It’s Friday afternoon and you’ve got some time to kill. You log in to your Instagram account, only to find that someone else – some other you – has already logged in and locked you out.
It’s no fun when someone changes the keys on one of your accounts, and not just because you’re missing the latest “Squid Game” meme. Unlike this year’s worst ransomware attacks and nastiest COVID scams, which are usually ends in themselves, the Instagram account takeovers happening today are often the means to a darker end.
The intel on the latest round of Insta hacks suggests that Insta grifters are using hacked accounts as pawns to gain access to their followers. In other words, they break into your account and then use it to expose a much larger group of victims to their malware.
You’re reasonably careful, as in you don’t have passwords like 12345! or SHIALEBEOUFISGOD. You use a VPN when you’re connecting to the internet in public. You don’t click on random links in emails or SMS you’re not sure about.
All good. But in the case of September’s four-fold spike in Insta attacks, it might not be enough. IG fraudsters may have already had your data from the last monster Facebook data breach back in 2018. Remember, IG logins go for $45 a pop on the dark web, a pretty safe investment when you consider that the average IG user has 150 followers.
As long as the cybercriminals haven’t broken into your email or SIM-jacked your phone, one of the following steps should have you covered.
You may be lucky. Instagram may have sent you an email address change notification that you didn’t see. So, first of all, if you suspect some Insta fishiness, check your inbox for an email from firstname.lastname@example.org. If you didn’t request an email address change, click “revert this change.” That should be the end of the Insta thieves.
If the fraudsters went the whole hog and changed both your email and password, which is likely, you’ll need to request a login link. You can do this by asking Instagram to send you a login link via email or SMS. Just tap “get help” on the login screen to start the process. Again, the hackers won’t be able to intercept the link unless they’ve taken over your email or SIM card. IG will lead you through the rest of the process.
If the login link method doesn’t work, you can ask Instagram support to send you a one-time security code by following the same instructions on the login screen.
So a cyber scammer took over your IG account and you lived to tell the tale. It’s not the end of the world. I mean, you could have lost your Social Security number in the latest mammoth T-Mobile data breach.
But still, fraudsters broke into one of your accounts, and it doesn’t feel good. Here’s what you can do to make sure it never happens again.
OK, this is Digital Hygiene 101. If you don’t have two-factor authentication set up for your IG account already, you should do it now.
With 2FA, no one can log in to your account without a one-time password (OTP) sent either via email or SMS. So that thief who snuck past your radar, got into your account and changed your email because you missed the change-of-address notification? With 2FA that can’t ever happen.
A lot of us set up 2FA with email or SMS notifications. This is a lot better than nothing. But as the folks at Apple have shown us with their latest awesome iOS privacy upgrades, the safest way to use 2FA is with a free authenticator app like Authy or Google Authenticator.
Normally, I’d just recommend a good free password manager like Firefox’s Lockwise or Google Password Manager. They’re free and secure ways to store strong passwords right in your browser.
But the IG imposters mentioned previously were harvesting breached data, meaning that it really didn’t matter how strong the password was because the hackers stole it from Facebook, not the user.
In this case, not even a subscription password manager like 1Password would notify you until the breach went public. But a best-in-class identity theft protection service would alert you, because it would be crawling the dark web for your credentials 24/7. As soon as your login info went up for auction on the darknet, you’d get a message on your phone.
Game over for the Insta crooks.
Many of us are savvy about avoiding third-party apps on social media platforms like Instagram. It’s 2021 and it’s practically a Pavlovian response from past bad experiences. You downloaded an app, Facebook didn’t protect your info, and your data went up for sale, maybe not on the dark web, but to a Purdue-sized data farm. Not a good feeling.
But you should be careful with any third-party apps. After all, the GriftHorse hackers conned 10 million users out of over 100 million dollars in broad daylight with apps for sale on Google Play.
So, along with two-factor authentication and ID monitoring, be very selective in the apps you download onto your devices, and be even more careful about giving any sensitive details or permissions to those apps.
Getting scammed is no fun, especially when the scammers are using your profile to scam your friends and followers. But the good news is that, while you can’t control who breaks into Facebook, you can easily stay one step ahead of Insta crooks. All it takes is a little proactive digital hygiene.
The most important step you can take against app hackers is to toggle on 2FA. They simply won’t have any way to worm into your account that way.
Then consider an ID monitoring service. You’ll get advance warning if any of your logins ever do go up for sale on the dark web.
Finally, download third-party apps sparingly. They could be harboring malware, even if you found them on Google Play or Apple’s App Store.
Oh, and if you did get hacked and do get back into your IG account, make sure to let your followers know what happened. The IG fraudsters used your followers to commit their crimes. You can use those same numbers to put them out of business.