What to do if your Instagram gets hacked

In early February, Indirectory’s business Instagram was hacked. The criminal took control of the account, and contacted scores of my followers, pretending to be me, in attempts to get control of their accounts too.

I got it back… but it took 3 days, professional support from a cyber security service, a TV appearance with Channel 9 News, and probably years off my life due to a mild nervous breakdown!! The following article is about what happened, how I got it back, and what I’m going to do to try to prevent it from happening again…

If you’ve come across this article because this has happened to you, I know you want answers asap. So I’ll tell you how I got it back, and my advice first as TLDR, but if you want the longer story, I’ve also included that below.

Here is the sequence of actions that got me back into my account

  1. Log out of all accounts on the Instagram app

  2. Go to log in to the compromised account using the latest username

  3. Click forgotten password (which gives an option to send codes to the hacker’s new email address)

  4. Click ‘try another way’ down the bottom of this screen (which gives an option to send codes to my original/correct email and phone number)

  5. Instead of being distracted by these (which only leads to a dead end as I was required to also give a 2 factor authentication code that I didn’t have) I needed to push the ‘try another way’ link again on the bottom of that screen.

  6. This takes me through to a screen that asked me if my account was hacked and if I had photos of myself on the compromised profile. Luckily the answer to this was YES.

  7. Then I was prompted to take photos of my face from different angles to prove I’m the same person as on my profile.

  8. I then had to wait to see if Instagram agreed that I was who I said I was, and the rightful owner of my business account. I had heard many stories about people taking these steps and being rejected by Instagram over and over, even though they had photos of themselves on their profiles, albeit not very clear or recent ones.

  9. MIRACULOUSLY, within 3 minutes, I was approved and given a code to log back into my account. Perhaps the news story had something to do with it?? It’s a mystery!

  10. Before I took the opportunity to regain control, I composed myself and wrote down what I wanted to do (change my password, turn on 2 factor auth, change my phone number back, check that my email was correct) because I was worried the hacker might be logged in and changing it back at the same time. I seemed to get away with it because it’s a couple of days later and it hasn’t been

My advice

  1. Turn 2 Factor Authenticator on and link to an Authenticator APP on your phone (rather than phone number). I don’t know what to advise you if you are using a third party scheduling app like we were… This is on Instagram for not facilitating. I’ve heard that hackers are getting past 2 factor auth… but surely it will decrease your chances of being hacked.

  2. Have clear and recent photos of you on your profile to help with the swift proving of your identity.

  3. Have long, different, and complex passwords on your email and app accounts that you change often. Store these on paper in your office, not in your phone notes or in texts or emails to your team.

  4. Have 2 Factor Auth turned on for all other services that support it.

  5. Make sure that the email you have linked to your Instagram is the one you get alerts for on your phone. I did get emailed when the hackers started to make changes… and maybe I could have jumped in there and stopped them earlier. Instagram help centre says there is a ‘special link’ in these alert emails from Instagram, that can ‘reverse’ the hackers’ take-over… but this magical link must be so magic it’s invisible as the only links in those emails took me straight back to the page in Instagram help centre complete with an array of suggestions that lead nowhere.

If all else fails, get in touch with your local news. For all I know, the press helped move things along with Instagram support. The other business in the news interview’s identity wasn’t verified until after the news story went live.

How it happened

At 7.14am on a Saturday morning, I was treating myself to some Instagram scrolling in bed, when I see a weird, unscheduled story posted by my business account talking about a cash prize.  My heart sank immediately, as I knew @indirectoryapp, renamed to ‘@indirectories’ had been hacked.

Then the race was on… I switched from my personal to my business account on my phone and frantically tried to change my password, but was logged out. 

Next, I tried to get in by clicking ‘forgotten password’ and saw that my phone number and email address had been changed so I wasn’t able to receive a code to get back in. I didn’t know it at the time but found out later that if I clicked ‘try another way’ I could get codes sent to my original email or phone number… but this STILL would not have helped me, as the hackers had switched on 2 Factor Authentication and messed with my stored codes.

I recalled I likely had 2 factor authentication turned off to allow my team to schedule posts with a third party scheduler app.

I then spent the next 3 hours UNSUCCESSFULLY trying to find a way to submit a support ticket to Instagram for the hacking. I was only able to find a way to ‘report’ abusive content, which didn’t seem as though it led to much effect.

At around 10am I get a call from a close friend who is like the sweetest person on earth. She was super stressed, asking me ‘what is going on?’. It took a while to untangle, but eventually we figured out she had been chatting with the hacker for the last half hour, thinking it was me (in a really pushy and impatient mood). The hacker had asked her if they could send her a link so she could send it back. This wasn’t an entirely unusual request for me to make of her, as in the past she had helped me out with tests, no questions asked.

THANK GOD she didn’t have her current phone number connected to her account and they struggled to text her the link which (should she have not seen through the scam) would have given them direct access to logging into her account. When the hacker (who she still thought was me) started getting more rude and hassling her for her Instagram password she luckily called me to ask why.

The hardest thing for me to stomach was the realisation that the hacker was strategically contacting all of my Indirectory followers, starting with the ones I had chatted to most recently. It was devastating to me that my followers, fans, friends and colleagues were at risk because of my account being compromised. It felt like such a violation. 

By midday I was still being sent around in circles by Instagram’s support centre, so I reached out to techie friends, and was introduced to a cyber security expert called Amanda-Jane from Demystify Cyber. Mandy gave me easy-to-follow steps to improve my security, and try and get my account back, but the real gold about Mandy was that she was really supportive and lovely, which helped me calm the f down.

We spent the next days trying to make sense of any suggestions in the help centre, and trying everything to get the message through to Instagram what had happened. I wrote a big step by step document that proved my identity and showed screenshots of what the hacker was doing. I never found a reliable way to submit this to Instagram though. I just kept hitting walls, even with a business account in Facebook Ads Manager.

On Tuesday, when I had resigned myself to never getting my account back I was told by a friend that Channel 9 news was doing a story on Gold Coast businesses that had been hacked. I jumped at the opportunity to be interviewed, hoping it would increase my chances of getting Instagram’s attention. Sleep deprived and nerves fried, I ‘ummmed’ my way through a quick interview with the reporter that appeared on TV 2 hours later on the local news. 

After this interview I went and got a massage and healing session (yes I am a hippy) to try and relax. Later that night, in a more relaxed state, I went to go through all the steps to try and recover my account again. I think because I wasn’t panicking as much and mashing my phone screen with my shaky thumbs, I was able to focus on methodically working through all my options during the login process. This is when I went through the steps I mentioned above and got back in.

If you are reading this, I know there is a strong chance that this has also happened to you. And I feel for you! Knowing your loyal followers might be getting duped is the most stressful feeling ever. I really hope this article has helped you in some way. I know I would have appreciated reading it at the time!

x Emma
