How my account was hacked — an involuntary user test and true story
Dear Instagram, I have a new business idea for you, and it’s called customer service. Well, the concept is not exactly new. When Tim Berners-Lee laid the cornerstone for what we today know as the Internet, he was all about making communication and connection easier, more effective, and enjoyable for everybody. This basically translates to what we now would call UX or User Experience Design. So in a way, it’s the very basis of the Internet and not new — but seriously, Instagram, you should give it a try.
Recently, my Instagram account was hacked. It’s a rather small one, with around 2200 followers as of today. Called @dailyperfectmoment, it’s my visual diary as a collage artist, and it’s nothing with a commercial background that you would consider “worthwhile”. But it’s part of a great, troll-free, and always supporting community that became especially dear to me when we all went into COVID-19 lockdown. Besides getting offers for interviews or books or artist collaborations, it’s the contacts that were more important to me than a few years of my work as an artist.
The hostile takeover
And then, I got hacked. And blackmailed. The hackers wanted €150 — a sum well-chosen because you really start to consider whether it’s worth it to pay. But first, I didn’t want to negotiate with terrorists. And second, as a huge believer in customer service, I thought that Instagram could help me to get my account back. Boy, how naive I was.
Initially, it even looked good. I received an automatic response from Instagram that my password was changed and that I should let them know when I didn’t ask for it. Well, that’s how I understand good UX — something goes wrong, but they notice it in real-time and give you clear instructions about how to solve it. Except that they didn’t solve it, like — at all.
While I was optimistically clicking the Instagram text link “let us know”, the hackers had changed the email address and phone number in my account and set up the two-factor authentication. I received an email from Instagram in Turkish to inform me of the fact that they had given all this to an unknown user in Turkey. Btw, that’s why PayPal or other companies send you confirmation codes when you’re about to make major account changes. Or log in from a completely different location (this is good UX, too. Just saying).
Was Instagram joining the Dark Side?
Meanwhile, I had checked tons of links and YouTube videos for help, but strangely enough, not a single one, even from 2022, fit the screens I saw in front of me: Instagram had changed their interface frequently, and not by a small amount. This seemed a bit fishy to me.
UX teaches you that even small changes can have a huge impact, so you don’t do it lightheartedly and without a need (and a lot of user testing). Famously, a larger e-commerce site had changed the text of a single button and increased the site’s annual revenue by $300 million*. But in the same way, you can lose 300 million dollars (or customers) with a single change done wrong. So, what was Instagram up to with all these changes? This is the first time I started to think of dark patterns in the UX or user experience. Think of it as a dark plan to reach a secret goal without leaving obvious links or traces. Did I just see Instagram switching to the dark side of the force?
UX is also a lot about research and hard facts. Never go for an assumption, always trust the data. Therefore, if all the changes Instagram obviously had done during the last years had led to an easier or better user process or “flow” to get a hacked account back, all the changes were done to improve the user experience. If not, there must be other reasons. Maybe not exactly dark ones, but at least ones that served other purposes than the user’s needs.
Highly suspicious error messages
This is when the first error message occurred. What? Error messages shouldn’t happen at all. They are a sign that something has gone wrong, and usually, extended user testing (“usability testing”) is done before launching a new product or feature to eliminate any possibility that something could go wrong. While still desperately trying to get my account back, I started to collect Instagram’s error messages. Plural. One might be by chance (life is wild, s*** happens, and never underestimate a user’s capability to come up with a crazy way to use your app, and that well includes me). But if there are several error messages, and at certain points of certain processes, that’s a pattern. And in this case a pretty dark one.
What Instagram does — and obviously intentionally, you can’t have such a bad UX by pure chance — is keeping customers from going through the process of reclaiming their accounts. Let’s have a look at the error messages to see a bit more of the dark patterns.
Dark patterns, example 1
Instagram offers certain steps to restore your account. At least theoretically.
Instagram sent me recovery emails for a different one of my accounts (for which I had used the same email address). After trying to do this three times, the screen with the recovery option just wasn’t available anymore. Wait, I thought, the most promising option is gone without an explanation or offering me a different one?
From Instagram’s point of view, it makes absolute sense, because that keeps users from flooding them with the same emails again and again. An easier — and way more customer-friendly version — would be to come up with a process to help users get the job done, so they don’t have the need to send you tons of desperate emails. Thus, from a user’s perspective (mine) this was a pretty unfriendly user experience.
Dark patterns, example 2
Next try: recovery codes! If you’re lucky, you’ll find a screen where Instagram offers to send you a recovery code to restore the account. Sounds like a no-brainer, but this, too, was a pattern that led to a lot of frustration. Instagram even came up with several ways to screw this up. First, they managed to give you no hint about whether your action was successful. Good UX means that you click that “send me a code” button and get some kind of feedback that the message was delivered. Either as a new screen or a little message popping up, or a visual representation like a loading icon on the button — you get it. The user understands that the task is done. Instagram doesn’t have any of this. You press the button, nothing happens, you press again — and this means you’re already lost. Because Instagram expects the second code while you’re typing in the first code you received (at least that’s what I thought … I tried the same procedure a few days later, had learned my lesson, and waited — and still received just another error message. They just don’t make the codes work).
Then, after a few tries, Instagram just stopped sending a code. Again, without offering an alternative or giving an explanation or warning. You’re going on to press the button and nothing happens. Do you remember Pavlov’s dog? This is classical conditioning. In the end, you learned your lesson and stop sending emails.
Dark patterns, example 3
Another dark Instagram variant works like this: You click on “send me a code via SMS”, but they just don’t. You’ll wait for an hour, or two, but no SMS. Or you click the same SMS button and Instagram tells you they sent you a code via email. This makes a huge difference when extortionists have hacked your account, and they will be the ones to receive this email. And then, Instagram returned to its old tricks and stopped reacting at all, and I ended in another dead end.
Communication with my blackmailers
Meanwhile, I was communicating with my blackmailers. They had deleted all 1200+ posts from my account after I refused to pay. But then, they received all the emails Instagram had sent to them instead of me when I asked for a code. So they knew that I was still fighting for my account, and they contacted me again.
First, I beat them down from €150 to €50 (if you negotiate with terrorists, at least beat them down). But I didn’t want to make it easy for them. We started to have long conversations via WhatsApp. Because, you know, Instagram had asked for my phone number for “security reasons” and after they had hacked my account, the blackmailers also had my WhatsApp number. I said I wanted proof that they were able to restore my deleted account, so they did it. I still didn’t have access, but all my posts were there again!
I still waited for Instagram to answer my requests in any way. A few days into all this, I started writing messages directly to Instagram, asking for help. Somewhere I had read that it might take one or two weeks for a reply, so I thought it was just a matter of time. So in the beginning, I described my situation and asked for help. No confirmation mail or anything (which would have been another UX basic standard), then I wrote daily reminders like “Hi, it’s me again. I just wanted to tell you that I’m still getting blackmailed and threatened and need your help to get my account back.” And never heard a single word back.
Rescue in sight?
One and a half weeks after the hack, I had finally lost pretty much all hope that Instagram would help. But then a miracle happened: someone in my network came up with good news. He had recently met a Meta programmer at a fetish party (never underestimate the perks of having small talk with a stranger with mutual interests). Meta is Facebook’s mother company, which owns Instagram. This was the closest source to a solution! I was thrilled.
It was Friday evening, and the guy said he couldn’t reach anyone before Monday morning. So I started to buy myself some time with my blackmailers and told them that I’d be offline to spend the evening at my sister’s birthday party (a blatant lie).
My polite extortionists wished me a nice party. Maybe I was starting to develop Stockholm Syndrome, but it was way more entertaining and nice to communicate with my blackmailers than all my futile attempts to get any response from Instagram.
Dark patterns, example 4
I waited until Monday, but then, the Meta programmer’s advice was just to try the Meta help section for recovering my Instagram account. Since I’m avoiding Facebook at all costs, my accounts weren’t connected, so this wasn’t any help at all.
Meanwhile, I had tried my last attempt with Instagram recovery options. I found a screen where they gave you two options: you could upload a video of yourself, and an AI (artificial intelligence) would check your uploaded selfies for a match. Well, I don’t have a single photo of myself on @dailyperfectmoment, so I chose the other option (no photo uploaded), which looped me back to where I had been (I don’t have to mention that this is really, really bad UX, do I?). So I checked with the AI anyway. Or at least tried to.
UX is all about a nice way to inform your user that something went wrong, or is not possible — or to make things happen. The message I received was: “Hi, dear dailyperfectmoment, we loved your video, and scrolled through your complete feed with our AI (amazing feed, by the way!). But we couldn’t find a single photo of you (what a bummer!), so this option, unfortunately, doesn’t work for you. To help you get your account back asap, please try the following option (…). In case you still should have any difficulties, please contact our support (…), which will do everything to help you, day and night! Heads up, everything will work out fine in the end. Because we care.”
Just kidding. That would have been good UX, and of course, all I received from Instagram was just another error message that the video upload wasn’t possible.
How I got my account back
At any time of the process, I would gladly have paid for a carefree Instagram one-click recovery package. But finally, I gave up and offered my blackmailers €30. They accepted. End of the story? No. They wanted Bitcoins, which I didn’t have, so I offered PayPal (with the full knowledge that I could ask them to get my money back). They pretended that PayPal wouldn’t operate in their country, which made me think again that my blackmailers most probably were underage and very inexperienced.
The blackmailers had a functioning business model — extortion — but obviously, they weren’t prepared to get money out of it. They asked me to install a specific Bitcoin app. I gave it a try, but I couldn’t manage to get them the money. Then, they came up with a PayPal account, but my money transfer wasn’t accepted. Finally, I asked my brother-in-law to transfer the Bitcoins. They sent him a code, which wasn’t accepted either (“address invalid”). They sent three other ones I should try. In a way, it was funny to see them struggle — in the end, the €30 wasn’t easy money for them.
Finally, I got my account back, and I appreciate it way more after this adventure.
As of this writing, it’s day 92 after the hack, and still, I haven’t received a single word from Instagram. As the very last try to make them react, I activated the “someone is pretending to be me” feature, telling them that my blackmailer threatened to use my account for dark purposes and send fake DMs to my peers and family (which they actually did, I could have provided a screenshot). But still, no response.
Sometimes, deep into the night, the idea haunts me that Instagram finally would react — to that last message, by blocking my account.
- Takeaway: Don’t rely on Instagram to help you, ever. Change your password from time to time. Make sure you have activated the two-factor authentication. In the worst case, hope for nice blackmailers.
- @Instagram: About better UX: instead of all those dead-end user flows and the misleading different “send” or “get the code” buttons, just use one that would honestly, easily, and clearly communicate your support process to your users. Here’s my proposal for free, you’re welcome.
- Image source: Jon Tyson at unsplash.com