking for help and/or an explanation.
It did not work. Guess I’m not that special after all.
So, if I made the first mistake in opening the door to hacking, Instagram is largely responsible for its 2FA system, if not its entire security support system.
But at least I’m not alone. The Bored Ape Yacht Club, a leading non-fungible token (NFT) collective, lost $3 million worth of NFTs to a hacker who used a phishing attack. Like yours truly, the Bored Ape Yacht Club said: “At the time of the hack, two-factor authentication was enabled and the security surrounding the IG account followed best practices.” They also said they were working with Instagram security and would report back on what happened. That was almost a month ago.
All this for… cryptocurrency
There seem to be quite a few such attacks going on. I have seen numerous reports of small businesses whose Instagram accounts have been hijacked. Several of my friends have reported the same thing. One of them, who works in security public relations, reports that he contacted “white hat” people for advice, but there was nothing they could do.
Instagram seems to be a security black hole: user complaints go in and nothing comes out. He had also enabled the 2FA option and was bombarded with “all sorts of weird messages asking for confirmation to change my password”. I also received many emails from IG asking me to reset my password. I then received a letter from T-Mobile, my telephone company, asking me to “block the SIM card from my account”. SIM blocks are used to prevent cloning of your phone’s SIM card, a popular way to circumvent the SMS-based 2FA system. He also “filed a police report and asked the police to contact IG”. After all that, “IG’s assistance was useless” and he ended up losing his account.
Personally, it was really boring, but it didn’t really bother me that much. I had less than 100 Instagram followers. My hacker seems to be using my old account to send cryptocurrency spam. Anyone who knows me knows that I think cryptocurrency is a scam. I spread the word that my account was hacked, and people should report it, remove it from their friends, and block it.
You’d think that with all these reports, over two dozen people telling me they reported it, Instagram might have made the connection and realized my account had been hacked. Three weeks later, Instagram still doesn’t get it.
Business at risk
But it could be worse. Hackers take over Instagram accounts of businesses and influencers and demand payment of ransomware up to $40,000.
What’s irritating to me is a business killer to others. I won’t shed tears for the Bored Ape Yacht Club. NFTs are also scams and if you think otherwise, I will gladly sell you a Brooklyn Bridge NFT. However, many design shops, videographers, photographers and marketers depend on Instagram for their livelihood.
If Instagram isn’t improving its level of security, it’s time to find another platform for your business. I made, at most, a minor mistake, and I lost my account. Instagram, with its pathetic security defenses, could lose your much more valuable account and you would have no way to restore your account or your followers.
Source: ZDNet.com