On Tuesday morning, I woke up to unusually early calls from my home country, Russia. It was 5 a.m. in Phoenix, where I am currently living, when my sister reached out to me to say that my Instagram account had been hacked. I had tons of messages on WhatsApp, Telegram, and Facebook and missed calls from people I haven’t spoken to in years. They all were mentioning the recent post on Instagram and asking, “Is it true?” Was what true? I couldn’t log in to my account, of course. Meanwhile, notifications from different messengers continued to come, raising the level of my anxiety.
I logged into an old account and finally was able to see what happened. Hackers had published a post that said my mom had been in a car accident and needed 200,000 rubles (about $2,500) for a surgery. They included information for people to send money to their bank account as well. But the worst part was in the Stories. There was a video from the intensive care unit with a crying female voice in the background. There were no people in the video, and it was impossible to identify the hospital, but many of my followers believed that it was me sobbing, and at least two of them sent money to the fraudsters.
Moreover, the hackers responded on my behalf in direct messages. My friend Ekaterina, who transferred $30 to the scammers, received a response: “I am sorry that I am pressing, but can you lend me $40 more till tomorrow?” At that moment, according to her, she understood that it was a scam. Moreover, Ekaterina told me that another friend was hacked on Instagram the same day, and fraudsters attached the same bank account for collecting money. The bank couldn’t return money to Ekaterina and redirected her to the police.
My other friend, Arseniy, wrote “me” in direct messages to say that he would transfer money. But before he did, his account was hacked, too. I can’t say for sure if it were the same criminals, but they did even more damage to Arseniy than me. In addition to requesting money for his mother’s imaginary surgery, they published images of his actual documents, including his passport. It took Arseniy two hours to regain access to his Instagram account and finally delete the harmful content. At one point, direct messages between his and my accounts looked surrealistic. He sent me a screenshot where “his” hacker is asking “my” hacker for help.
At least Arseniy was successful in getting back his account, which I can’t say about myself. Two days have passed since my account was taken over, and so far, all my efforts to get the posts taken down haven’t brought any results. Hackers have attached my account to another email address and unlinked it from my phone number. So every time Instagram sends me an email with the link to get back into my account, it goes automatically to the email I have never seen before. On the second day of struggling, I reached out to the customer support of my email service provider (it was a Russian service Mail.ru), and the employee recommended me to check spam filters. I was surprised when I found there two emails: firstname.lastname@example.org and email@example.com. It meant that hackers got an access to the email that was linked to my Instagram account as well. (Or more likely they first got inside my email and then into my Instagram—but at least they didn’t change my email password. Thanks?) Anyway they changed the settings so that all the letters coming from these emails get deleted immediately. I also discovered that scammers logged in to my account from IP addresses tied to Moscow and Kyiv.
Once I removed spam filters, I received the password reset code. But unfortunately, it was too early to celebrate the victory. When I entered that code, Instagram asked me to type into another one: from an authentication app. When you set two-factor authentication on Instagram, you receive a notification or are asked to enter a unique code every time you try to log in to the account from a new device. According to the Instagram website, the user chooses between two methods: “Login from a third party authentication app (such as Duo Mobile or Google Authenticator) or text message codes from the mobile phone.” I didn’t have two-factor authentication turned on (which was a mistake, as I realize now), and I guess the hackers, concerned for my security, set it for me. So, I suppose that every time I tried to log in, someone in Kyiv or Moscow receives a code, making it impossible for me to get back the access.
I was left with the only way to return my account: request support. I received a letter from Facebook (it owns Instagram) with a code and instructions, reminding me of some movie about ransom. I was asked to attach a photo of myself holding a hand-written copy of this code. I did it, but as of early Thursday afternoon Eastern, I still haven’t heard back from Facebook support or its press office, which promised to look into the situation.
Though many of my followers reported the scam post, it is still visible, and I still receive questions from people who worry. The good thing is that it turned out that there are a lot of people who are ready to help me. The bad thing is that they were taken advantage of, Instagram apparently is not doing enough to protect users from scammers, and I don`t know if I will be able to return my account. I learned at least one lesson, though: Set a two-factor authentication before hackers do it for you. That will be the first thing I will do when I return my account.