I’m sharing my personal story of exactly how my Instagram account was hacked, how you can avoid it and keep your account safe, what to do if your account is hacked, and my thoughts on Instagram’s need to provide better support for its creators. Find me @wtfab.
On Friday afternoon, the unthinkable happened. My Instagram account @WTFab was hacked, and stolen right out from under me by Instagram hackers. It’s basically every influencer’s worst nightmare, and while I take a couple precautions with my account like enabling 2-step verification and occasionally changing my Instagram password, I never actually thought it would happen to me. The feeling of panic and nausea that swept over me when I received an email from the Instagram hackers telling me what had happened was so strong, I thought I might pass out. Now, that might sound slightly melodramatic, but imagine working every day on your content, brand, voice, and building your following over the last few years. Imagine that all of that hard work and dedication has generated an income for you, and paid off in opportunities to partner with brands, experience restaurants and trips, and build a community. Now imagine all of that is taken from you in an instant.
I hear it all the time on influencer podcasts and in discussion with my blogger girlfriends. Instagram is so important for our brands and our businesses right now because it’s so popular, but it could be gone tomorrow, so we still need to put time and energy into our blogs—the only platform where we truly own our content. When we say this, or when I listen to industry leaders talking about it at events, there’s always the comforting caveat: “Now, I don’t think that’s actually going to happen anytime soon. But it could happen.” I was suddenly faced with the “could happen,” happening.
I’m sharing this story for a couple of reasons. I want other influencers to know exactly how this happened, so that they can avoid this happening to them, because it was truly 12 hours of hell. And secondly, because going through this experience made me realize how little Instagram gives a shit about your account and helping you if you get hacked, unless you’re Selena Gomez and someone is posting nudes of Justin Bieber from your account. Since hackers have now found a way to bypass Instagram’s 2-step verification, and it is happening to other influencers right now by the hands of the same Instagram hackers, I hope that Instagram can rethink the type of support they provide. If they don’t, this type of extortion is only going to get worse.
How my Account was Stolen by Instagram Hackers
I receive a lot of emails in my What The Fab inbox. This year I’ve definitely noticed an uptick in the volume, and it has become increasingly difficult to keep up with, especially when I travel so much and sometimes end up going an entire day without being able to sit down and respond to messages. During the week, I try to spend 15 – 30 minutes in the morning responding to emails before I head to the office for my job at Google, and a good chunk of time in the evenings catching up on emails that came in that day. On Friday morning, I was trying to jam through a few emails that had been sitting in my inbox unattended to the last couple days. One of them was an email from a brand called Sheike, asking what my rates are for an Instagram collaboration (this is a real brand, and I found out later the hackers have been using several different brands and their Instagram names in these emails). This is a really typical email that influencers receive on the daily. I scanned it quickly, clicked the link to Sheike’s Instagram page to check out their aesthetic, and responded back with my rates. I was not asked to log into my Instagram account and enter my password and username (other influencers who received a similar phishing email were prompted to log in), but I was already logged into Instagram on my browser. This was where the hack happened.
Here’s a look at the exact phishing email so you can be on the lookout for it and avoid it like the plague, as well as the three signs that I should have spotted and will now be paying close attention to in emails going forward:
- Email address. The email address was [email protected]. This should have been a red flag to me, but I was hurriedly rushing through my inbox and I didn’t even look at the sender’s email. To be fair, I’ve also received legitimate emails from smaller businesses that are from an individual marketing person’s gmail account rather than a corporate email with the business’ URL before. And to be honest I’ve worked with people with way weirder names/email addresses than that before who were legit. 😂 However, going forward, if you’re emailing me from an address that is not associated with your company’s domain, it’s going straight into my spam box. It’s just not worth the risk.
- The link. While the Instagram link at first looked legit to someone rushing through their inbox, looking back on it I realize that Instagram links do not get shared in that format. When you directly link to an Instagram photo, it looks something like this: https://www.instagram.com/p/BlgQs5dAsjZ/?taken-by=wtfab when linking through a desktop, or this: https://instagram.com/p/BlgQs5dAsjZ/ when linking through the app. Either way, the link in the email with the photo_135 is slightly off, and should have raised another red flag for me.
- The URL when I hovered over the link. This is the most important part, and where the key learning lies. If you look at the screenshot, the link looks like an instagram.com URL. However, if I had taken the time to hover over the URL, I would have seen https://lindagram.ru/sheikeandco/ at the bottom left of my screen, which is obviously some phishing bullshit.
A few hours later, I received the following email:
And that’s when the panic set in. I immediately tried to open up Instagram to change my password, but received a notification that I had been logged out of my account. When I tried to log back in with my credentials, my username, email address, and phone number were all unrecognized, and no longer associated with an Instagram account. The hackers had changed everything associated with my account and login, and there was no possible means of recovery. I was completely locked out.
I immediately texted a girlfriend of mine who works at Facebook asking for her help. She told me to send her screenshots and details so far, and she shared those in an internal Facebook group, and created a security ticket asking for help as well. It was a Friday afternoon, and not a single person responded. We texted back and forth, and as I stalled, the emails from the hackers started escalating, and I knew they would be threatening to delete my account shortly.
During this time I was also doing as much research as I could in the influencer Facebook group that I’m a part of, and I saw that this exact same thing was happening to other girls in the group too. Some of them got lucky and had been able to recover their accounts by quickly changing their password before getting locked out. Others, like me, weren’t so lucky and were asking for help and suggestions on what to do to get their account back. And still others had been through the whole rigmarole and decided to just pay these bastards, and they did indeed get their accounts back.
I also started researching Instagram’s Help Center, which proved to be maddeningly useless. There is absolutely zero support for someone who has been hacked. There is no one to reach out to, and their best advice if you’re unable to log in is to make sure you’re typing your email address or username correctly. They do have a form you can fill out so that they can “hear about your experience” if you think you’ve been hacked and are still having trouble logging in. Not exactly helpful in a time of crisis. I submitted my info to that form and still haven’t heard back. And after posting about my experience on Insta Stories I had another blogger reach out and share that it took Instagram five weeks to help her get her account back after it was hacked. FIVE WEEKS. When I think about the sponsored campaigns I’ve committed to over the next five weeks, and the $$ I’d lose out on if I didn’t have my Instagram account it makes me both sick and infuriated.
At that point, I decided to pay the ransom. They were asking for $800 and I was able to negotiate them down to $300. But they wouldn’t accept any form of payment other than Bitcoin (I tried to get them to agree to a wire transfer, and they gave me a half-complete address of a bank in Ukraine that wasn’t going to cut it). They sent me a couple of links to websites like coinmama.com where you can make an account and buy Bitcoin, but in order to set up an account you have to get verified. I had to send photos of my driver’s license, and photos of myself holding my driver’s license and a written note with “coin mama” and the date on it. I felt sick jumping through all these hoops just so I could send these assholes encrypted currency. But jump I did, and after sending all those photos I received an email saying that my account would be verified within 24 hours. 24 hours?? I tried to explain to the hackers that I was waiting to get verified, but they were growing impatient and more threatening. I was getting panicky again, and I just wanted all of this to be over. I had the idea to call my cousin, whose husband is super knowledgeable about Bitcoin, to ask if he could send $300 worth of Bitcoin to the hackers on my behalf. This led to a four-way call with my cousin, her husband, and his friend who had Bitcoin readily available (shout out to Greg for comin’ through and helping a stranger out!!).
Once the Bitcoin was sent, the hackers said I’d have my account back in 30 minutes. I waited. An hour passed. Two hours. I kept following up with them asking what was taking so long, but they had suddenly gone dark. Their original email said they would give me my account back within 10 minutes of payment. What was going on? Had they lied and already sold my account off to someone else? Did they screw up because they’re fuckin amateurs and they’ve already lost and deleted my account? I knew they had given other girls their accounts back once they had paid, but did they just randomly decide to screw me over? I tried to be patient, but these thoughts were bouncing around and my intense anxiety grew with every minute that I didn’t hear back from them. Omied and I played Uno for like an hour to try to take my mind off of this horrible situation. 😂 Finally, four hours later at 12:30am, they sent me my log-in information. Praise be. 🙌🏼
What to do if your Instagram is hacked
Try not to panic. I know, much easier said than done, but you’re going to need a clear head to deal with this crappy situation. When I saw the email that my account had been hacked, my head immediately started spinning and I felt like I was going to throw up. I took a couple deep breaths, and told myself to remain calm and try to focus. I mentioned earlier that I tried to open my Instagram app and reset the password, but I was already locked out. Some girls were able to do this though, and who knows, it could have been a matter of a few seconds that they were able to get their password reset before the hackers realized they hadn’t changed all the account details properly.
Save your handle. For a couple years my handle on Instagram was @wtfab1, because some abandoned account with a couple photos had @wtfab. When I saw they had finally deactivated their account, I was so excited to scoop up @wtfab and ditch the “1.” The way these hackers worked was that once they got into your account, they changed your username to something with a bunch of random numbers at the end (mine was wtfab_1809r) and deactivated it so that you wouldn’t be able to find it (note that deactivating your account is not the same as deleting it, because you can reactivate it). Since my account had been changed to @wtfab_1809r, @wtfab was no longer a profile and could have been up for grabs if someone happened to want it. So I set up a separate Instagram profile with my personal email address and took the handle @wtfab, so that no one else would be able to. After the hackers gave me my original profile with the new @wtfab_1809r handle, I was able to change my @wtfab handle to @wtfab1235 so that my original profile could go back to @wtfab. Hallelujah.
Reach out to Instagram. You’ve got a few options here. If you know someone at Facebook/IG, ping them madly like I did to see if they can help. You can also fill out the “we’d like to hear more about your experience” form within the app, but again other influencers were either completely ignored as well, or it took weeks to get a resolution.
Weigh your options. For me personally, $300 was absolutely worth getting my account back. And while I know you’re not supposed to negotiate with terrorists, all I wanted was for this nightmare to be over. I knew from the influencer Facebook group I’m in that other girls had received their account back once they paid, and since Instagram wasn’t responding/helping me, I decided to pay. Other girls were holding out and making the decision to not pay and hope that Instagram would be able to help them. One girl told me this was the best exercise in patience she could ever practice. 😂
Report the URL to Google. Google has a site where you can report phishing sites here. I’m planning on doing more research internally at Google to see if there are any other recommended steps when reporting a phishing site, or anything else that can be done.
Have 2-step on. Have 2-step verification on for all of the things. While it didn’t help in this case, Instagram is working on building a non-SMS 2-factor auth, similar to what Google already has with the Google Authenticator app.
Watch out for suspicious links. Be hyper-vigilant. Gone are the days where I’d try to breeze through my emails in an effort to get my unread emails number lower without paying serious attention to the sender’s email and all of the links (and links shown at the bottom of screen when you hover over a link).
Protect yourself from SIM-swapping hacks. I don’t actually think that a SIM-swapping hack was used in my case—I think my browser session was basically stolen and the hackers were able to access my Instagram account that way because I was already logged in on Chrome—but through my research from this unfortunate incident, I found a few recent articles about how to protect yourself against SIM-swapping hacks. Here’s another article about it if you’re into some light reading on how fucked phone hijacking is and preventative steps you can take.
Instagram needs to step up their game for influencer support. When all of this went down, I felt completely helpless and alone. Looking back at the browser I had open when I started to try to find a way to get help, I have a disgusting amount of tabs open from clicking through Instagram’s help center, old forums, Facebook groups…you name it. Besides the loop of Help Center pages that would lead right back to where I started, some of Instagram’s Help Center pages seemed outdated. For example I got excited when I saw this page, which states that you can reset your Instagram password through Facebook if you had previously linked your accounts. “I had my accounts linked!” I thought. “This may be IT! This may be how I beat these Ukrainian jerks who are extorting me!” I frantically went to my app to follow the instructions. Only the Help Page says, “To reset your password, first open the Instagram app. On the login screen, tap Get help signing in below Log In.” Yeah, there is no “Get help signing in” to tap on these days. There was a Facebook icon with the words “Continue as Elise Armitage Arvin” next to it, but when I tapped that and hit log in, nothing happened. Beyond frustrating to think you have a fix and then be back to the drawing board.
And that’s just one of many examples of how Instagram’s “help” was incredibly frustrating and non-supportive. Here’s another maddening pathway you take when you try to get help from Instagram. Within the app, I tapped on Report a Problem > Spam and Abuse > Hacked Accounts. The section “I think my Instagram account has been hacked” is beyond useless. They give two options:
First of all, there is no “get help signing in” to tap on the login screen.
Option 1 for iOS doesn’t help me—the hackers changed both my name and my email. When I tap on “learn more about what to do if you don’t know your username,” I’m brought to an insultingly stupid page about how I should retype my username to make sure it’s spelled correctly. Not helpful while I’m being attacked by Ukrainian assholes, Instagram.
Option 2 frankly doesn’t make any sense to me. If my username and email were changed by the hackers, how does trying these steps over again help me at all? It doesn’t.
There’s a link at the end to fill out a form if you’re having trouble accessing your account, but I know from other Instagrammers who have DMed me after this experience that they were responded to with a bot. A freaking BOT. I know we’re really into AI these days, but we’re just not quite at the point where a bot response is going to actually be helpful in a time of crisis.
After posting about this horrible experience on my Insta Stories I received so many DMs that were a combination of messages of support and commiserating. Many bloggers messaging me knew several other influencers who had also been hacked last week. Others had their own horror stories like their Instagram account being held for a $10k ransom, or having other issues with their account and no one ever responding to them. The girl who had her account hacked and stolen for five weeks was going around in circles with their support team (I mean, I guess at least she actually got a response?) for that period of time, sending them several photos of herself holding written notes to confirm her identity; however, they kept resetting the password to the wrong account (she had done exactly what I did, which was to reclaim her original handle when the hackers changed her username). They told her this was a different account, and they could only handle issues for one account at a time. Are you kidding me? How hard is it to see that this is one issue and the poor girl is just trying to save her original handle?? This. Is. SO. Messed. Up. And while I appreciate that Instagram is working on a non-SMS 2-factor to up their security game, hackers gonna hack, and people’s accounts will still get compromised. I’m sure it will be far fewer accounts thanks to this new security patch, but security is only half of the equation. Aside from security, I want to know: How is Instagram going to provide better support for its influencers, who work tirelessly day in and day out to contribute to the platform and are part of what makes Instagram so successful? Our content and audience should not be so vulnerable that it can be taken away in an instant. Even if there was just some guidance to help us make a good decision about what to do in a horrible situation like this, that would at least be slightly more helpful.
I had no idea if it was even possible for Instagram to help me get my account back if the hackers deleted it, and neither did my friend who works at Facebook. While some of the help pages said that if you delete your account there is no means of recovery, let’s be real, I’m sure Instagram does have the necessary data and backups to make that happen and could do it, I just don’t know if they would do it to help me, and that’s just not a chance I was willing to take.
Now, on the one hand, I get that there are 1 billion monthly users on the app. But on the other hand, why does an app with such a huge user base not have some kind of triage system in place and a better help center to help you navigate and know the next steps after you’ve been hacked? From my perspective, there needs to be some kind of commitment to its users. For example, if you have a business account (which requires a linked Facebook Page), and your account is hacked, Instagram should commit to helping the rightful owner get their account back. If there was some kind of written commitment like that, I wouldn’t have paid the ransom. I’m not even asking for a time commitment here. Just some kind of clear communication that affirms that if your account is hacked, stolen, and deleted, we’re on it and we’ll work with you to make it right. This would have given me the confidence to give the middle finger to the people holding my account for ransom. Based on my experience and all of the DMs I’ve been receiving, Instagram has a long way to go in providing some kind of helpful support, rather than replying with a bot, sending people in circles, or just straight up ignoring people.
Frankly, just texting my friend at Facebook and knowing that at least one person who worked there gave a shit about my account and was trying her best to get me some kind of help was comforting. Feeling lost in the Instagram abyss while your whole digital brand flashes before your eyes is beyond sickening.
So Instagram, how are you going to support your influencers? How will you make sure that this insane extortion stops? How will you keep your users safe? Wells Fargo is already running awkward ads about how they’re “recommitting to its users.” And we’ve all seen Facebook’s awkward AF commercials about “getting back to what matters.” I’d like to hear your game plan.