About once a day I get a message from someone asking for my help with restoring their Instagram account. Like me, they did all the right security things. They used two-factor authentication (2FA). They jumped through the hoops to restore their hacked Instagram account. None of it worked, so they ask me if I have a fix.
I wish I did, but I don’t.
Instagram hasn’t done one blessed thing to fix my hacked account. Six weeks into this, and neither Instagram tech support — if there even is such a department — nor public relations have said a word to me.
The more I look, the more it seems Instagram seldom, if ever, helps its users.
While this is really annoying, it’s not a big deal for me. I had fewer than 100 followers (unless you liked cat and dog photos and tech memes, there was little reason to follow me). It’s a different story, however, for many other users.
Businesses depend on Instagram for advertising and marketing. And when I say “depend,” I mean their account is essential for their business. Thanks to the pandemic, for example, many restaurants turned to Instagram to update their menus, schedules, and reservations. Without those, they’re dead in the water.
Many restaurants have resorted to paying ransoms to get their accounts back, since Instagram has — again — been useless. The only way some people have gotten their accounts back is because they have friends at Meta who could restore their accounts. Most of us aren’t lucky enough to have influential buddies at Instagram.
And it’s only getting worse. Secureworks Counter Threat Unit (CTU), for example, discovered an Instagram phishing campaign that targets business and influencer accounts. After gaining control, the hackers demand ransoms for each account. Typically, ransom amounts are in the dollar-per-follower range. If you have tens or hundreds of thousands of followers, that quickly adds up.
The attacks are increasing. Eva Velasquez, Identity Theft Resource Center’s CEO, reports, “In September 2021, we received four times the number of inquiries regarding hacked Instagram accounts than in a typical month, and we then saw an 80% increase in inquiries regarding Instagram account takeover from October to November 2021. January reporting saw the same number of inquiries as November; this is clearly an increasing trend.”
Yet Instagram has remained silent about this trend.
What can you do? First, dump Instagram. It doesn’t matter how popular it is if you can’t count on it. Other services and apps offer similar features, including Flickr, with its emphasis on high-end photos; Imgur, another photographic-centric service; Pinterest, an image-oriented social network; and Retrica, another photo-oriented service with many filters.
If you’re already committed to Instagram — and you haven’t lost your account — take steps to protect your data. That starts with always backing up your images; you cannot trust Instagram to preserve them or your account.
You must also do what you can to save your user community. Get their e-mail addresses, so you can contact them if something does happen to your account. That means you can warn them about the situation before they’re flooded with Bitcoin ads and never want to hear from you again.
Even though Instagram 2FA failed for me, I strongly suggest you turn it on. It’s better than nothing.
In particular, instead of using texting, aka SMS, for your second factor, use a third-party authentication app, such as Duo Mobile, Google Authenticator, or Microsoft Authenticator, to generate login codes. SMS 2FA can be hacked. I don’t know how my own Instagram 2FA account was hacked, but the more I look, the more certain I am that there’s something off with Instagram’s SMS 2FA implementation.
If someone tries to talk to you about your account and asks you to help them or click on some link, just say no. I don’t care how much it sounds like someone you know or someone from Instagram security trying to “help” you; ignore them. Never, ever click on a link from an unsolicited message. You can also report any dodgy messages to Instagram security.
Let’s say you don’t, though, and it looks like you’re losing your account right now. In that case, immediately take the following steps:
- Log in to your account at your login-activity page. You can also get there from the Instagram menu: Settings > Security > Login Activity.
- This should display a map of every location and device where you’re logged in. If you see a session you don’t recognize, tap it and hit log out. That should kick the hacker out of your account.
- Instagram should also request you change your password. Even if it doesn’t, change it. Do not — for the love of kittens — use bad passwords like your street address or your pet’s name.
- While you’re at it, be certain to check your registered email address and phone number. If they’re not right, you’re not out of the woods yet. Reset them immediately.
If that works, congratulations! You’re probably safe… this time.
But if you can’t change your password, e-mail address, and/or phone number, your account is already well on its way to becoming toast. And if your Instagram account is now saying your iPhone is in Moscow, it’s time to head to Instagram’s help pages for hacked accounts. Good luck with that; it didn’t work for me and too many other people I’ve spoken with in the last few weeks.
If that doesn’t work, you can try sending an email directly to Instagram tech support via a Facebook form. That didn’t work for me either.
I’m sick of Instagram. But if you also fail at restoring your account, you can always start a new account and direct your old followers to the new one. Let me warn you right now, though, that there’s every chance your account will be hijacked again.
Instagram simply isn’t trustworthy.