My Instagram account was stolen — yours could be next

James Docherty
5 min read · Oct 12, 2016


10 days ago my Instagram account was stolen. It isn’t obvious how this has happened and Instagram have failed to respond.

Update, May 2019: My account has been suspended for pretending to be someone else. Get the full story (so far) here: https://medium.com/@_o/my-instagram-account-was-disabled-for-violating-our-terms-except-it-wasnt-129adec50a77

I use the word stolen rather than hacked deliberately. Partly because of the way in which I believe this to have been done and partly because of the way it made me feel — something of mine, that I’d cultivated, had been taken away.

steal
stiːl/
verb

take (another person’s property) without permission or legal right and without intending to return it.

WTF?

I realised something was wrong when I opened the Instagram app on my phone to check the feed. I was logged out, which was unusual. iOS 10 had recently been released and a few apps had logged me out, so I thought it must be due to an app update. No huge drama: head over to Lastpass, copy my password and sign in again. Incorrect password.

Tried password reset. No dice.

WTF?!

Look to my profile page to check it…oh dear.

Pictures of my family had been replaced by a blank page, a dubious script kiddie name and a blank follower count.

Over to Instagram

In the early days of Instagram (I think) their account sign up was linked to Twitter so I was given my Twitter handle — @_o. I’ve been offered lots of money for the account and I receive daily “password reset requests”. As a result of this interest, I used a Lastpass generated long password. By any measure this was “secure” (many, many millions of centuries to brute force on a large array of dedicated machines). I also used an Instagram-specific unique email address. In the absence of multi-factor authentication, I thought I was being as careful as I could.

Since the password on the account had been changed the only thing I could do was to submit a form to Instagram. Immediately after the form was submitted I received an automated email asking for more details. I replied with more information and waited…

…and waited…

…and waited.

That was over a week ago.

So how did this happen?

When I first realised my account had been stolen I immediately thought back to the case of Possibly Mat Honan when his family photos were wiped because someone wanted his @mat twitter handle. I dashed around my digital life checking whatever I could to see if I was about to be “wiped”.

Hacked my email

Looking at the Gmail access logs, it doesn’t look like my email account was accessed from a location that wasn’t one of my devices. I also have the “Show an alert for unusual activity” setting turned on so I suspect I’d have received a notification if someone had actually been able to access my email.

If someone had managed to gain access to my email, I’m sure they would have changed the password and had a far more fruitful adventure than simply stealing my Instagram account.

Brute force

As I mentioned I used a very strong password so this seems unlikely. They would also have had to guess the email since I didn’t use that email anywhere else.

Firesheep-style hijacking/OAuth/Phishing

I suppose it’s possible that someone could sit on my wifi network and hijack my accounts. But when one considers that I work from home and home looks like a scene from James Herriot, I think that’s pretty unlikely.

I don’t remember what apps I’d linked to my Instagram account so can’t be sure. Presumably, I had Twitter linked (given the way I first signed up) but won’t have had many others. I didn’t use any management tools or post to Instagram from 3rd party apps so this feels like an unlikely source.

Social engineering

When I think of Possibly Mat Honan’s case, some kind of social engineering seems the most likely source of the breach. How could that happen though?

As far as I can gather the email address on the account wasn’t changed before the password (I received the post-breach “we’ve changed your password” email). So presumably the thief would have had to send an email from a different account and explain why they’ve lost access to “their” account. If this is the case it seems that Instagram have some work to do on their account verification process.

I’ve asked Instagram to shine some light on how I lost control of my account. I strongly suspect this is a one-off attack so perhaps I’m at risk elsewhere. They’ve not responded to my email so I’m still in the dark. Until they explain how this happened, I think it’s entirely possible that your account could be stolen next.

If anyone at Instagram Engineering is listening, finding the source of/method used in this breach could prevent similar episodes for high profile accounts when the egg:face ratio would be considerable. I’m happy to help in any way I can …and of course, it would be great to have my account back :-)

Update: 2/12/16

It’s been two months, lots of emails and Googling and I finally have my account back (for now).

During those two months I repeatedly completed the “Report a hacked account” form. Sometimes I had an automated response from Anton or another name beginning with A (I’m assuming this is an internal joke that their automated systems’ personas have the initials A.I.). When I did get a response, it stated that I hadn’t given them the correct email that was used when the account was created. Since the account was created several years ago, I couldn’t be sure, but I tried every option I could think of. In the end, I presumed that the original details were changed as part of the hack. At this point I decided to send an email with all possible combinations and hope that either an AI was filtering the emails for a match or a human could make sense of the logic. A week after this email, I received the email I’d been waiting for…my password reset link. Yay!

What I got back

When I logged in to the account, the follower and following counts had been returned to a state I can only assume was snapshotted before the hack. Sadly, all my photos have gone. I do have most of the originals (thanks to iOS’s ‘Instagram’ photo folder) but I can’t figure out a way to post retrospectively to recreate my timeline.

Not quite there

Since the account was hacked, I’d like to get two-factor authentication (2FA) turned on. Oddly, despite the hack, my account doesn’t pass the “we think this account might be high enough risk to turn on 2FA” test so I haven’t got that option.

Until I am able to get 2FA, I’m not posting anything I don’t mind losing to the account.

Sadly, for those of you who have also seen your accounts hacked and are looking for a repeatable solution, I have no good news. My reinstatement appears to have been random.
