My Instagram account was stolen — yours could be next

10 days ago my Instagram account was stolen. It isn’t obvious how this has happened and Instagram have failed to respond.

I use the word stolen rather than hacked deliberately. Partly because of the way in which I believe this to have been done and partly because of the way it made me feel — something of mine, that I’d cultivated, had been taken away.

steal
/stiːl/
verb
take (another person’s property) without permission or legal right and without intending to return it.

WTF?

I realised something was wrong when I opened the Instagram app on my phone to check the feed. I was logged out, which was unusual. iOS 10 had recently been released and a few apps had logged me out so I thought it must be due to an app update. No huge drama: head over to LastPass, copy my password and sign in again. Incorrect password.

Tried password reset. No dice.

WTF?!

Look to my profile page to check it…oh dear.

Pictures of my family had been replaced by a blank page, a dubious script kiddie name and a blank follower count.

Over to Instagram

In the early days of Instagram (I think) their account sign-up was linked to Twitter so I was given my Twitter handle — @_o. I’ve been offered lots of money for the account and I receive daily “password reset requests”. As a result of this interest, I used a LastPass-generated long password. By any measure this was “secure” (many, many millions of centuries to brute force on a large array of dedicated machines). I also used an Instagram-specific unique email address. In the absence of multi-factor authentication, I thought I was being as careful as I could.

Since the password on the account had been changed the only thing I could do was to submit a form to Instagram. Immediately after the form was submitted I received an automated email asking for more details. I replied with more information and waited…

…and waited…

…and waited.

That was over a week ago.

So how did this happen?

When I first realised my account had been stolen I immediately thought back to the case of Mat Honan, whose family photos were wiped because someone wanted his @mat Twitter handle. I dashed around my digital life checking whatever I could to see if I was about to be “wiped”.

Hacked my email

Looking at the Gmail access logs, it doesn’t look like my email account was accessed from a location that wasn’t one of my devices. I also have the “Show an alert for unusual activity” setting turned on so I suspect I’d have received a notification if someone had actually been able to access my email.

If someone had managed to gain access to my email, I’m sure they would have changed the password and had a far more fruitful adventure than simply stealing my Instagram account.

Brute force

As I mentioned, I used a very strong password so this seems unlikely. They would also have had to guess the email since I didn’t use that email anywhere else.

Firesheep-style hijacking/OAuth/Phishing

I suppose it’s possible that someone could sit on my wifi network and hijack my accounts. But when one considers that I work from home and home looks like a scene from James Herriot, I think that’s pretty unlikely.

I don’t remember what apps I’d linked to my Instagram account so can’t be sure. Presumably, I had Twitter linked (given the way I first signed up) but won’t have had many others. I didn’t use any management tools or post to Instagram from 3rd party apps so this feels like an unlikely source.

Social engineering

When I think of Mat Honan’s case, some kind of social engineering seems the most likely source of the breach. How could that happen though?

As far as I can gather the email address on the account wasn’t changed before the password (I received the post-breach “we’ve changed your password” email). So presumably the thief would have had to send an email from a different account and explain why they’ve lost access to “their” account. If this is the case, it seems that Instagram have some work to do on their account verification process.

I’ve asked Instagram to shine some light on how I lost control of my account. I strongly suspect this is a one-off attack so perhaps I’m at risk elsewhere. They’ve not responded to my email so I’m still in the dark. Until they explain how this happened, I think it’s entirely possible that your account could be stolen next.


If anyone at Instagram Engineering is listening, finding the source of/method used in this breach could prevent similar episodes for high profile accounts when the egg:face ratio would be considerable. I’m happy to help in any way I can …and of course, it would be great to have my account back :-)
