maru37
2 min read · Oct 18, 2021


Last evening, my mother showed me a Facebook post from one of her friends. It went something like this:

“Hi everyone, please stop following me on Instagram. My account was hacked and it’s no longer my account.”

I’m not the kind of person who just lets things like this go so I asked if I could talk to her friend to see if I could help. It’s a good thing that we spoke because not only had some very wonderful people taken over his Instagram but they also took over his Square account. We started by regaining control of his Square account and fortunately, there hadn’t been any unauthorized transactions. We then turned our attention to Instagram and the situation was one I’d seen before.

Generally, when Instagram accounts are taken over, it’s because the victim was using a weak password or a password reused from another site that suffered a password leak. If either of these conditions is true and two-factor authentication is not enabled, the password is the only thing standing between the attacker and a successful login.

There’s one more element to this attack that makes it particularly frustrating. Once the attacker has access to the account, they change the account information, specifically the email address and phone number. The attacker then creates a new account for the victim, using the victim’s original email address. Because that email address is now linked to a new account, the victim can no longer use it to reclaim the original one.

I’ve tried to help multiple people regain access to their Instagram accounts after falling victim to this attack and unfortunately, I’ve failed each time. Instagram’s support model does not account for this attack method nor do most users understand the attack well enough to know to ask for help.

Until Instagram improves its response to this takeover attack, there are some very specific things that you can do to avoid becoming a victim. First, do not reuse passwords or choose an easily guessable password. Password reuse is one of the most common reasons accounts are compromised. Second, you must absolutely use two-factor authentication. This is a good idea for all your accounts. For anyone out there who thinks two-factor authentication adds a layer of inconvenience to the login process, I guarantee you that having to clean up a compromised account is a far more inconvenient outcome. Two-factor authentication takes only a moment and significantly reduces the probability that your account will be taken over.

It is frustrating to see people’s social media accounts, once used to share photos of their grandchildren, vacations, and families, being taken over so some unknown attacker can peddle work-from-home scams or online lotteries. While no platform is perfect or immune from a takeover attack, Instagram can do more here to help users reclaim their accounts. Until then, use the tools at your disposal to help keep your accounts under your control.

I write about technology and information security. Be kind.