Had your Instagram account stolen? Don’t panic – here’s how to get your account back and how to avoid getting hacked (again).
A friend of Jake Moore, Global Cybersecurity Advisor at ESET – let’s call her Ellie – recently called him with a devastated tone in her voice. Her Instagram account had been hacked and she was locked out. Her panic was evident as she told him her password had been changed and that the hackers had added two-factor authentication (2FA) to the account.
She went on to ask him if he knew of any tips to regain control. Ellie is quite computer savvy and understands technology; however, she is also very busy with her small business and young children. As a result, she has simply “put off” adding extra security layers to her social media and email accounts.
How things went wrong
Ellie’s first mistake was that she had used a relatively simple password on the account and had reused it on other accounts, so this password was either compromised or attacked via brute force to gain illicit entry.
Her second mistake was that she had not set up 2FA on her account, which is free and easy to enable on all social media and email accounts. With this turned on, the hackers would simply have been turned away – even after entering the right password or clicking on the “forgotten password” link (a hacker’s favourite starting block!).
Once into her account, they started the process of locking Ellie out: they changed the password, switched 2FA to a Nigerian phone number and a different email address, and added an authenticator app. They even appended some numbers to the end of the Instagram username. This is presumably done so Ellie would not simply be able to regain control from her phone, should she get that far.
Once they had locked Ellie out, they started the next level of sideways attacks by sending messages to her Instagram friends, presumably to target their accounts and get their 2FA codes and multiply the hack. Luckily, no one else divulged the code but a few were immediately taken in by the messages.
The long road to (account) recovery
When Ellie tried to recover her account, she felt like she was at a dead end – even after following the steps on the Instagram help site, she felt stuck. When she requested a login link from Instagram to be sent to her primary email address, nothing genuine came through even though she could still access this account. (You will, of course, need access to the email address connected to your account. If for any reason you cannot access this email account, Instagram will not let you regain access to your Instagram profile.)
Jake remembered that hackers can often get into the associated email account via the same reused password, and then hide or block the recovery emails Instagram sends about the hacked account.
This was exactly what had happened. In her Yahoo account, she clicked on the “Blocked List” and three email addresses ending in mail.instagram.com had been blocked.
Once unblocked, she followed the process again and Instagram sent another login link. She was then asked to submit a video selfie to help verify her identity (this was only possible as she has photos of herself on the account).
Within 20 minutes, she received an email saying that she had now been granted access back into the account and given a small number of one-time recovery codes to use. Jake and Ellie both thought they were on the road to victory!
But it was short-lived.
Although Ellie did regain access to the account by following the genuine link and typing in a backup code, the strangest thing is that she was instantly booted straight back out on entry. She retried this process five more times and this frustrating cycle reoccurred. She panicked, as she was only given six backup codes to use. To get more codes, she had to prove her identity again via the video selfie process – which did not work the next time, but after another attempt she passed and was given six more codes.
Interestingly, however, Ellie’s email address started receiving emails purporting to be from Instagram, but the grammar errors and strange requests for security codes looked phishy and, luckily, she ignored them. Presumably the hackers could have locked her out of this email account too, but they wanted to keep her in it so that she might hand over the one-time passcodes (OTPs).
Jake wondered if there could be a problem with her geo- or network location, or device, potentially banning her from entering the account, so he asked her to send the recovery email to his email address so he could try from his laptop at a location five miles away.
Jake attempted the process on his laptop and much to Ellie's disbelief, he got in straight away and stayed in! Success! Ellie was overjoyed, but before Jake took a moment to work out why this attempt had worked, he decided to secure the account once and for all.
He turned off the newly assigned 2FA app and the Nigerian phone number the hackers had changed it to; then, he changed the associated phone number to Ellie’s and then turned 2FA back on. He went on to change the password and used a 2FA code sent to her phone via SMS to prove she was now the secure owner of the account.
Another thing the bad guys did was change Ellie’s username. This is presumably because when you log back into Instagram from your phone after logging out, it locks the login screen to the previous username and not an email address, making re-entry very tough unless it is still the original username tied to the app. To get Ellie back in, Jake had to change it back to her original username.
While in her account, he visited her “Login Activity” and it asked him if his current login location was “me”. He clicked “yes” and it stored this location.
Jake’s explanation for why she was instantly being booted out of the account comes down to one of two possibilities. Firstly, the hackers had potentially looked at recent login activity and struck off those locations, making Instagram think her home Wi-Fi was in fact a hacker’s location.
Or secondly, the hackers were still in the account and every time Ellie attempted to use the backup codes, they were notified and used their associated 2FA to change the password once again before she could press on any further. Either way, using another IP address from a laptop and navigating the site quickly worked.
Once she was back in, Ellie had a lot of replying to do with all the messaging that the hackers had done.
Fascinatingly, anyone who replied stating they thought Ellie’s account had been hacked, or mentioned on their own stories that Ellie’s account had been hacked, had been blocked by the hackers too!
Luckily, the whole process only took three days but it definitely felt longer for Ellie. She is back in now and after nearly giving up, she mentioned that she has learnt about account protection the hard way, and said “I wish I had followed this simple security advice beforehand”.
Recovery process on a compromised Instagram account
- Head to your email account and make sure any email addresses from Instagram do not feature in your blocked list.
- Visit Instagram’s Password Reset page for a login link.
- Follow the on-screen prompts to this Help page and submit a support request to verify your identity. You will be asked to record a video selfie, but the next step will only work if your account already contains photos of you. The recovery link will be sent to your original email address.
- If this does not work, try it again until it verifies you.
- When successful, you will receive an eight-digit code that will be required after clicking on the link sent from Instagram.
- Log into the account on a computer using an IP address not used before with the account.
- Once in, immediately revoke any wrong 2FA implementation.
- Change the password to something strong and unique and not related to you.
- Change the phone number back to yours.
- Turn 2FA back on.
- Consider using a 2FA authenticator app instead of SMS-based 2FA.
- Change the username back on the laptop before re-entering from your phone.
- Finally, check your blocked list in your Instagram account. The hackers may have placed some close friends of yours in there.
Prevention tips for securing an Instagram account
- Use a strong and unique password on Instagram and never reuse it anywhere else.
- Turn on 2FA, both on your Instagram account and on your email account.
- Watch out for phishing emails purporting to be from Instagram.
- Beware of any Instagram messages that start with something like, “Hi, I need your help”, and call your contact to make them aware of the potential compromise.
- Have at least one photo of your face on your account so the video selfie process will work if needed.
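Two of the checks above lend themselves to a small script: the first recovery step (make sure genuine Instagram senders are not sitting in your mailbox’s blocked list) and the prevention tip about phishing emails that merely claim to be from Instagram. The following Python example is added here and is not code from the article or from ESET; it only assumes that mail.instagram.com (the domain named in the article) and instagram.com are the genuine sender domains, and every address and From header in it is constructed sample data, not a real sender. It scans a blocked-list export for genuine Instagram addresses that should be unblocked before requesting a login link, and classifies From headers as genuine, look-alike (mentions Instagram but comes from elsewhere) or unrelated, anchoring the domain match so that “instagram.com.something.example” is not mistaken for the real thing.

```python
"""Added example: spot blocked Instagram senders and look-alike "From" headers.

Assumptions (not from the article): mail.instagram.com and instagram.com are
the genuine sender domains; all addresses below are constructed samples.
"""
from email.utils import parseaddr

# Genuine Instagram sender domains (assumed). Subdomains of these are accepted
# because the match is anchored at the end of the host name, so a domain such
# as "instagram.com.verify-login.example" does NOT pass.
LEGITIMATE_DOMAINS = ("mail.instagram.com", "instagram.com")


def sender_domain(from_header):
    """Return the lower-cased domain of a From header, ignoring the display name."""
    _display, addr = parseaddr(from_header)
    if "@" not in addr:
        return ""
    return addr.rsplit("@", 1)[1].strip().lower()


def is_legitimate_domain(domain):
    """True only if the domain equals, or is a subdomain of, a genuine domain."""
    return any(domain == d or domain.endswith("." + d) for d in LEGITIMATE_DOMAINS)


def find_blocked_instagram_senders(blocked_list):
    """Return entries of a mailbox blocked list that would stop genuine Instagram mail."""
    return [entry for entry in blocked_list if is_legitimate_domain(sender_domain(entry))]


def classify_from_header(from_header):
    """Classify a From header as 'genuine', 'look-alike' or 'other'.

    'look-alike' means the display name or domain mentions Instagram but the
    address is not at a genuine domain: the pattern of the phishing emails the
    article describes.
    """
    display, _addr = parseaddr(from_header)
    domain = sender_domain(from_header)
    if is_legitimate_domain(domain):
        return "genuine"
    claims_instagram = "instagram" in display.lower() or "instagram" in domain
    return "look-alike" if claims_instagram else "other"


# Constructed blocked-list export: three genuine Instagram senders hidden among
# ordinary blocked addresses, as in the article.
SAMPLE_BLOCKED_LIST = [
    "newsletter@shop.example",
    "no-reply@mail.instagram.com",
    "security@mail.instagram.com",
    "spammer@junk.example",
    "support@mail.instagram.com",
]

# Constructed From headers: one genuine, two look-alikes, one unrelated.
SAMPLE_FROM_HEADERS = [
    "Instagram <security@mail.instagram.com>",
    "Instagram Support <help@instagram.com.verify-login.example>",
    "Instagram Security <codes@secure-mail.example>",
    "Alice <alice@friends.example>",
]


def main():
    for entry in find_blocked_instagram_senders(SAMPLE_BLOCKED_LIST):
        print("Unblock before requesting a login link:", entry)
    for header in SAMPLE_FROM_HEADERS:
        print(f"{classify_from_header(header):10s} {header}")


if __name__ == "__main__":
    main()
```

A From header can be forged, so a “genuine” result only means the message is not an obvious look-alike; the safer habit the article recommends still applies: request the login link from Instagram’s own site rather than clicking a link in an unexpected email, and treat any message asking for a security code as suspect.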