Here today, gone tomorrow: The experience of being hacked on Instagram
It was a Saturday morning, around 12 noon. I sat on the couch, opened Instagram, and began browsing stories. I happened upon a contest hosted by SBC Skier magazine’s account, which boasts its status as “A vessel for Canadian ski culture. 📖 Celebrating the past, present, future, industry, and the people.” They’re a trusted account I’ve followed for several years, and they publish images of mountains and people skiing, which is all I need. As of May 2022, SBC Skier’s Instagram account had 6776 followers, including professional skier Mike Douglas. Back to the contest.
The emoji laden post asked “An ex-police officer 👮🏻♂️lost his house 🏡 his car 🚗 and his girlfriend 🙋♀️. What did he lose first? The winner gets $500. I thought about the question and decided that he had lost his mind first, deducing that a mental breakdown caused an error in judgment and his ultimate downfall.
I couldn’t get a screenshot of this contest but was able to secure a similar example of another contest the next day:
“That’s correct” the person on the other side replied almost immediately. This led to an exchange whereby they asked me how I wanted to be paid and gave me the option of Paypal, bank transfer, or money order. I opted for a bank transfer, then proceeded to give my email address. They then asked me for my phone number so they could send me a verification link via text message.
I sent them a screenshot at their request of the code they texted me and was instructed not to click the link. Another red flag in hindsight. It was an Instagram account recovery link.
“Should I just wait patiently for the money to go through?” I asked naively. No reply.
After waiting around for about 10 mins, I gave up and went for a walk. During my walk, I checked my Gmail and noticed three new emails from Instagram. The first email had the title: “New Login to Instagram from Instagram on Apple iPhone”, the title of the second email read: “Two-Factor Authentication is on”, and the title of the third email read “Email removed on Instagram” This was when I realized I had been hacked and began feeling confused, frustrated, and terrified.
I was unaware that I had not enabled 2-factor authentication. If you look closely at the middle larger image above, you can see Instagram gives its users reassurance by saying “If this was you, you can safely disregard this email. If this wasn’t you, you can secure your account here.” It wasn’t me. However, when I tried clicking the link, it had already expired.
I then followed Instagram's help page recommendations in a vain attempt to recover my account, to no avail. Because I wasn’t checking my phone, I missed Instagram’s 30 min link lifespan by 1 minute.
Back to SBC Skier. An interim account was created to message SBC Skier to see if there had been some kind of mistake. That account was subsequently blocked.
I’ve reached out to employees of SBC Skier magazine via contacts on their website, and have not received a reply. I’ll update this post when I receive a reply.
What is going on here? Has the SBC Skier Instagram account been hacked?
Will Instagram be able to help me recover my account? Is this related at all to SBC Skier? Who is managing the SBC Skier account? Why is it so easy for someone to hack another person’s account? Do I miss Instagram? Kind of, not really. Can I live without it? Definitely. Do I want my account back? Yes.
To the sleuth who hacked me: insert Liam Neeson meme.
Update: I’ve established contact with the editor for SBC Magazine, they’ve confirmed that their Instagram account has been hacked, and they’re actively trying to resolve the issue.
