By Isabel Roces-Trebol
We always hear about someone’s social media account getting hacked, but we hardly ever think it will happen to us. I always thought mine was secure and I’d be able to spot any attempt right away. That wasn’t the case.
Last weekend my Instagram account was hacked, hijacked, and put up for sale. I fell victim to a phishing scam. I’m narrating now what I learned in the hope of letting everyone know how they strike and how easy it is to lose control of your account.
I found out that the hacker first gained access to a friend’s account, and renamed it to look like one of Instagram’s technical support accounts. The name was changed, the photos deleted, but the followers were retained. He used it to send me a direct message that looked like a legitimate security warning.
Using the account name, “Business Support,” and with Instagram’s logo as its profile picture, the message said I had posted copyrighted content and a complaint had been filed against me. It had a link to contest this claim. However, it gave me a deadline of 48 hours to do so.
It was a lapse in judgement for me. Since it looked official at first glance, I clicked the link and entered my password to confirm the action. Thinking it was a legitimate email from Instagram, I thought it was part of the process.
Little did I know that the password I gave would be used against me. In a few hours, the hackers behind the scam had used the details I provided to log into my Instagram account and take control. Once logged in, they could change the username, the backup email account, and other security settings to transfer the account to their control.
I only realized this was happening when I received an email from Instagram informing me that my username had been changed. I didn’t remember doing so, which is why I checked. I then realized I no longer had access to my account.
The hackers quickly changed the name of my account and removed the profile picture. However, my pictures were still there.
It was changed to “laniam12k,” with 12k meaning 12,000, the number of followers I had at the time. It’s then that I realized that my account was being put up for sale.
Horrified, I tried reaching out to friends who had experienced something like it before. Some told me theirs had been held hostage and would be given back to them if they paid a ransom in cryptocurrency. I was fortunate enough to find someone who was able to retrieve their account without paying. They got it back with the help of an ethical hacker, a white hat.
After getting in touch with the white hat, I told him about my account hijacking, how I lost it, and asked what I should do to get it back.
With his help, we filed several complaints and reports with Facebook and Instagram about the problem. I followed their instructions, some of which required filling out forms and sending new photos to regain access to my account.
But every time Instagram gave me back access to my account, the hacker would simply get it back.
Every time you change critical information in your Instagram account — like changing the username or backup email address — Instagram sends an email to the current email address listed, informing the user of the change. In that email is the phrase, “secure your account here.” In my case, that email was sent to both my email and the hacker’s email.
He would simply click on “secure your account” to tell Instagram’s automated system that he didn’t authorize that change. Unfortunately, Instagram would return control to him. I spent three days in front of the computer, in a tug of war for my account with my hacker.
Every time I had the account in my control, I would disable it, change to a new email, new passwords, and even implement two-factor authentication. Yet with this little loophole, my hacker kept managing to retrieve my account. I was manic!
After 20 incident tickets sent to Instagram technical support, 20 narrations of what happened to the helpdesk, and emails to 10 different Facebook agents, things were finally looking up.
The last Facebook tech support agent I talked to realized that the way to stop my hacker was to set my email as the primary email. This would stop the automated system from sending retrieve links to the hacker’s email. Finally my account was freed.
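The tug of war described above, as an added example that is not from the post and is not Instagram’s code: a toy Python model of an account whose self-service changes mail out a “secure your account” revert link. The model makes three assumptions of mine, not facts about Instagram’s implementation: the revert link goes to every address that was on the account before the change, clicking it restores the entire pre-change snapshot (including the hijacker’s address and the pre-change 2FA setting), and the support agent’s fix both made the owner’s address primary and dropped the hijacker’s address from the account. The email addresses and handles are placeholders.

```python
"""Toy model of the 'secure your account' revert loop.

Added illustration, not Instagram's actual code. The account structure,
the notification rule and the support action are assumptions chosen for
the demo; the addresses and handles below are placeholders.
"""
from dataclasses import dataclass, replace
import secrets

VICTIM = "owner@example.com"    # placeholder: the account owner's email
HACKER = "hijacker@example.net"  # placeholder: the email the hijacker added


@dataclass(frozen=True)
class AccountState:
    username: str
    primary_email: str
    backup_emails: tuple = ()
    two_factor: bool = False

    def listed_emails(self):
        return (self.primary_email,) + self.backup_emails


class Account:
    """An account whose self-service changes can be undone via a revert link."""

    def __init__(self, state):
        self.state = state
        self.outbox = []   # (recipient, revert_token) pairs that were "mailed"
        self._revert = {}  # revert_token -> snapshot taken before the change

    def self_service_change(self, **fields):
        """Owner or hijacker edits settings from a logged-in session.

        Assumed rule: every address listed *before* the change receives a
        revert link, so a still-listed hijacker address gets one too.
        """
        before = self.state
        self.state = replace(before, **fields)
        for addr in before.listed_emails():
            token = secrets.token_urlsafe(16)
            self._revert[token] = before
            self.outbox.append((addr, token))

    def support_set_primary(self, addr):
        """Out-of-band fix by a support agent: make addr the only address.

        Assumed: support actions do not mail revert links, so the hijacker
        gets no way to undo this step.
        """
        self.state = replace(self.state, primary_email=addr, backup_emails=())

    def click_secure_account(self, token):
        """The 'secure your account here' link.

        It only says "I did not authorize this change"; it carries no proof
        of which party is the rightful owner, so it restores the whole
        pre-change snapshot for whoever holds a valid token.
        """
        before = self._revert.pop(token, None)
        if before is None:
            return False
        self.state = before
        return True

    def tokens_mailed_to(self, addr):
        return [t for a, t in self.outbox if a == addr]


def hijacked_state():
    """State after the takeover: the hijacker's address is primary."""
    return AccountState("laniam12k", HACKER, backup_emails=(VICTIM,))


def tug_of_war(support_fixes_primary=False):
    """One recovery attempt by the owner, then the hijacker's response.

    Returns (final_state, hijacker_reverted_the_recovery).
    """
    acct = Account(hijacked_state())
    if support_fixes_primary:
        acct.support_set_primary(VICTIM)
    # Owner regains the session and changes everything she can at once.
    acct.self_service_change(username="owner_handle", primary_email=VICTIM,
                             backup_emails=(), two_factor=True)
    # Hijacker clicks every revert link that landed in his inbox.
    reverted = False
    for token in acct.tokens_mailed_to(HACKER):
        reverted = acct.click_secure_account(token) or reverted
    return acct.state, reverted


if __name__ == "__main__":
    for fixed in (False, True):
        state, reverted = tug_of_war(support_fixes_primary=fixed)
        print(f"support fix={fixed}: reverted={reverted}, "
              f"primary={state.primary_email}, 2fa={state.two_factor}")
```

Without the support step the owner's new password and 2FA are undone by a single click, because the revert token restores the snapshot in which the hijacker's address was still listed; once the hijacker's address is no longer on the account, no link reaches him and the recovery sticks.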
I was relieved but still livid. To get back at him, I enrolled the email addresses my hacker used to annoying newsletters from gossip sites, book clubs, pet accessory sites, porn sites, and even conservative religious sites. I even used a spam sending service to deliver up to 60 spam emails per minute to his inbox just to spite him. I doubt the spam will do much damage, but if it even irritates him a little bit, that’s a win for me.
In retrospect, maybe there are merits to my misfortune. I learned a great deal about maneuvering the tech world and how easy it is to get someone’s personal information and social media login details.
I realized my hacker probably wasn’t someone hunched over his computer in a dark room, tapping away at the keyboard the way they’re depicted in the movies. He could have just been one of many in a syndicate, lazily sliding his mouse around and exploiting the loopholes of the system.
What happened to me is just one of many phishing scams used to get a person’s login details to social media accounts, online banking services, and even emails. They just need to get into one account to get access to a whole list of potential victims in the contacts or friends lists of these accounts. I thought I’d quickly be able to spot these tricks because of their notorious bad grammar and spelling. But these tricks are getting more sophisticated by the day.