I was floating on cloud 9 on my first day back at work after what was undoubtedly my most successful week since I started the blog when my Instagram account was hacked.
Part I: How it happened
Venti dark roast in hand, I had just logged in and settled down after taking a full work week off to attend New York Fashion Week. Not quite ready to get back to lawyering, I checked my Instagram stats – over 40,000 hits in the last 7 days. I could hardly believe my eyes; I was excited. All of my hard work was finally paying off – the sponsorships and collaboration opportunities were steadily coming in, I had just crossed the 10K follower mark, I had made a million and one new contacts attending shows and events during NYFW, and I was never prouder of the content I had been producing. Everything seemed to be moving in the right direction.
Naturally, I then checked my blog emails – tons had come in during NYFW that went unread and I needed to get through them. Some were deleted, others were flagged for later and then I came upon the following email:
I should have noticed the glaring red flags:
- The email address was not an official one. Although it is not obvious in the snapshot of the email above, the sender's address was a Gmail address. Always check the actual address, not just the display name. Most advertising solicitations and PR agents write from a company or site-related domain.
- The grammar and writing suggested the author was not a native English speaker. This is not always a problem, as many of the companies that offer opportunities are based in the EU or Asia, but it should have made me more careful.
- The item was presented through a suspicious link. Most companies describe the product in more detail with a photo or a direct link to the product page. Do not download anything unless you trust the sender, and instead of clicking, paste the link into a new browser window where you can inspect the address before loading it.
- Clicking the link logged me out of Instagram. Alarm bells should have gone off the minute the link logged me out of Instagram and dropped me on a login page. That login page was a fake that mimicked Instagram (it appeared identical to the real login page), and by entering my credentials I was handing my username and password straight to the attacker.
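The red flags above can be checked mechanically before anyone clicks. The following is an added example, not code from the original post: a small Python triage script that takes the sender address and the links in a message and reports the same warning signs the post lists. It also catches two lookalike tricks the post's fake login page could have used, a hostname like instagram.com.evil.example and a URL that hides the real host behind a username (https://instagram.com@evil.example/). The free-webmail list, the sample sender and sample links are assumptions constructed for illustration.

```python
"""Triage a sponsorship email for phishing red flags before clicking.

Added example, not code from the original post. The freemail list and the
sample message below are constructed assumptions for illustration.
"""
import re
from typing import List
from urllib.parse import urlsplit

# Assumed: free webmail providers a real PR agency would not write from.
FREEMAIL_DOMAINS = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com", "mail.ru"}


def sender_domain(addr: str) -> str:
    """Return the lowercase domain of an address like 'PR Team <x@y.com>'."""
    m = re.search(r"<([^>]+)>", addr)
    bare = m.group(1) if m else addr
    return bare.strip().rsplit("@", 1)[-1].lower()


def link_host(url: str) -> str:
    """Hostname a browser would actually connect to for this URL.

    urlsplit().hostname discards a userinfo prefix such as
    'https://instagram.com@evil.example/' and lowercases the result,
    so the returned host is the one that really gets the request.
    """
    return (urlsplit(url.strip()).hostname or "").rstrip(".")


def is_instagram_host(host: str) -> bool:
    """True only for instagram.com itself or a real subdomain of it.

    A substring test would accept 'instagram.com.evil.example' and
    'login-instagram.com'; matching on a dot boundary does not.
    """
    return host == "instagram.com" or host.endswith(".instagram.com")


def triage(sender: str, links: List[str]) -> List[str]:
    """Return human-readable warnings for the red flags found."""
    warnings = []
    dom = sender_domain(sender)
    if dom in FREEMAIL_DOMAINS:
        warnings.append(f"sender uses a free webmail address: {dom}")
    for url in links:
        parts = urlsplit(url.strip())
        host = link_host(url)
        scheme = parts.scheme.lower()
        if scheme not in ("http", "https"):
            warnings.append(f"unusual scheme '{scheme}' in link: {url}")
        if parts.username is not None:
            # 'https://instagram.com@evil.example/' shows instagram.com but goes to evil.example
            warnings.append(f"link hides its real host ({host}) behind a username: {url}")
        if host.startswith("xn--") or ".xn--" in host:
            warnings.append(f"punycode (lookalike character) hostname in link: {url}")
        if "instagram" in host and not is_instagram_host(host):
            warnings.append(f"lookalike Instagram host, not instagram.com: {host}")
        if parts.path.lower().endswith((".zip", ".exe", ".scr", ".js")):
            warnings.append(f"link points at a downloadable file: {url}")
    return warnings


# Constructed sample, modelled on the kind of message the post describes.
SAMPLE_SENDER = "PR Team <brandcollab.team@gmail.com>"
SAMPLE_LINKS = [
    "https://instagram.com.product-preview.example/login",  # lookalike host
    "https://www.instagram.com/p/abc123/",                   # genuine
]

if __name__ == "__main__":
    for w in triage(SAMPLE_SENDER, SAMPLE_LINKS):
        print("WARNING:", w)
```

Running it on the constructed sample prints two warnings: the Gmail sender and the lookalike host. A genuine agency address with a real instagram.com link produces none. The script cannot tell you whether a page is a fake login form once loaded; that is still a judgement call, which is why the post's advice to inspect the address bar before typing a password stands.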
Within minutes I received a notification from Instagram that my email had been changed, followed by an email from the hacker informing me that my Instagram account had been hacked and temporarily blocked, and extorting me for payment in Bitcoin (WTF?!) or by wire transfer. I panicked, debating whether to engage in a cryptocurrency transaction, call the FBI or just cry.
Part II: What to do to prevent being hacked
There has been a major surge in Instagram hacks since August 2018, primarily from Russia, and it is likely to continue. After I was hacked, I spoke to numerous IT security experts, and here are some invaluable tips:
- Turn on two-factor authentication immediately. I admit I had not done this, and had I, I likely would not have fallen victim: the fake page would still have captured my password, but the password alone would not have been enough to log in. For Instagram, go to the settings button, scroll down, tap Two-Factor Authentication and slide the switch to "on." Where the app offers an authentication app as the second factor, prefer it to SMS codes, which can be intercepted by someone who takes over your phone number. Also turn this on for all of your associated email accounts, since whoever controls your email can reset your Instagram password.
- Use strong passwords, and use a different one for every account. This one seems obvious, but it is imperative: a password captured on one fake login page should not open anything else.
- Get a password manager. Every expert I spoke to advised me to get a password manager to keep track of and manage my passwords.
- Download a VPN app. A VPN connects your device to a server over an encrypted tunnel, so that someone on the same public Wi-Fi network cannot read your traffic, and it can also let you access region-restricted websites. Note that it would not have stopped this attack: a VPN encrypts the connection to a fake login page just as happily as to a real one, so it is no substitute for checking the address you are typing your password into.
- Revoke access to suspicious third-party apps. Open your Instagram profile, click the settings button and click "Authorized Apps." If you notice anything strange, revoke it with the Revoke Access button.
- Check Instagram account information. To learn more about a new or suspicious account, go to its profile, tap the "…" button and select "About this Account." There you can see when the account joined Instagram, the country it is based in, accounts with shared followers, username changes and any ads it might be running.
Part III: Steps to take after you’ve been hacked
Here is what I wish I had known the minute the hacking occurred, and I hope it helps guide you if you should ever fall victim to such a terrible crime.
- Use the "revert this change" link in the email from Instagram. The minute your account is hacked, the hacker will begin changing the information associated with it, including your username and your associated email address or phone number. If you receive an email from Instagram notifying you of a change, immediately click on the link marked "revert this change" and change your password. This did not work for me, as the hacker had already changed other information (my username) before I received the notification that my email had been changed. Strangely, I did not receive a notification from Instagram that my username had changed, only that my email had been changed, so I was already two steps behind the hacker.
- Try logging in with different credentials. Try logging in with your username, email and phone number in order to change your password immediately. This likely will not work, but it is worth a try.
- Look for clues in the email from Instagram. Here is the email I received from Instagram alerting me that information on my account had been changed. Let's go through all the important pieces of this notification: (a) the address line showed a new Instagram username: mine had been changed from "styled.by.my" to "styled.by.my.1809" (upon receipt, I had not initially noticed this); (b) a new email address was listed (note this email address, as you will need it when filing your report); (c) a "revert this change" link (click it immediately and try to change your password); and (d) the address 1 Hacker Way, which is a real address (in my panic, I assumed this too was an email from the hacker, but research confirmed that this is Facebook's official address. Note: Facebook owns Instagram).
- If it is unclear whether your username has been changed, ask friends and family to look at old notifications from you. Old notifications on your friends' and family's pages should show the username your old page is now associated with. I was showing up as "styled.by.my.1809" on pictures I had previously liked. Old comments had disappeared and tagged photos of me had disappeared, but likes remained.
- Immediately try to claim your old Instagram username. It's unclear to me why the hackers do this, but one of the first things they do is change your username to something new and create a new account under your old username. My guess is that it ensures you are completely locked out of your account. Create a new email address, or use one that is not associated with your hacked Instagram account, and immediately create a new Instagram account with your old, original username. This is critical because it creates a placeholder: when your account is restored, you can reclaim your old username. I did not do this, and the hacker created a new account under my old username, which I am now working to get taken down in order to reclaim it. Losing your original username can be devastating to your brand and raise concerns among your followers as to the authenticity of your account if and when it is restored. In the meantime, I have renamed myself "styled.by.my.official."
- Immediately create a new email address not associated with Facebook or Instagram. I will explain further below, but create a new email that has no association with your social media profiles.
- Submit an official report. One thing I have learned is that Facebook/Instagram does not make the process of reporting or communicating with them easy, and it is nearly impossible to find the reporting page, so here is a guide to get you where you need to go quickly now that you have done the investigative work outlined above and have the critical information in hand. Go to the Instagram login page, enter your username and click "Forgot password." Do not enter your old password or click "Login"; that will lead you to the wrong place. Once you have clicked "Forgot password," you will be taken to a "Trouble logging in?" page, where you enter the phone number associated with your account and then click "Need more help?" Do not click "Send login link," as you have presumably already tried this and could not log in. Finally, you will be led to the official reporting screen, where you must enter as much information as you have been able to gather: the username the hacker has changed yours to, all email addresses associated with the account, all phone numbers associated with the account, and any old usernames you previously used for it. Use the "Any additional details?" part of the form to give as much information as possible. Also provide, in this section, the new email address you created that has absolutely no association with your social media profiles. Facebook/Instagram will use this new email to reassociate your recovered account with a secure, uncompromised address. Facebook/Instagram will eventually contact you for more information. In my own experience and from research online, this can take days or longer.
- Ask all of your friends and family to submit reports. It is unclear how effective this is, but my sense is that the more reports that are made, the greater the likelihood that Facebook/Instagram will notice. They can do this by going to the Settings tab, scrolling down to "Report a Problem," tapping "Spam or Abuse," then "Hacked Accounts" and/or "Impersonation Accounts," and following the prompts. If a new account has been created under your old username, they can also go to that page and report it directly.
- Find someone at Facebook or Instagram. This is the golden ticket. After a full day of submitting multiple reports and not receiving any meaningful response from Facebook/Instagram (I had received a number of automated responses asking for more information or simply rejecting my reports of abuse), I turned to friends and family for help finding someone who might work at Facebook or Instagram. Thankfully, my social media manager at work had a friend who worked for Facebook and put me in touch with him (I am always reluctant to reveal the blog at work for fear that people will not take me as seriously professionally, but I was desperate, and I am so glad I did). He asked me for much of the same information I had provided on the official form, as well as for an email address not associated with any social media account. With this information he submitted an internal ticket. Thereafter, I was able to connect with two additional contacts through the help of my cousin, who has friends who work at Facebook (God bless the millennials), who also checked on the status of the internal ticket. Approximately 24 hours after the internal ticket was submitted, my account was restored under the username the hacker had changed it to, "styled.by.my.1809." I received an email at the new address not previously associated with any social media, informing me that Instagram had detected suspicious activity, with a prompt to reset my password. I followed the prompts and I was back in!
Part IV: Questions that remain & things I’ve learned
It is unclear how long it would have taken, or whether my account would ever have been restored, without the altruism of individuals who work at Facebook in getting my account issue escalated. I know that this post will likely cause many of you to ask for their contact information, but for the sake of their privacy, and so they will not be bombarded with requests, I cannot provide it. I apologize in advance, hope you understand, and encourage you to find someone within your own social circle who may work at Facebook or Instagram.
It is unclear whether Facebook/Instagram will ever actually investigate what happened or the criminality of this extortion scheme. I don’t see any indication from them that they will, which I find terribly disconcerting and concerning for the safety of all Facebook/Instagram users. In fact, this situation has made it quite obvious to me that Facebook/Instagram is not prioritizing the safety or privacy of its users. It is far too easy to create new and fake accounts without any proper verification system, it is far too easy to change information associated with existing accounts and their reporting system is an absolute joke.
Always follow your instincts. If something looks fishy, it likely is. In my everyday life, I warn my own clients about obvious signs of fraudulent activity, and here I was engaging in stupidity and ignoring my own advice.
Lastly, I have the most incredible family, friends and followers. I cannot tell you how overwhelmed I was by the outpouring of support from everyone who asked how they could help, encouraged me that even if my page was never restored they would personally do whatever they could to help rebuild and regain followers, submitted reports and offered their own time to help me locate someone at Facebook to get this situation escalated. I am eternally grateful to all of you for your kindness, and especially to Bugsy, who watched me cry for over 48 hours but never once dismissed my devastation or told me I should just give up on this blog, remained optimistic when I was in despair, researched every mechanism for reporting and restoring my page, and cheered as loudly as I did when my page was finally returned.
It's hard to believe that all of this happened only 72 hours ago, but I hope you find this blog post helpful in preventing hacking attempts, or if you have found yourself a victim of hacking.
If you have any other helpful information to provide, please do so in the comments below and I will be happy to include your tips in a subsequent updated post. The more information we provide, the better we all are going to be at protecting ourselves from these kinds of attacks.
My new Instagram handle is @styled.by.my.official. If you did not unfollow my account while it was disabled, then you will already be following me under my new username.
Thank you for your continued support.