Watch the detailed, technical play-by-play of how I got my account back from hackers in 2.5 days in the Instagram Live at the bottom of this post.
I never thought this would happen to me! Here’s how I got back into my account in 2.5 days, and the one thing you can do to prevent this from happening to you.
We all know the saying.
If it seems too good to be true, it probably is.
Well, there’s another one.
We fall for scams when we want them to be true.
So here’s what happened to me.
Last weekend, I got a DM from Instagram that said I was eligible to get verified for a blue badge. You know, that blue badge that goes onto celebrity accounts?
I was overjoyed!
Yep, I’ll admit it. I was thirsty. It’s so embarrassing. I want Instagram credibility, and this DM brought me information I wanted to believe. I wanted to believe that I was eligible to get a blue badge on my account.
So, I asked for their form and filled it in with my handle, password, email and phone number.
Seconds later, I was logged out of my account and my stomach dropped.
I texted my husband: “I just did something very stupid.”
When we tried to log back in, it was clear the hacker had taken over the account and replaced my email and phone number with theirs, including a Nigerian country code.
If I had two-factor authentication installed on my account, this never would have happened!
Right now, install two-factor authentication on all the accounts you care about: social media, email, banking.
Once the hacker was in, he turned on two-factor authentication. So not only did I not know the password, but I could not supply the additional codes needed to get back into my own account.
This proved to be very hard to overcome, but I did.
First, I submitted a video selfie.
I had Googled and learned that Instagram offers a video selfie for those in my situation. You have to go through the log-in loop. Type in your handle. Then click “forgot password.” Then continue through, clicking “try another way” as needed. Eventually one of the choices is “I think my account was hacked.” You then turn your head several different ways (kind of like Face ID on your iPhone) for a video that’s submitted to Instagram, and you get an email saying your information was submitted.
Cool. Now wait.
The first day, I submitted my video selfie at 2pm EST. I received the email saying my information was verified late that night, at 12:30am. I was asleep. When I woke up the next morning, I also had another email from Instagram at 4am, indicating the hacker had changed the account’s email address. When I clicked on the link in the information verified email from Instagram, it no longer worked.
In other words, once Instagram verified my video selfie, the hacker went into my account and changed something which rendered the Instagram reauthorization link useless.
So, now I know 2 things:
- The hacker gets an alert when Instagram verifies my video selfie.
- It’s not automated because there was a 3.5-hour gap between the 2 emails. The hacker is a person who was sleeping.
So, I tried again.
I submitted a video selfie at 8am. I checked my email the entire day, and nothing. Literally, I was in church with my email app open, swiping down to refresh the app every 3 minutes. Nothing.
That night as I was sleeping, at 12:10am, I received that same email, indicating that Instagram had verified my selfie and here was another link to get back in. But, same issue. This time, the hacker had logged in at 12:45am and changed my Instagram handle, adding “s_” at the end of it.
My verification link didn’t work because the hacker had changed my handle.
So, I submitted a third video selfie that same morning at 5am.
Within 20 minutes, I got another verification link and it worked!
I got into my account. (Cue the cheering!)
I changed my password, handle, email and logged out a device in Nigeria. But I was unable to turn off their two-factor authentication and the hacker eventually logged me off.
Back to square one.
Except I wasn’t. Because I had learned more valuable information I could use.
Once Instagram sends me the verification email link and the hacker changes something in my account to make the link unusable, if I send a second video selfie before 6am EST, I get another verification email within the hour.
And I can be ready to jump in immediately, with a quick plan of action.
Here’s something else I learned: my hacker is in Nigeria. I Googled his time zone to learn that he is 6 hours ahead of me. As a former TV news reporter, I love investigating. So I got to thinking: if I’m a hacker, I’m probably up super late — you know, ruining lives — and probably don’t go to sleep until about 2am Nigerian time. And chances are, I probably don’t get up until 9 or 10am, which is about 4am EST.
Okay, so on to my next video selfie. I submitted it around 10am and knew my verification would come in sometime overnight.
That day, it became clear why the hacker wanted my account.
He took a photo from one of my feed posts, made it look like the wallpaper on my phone and shared this to my Stories:
First, can I just ask: What middle-aged mom of 4 has a photo of herself as her phone wallpaper? I mean, I’m all about self-love but even I have my limits.
I would find out later that about 25 of my followers DMed the hacker — thinking it was me — for more information. Remember, we fall for scams when we want the information to be true.
Three women lost a total of $3,000 to this scam. That I know of.
Including a woman whose husband just deployed and she was just looking to make some extra cash. It’s truly sickening.
So back to my video selfie.
I am hot on the trail now.
As expected, Instagram verified me overnight. And as he had done before (so predictable!), the hacker changed the account email and the verification link from Instagram didn’t work.
So, I knew exactly what to do. I couldn’t sleep and was up at 2am EST.
I knew I would submit another video selfie immediately, and before 6am EST. And I knew I’d get the verification link within the hour. Once I did, I had to be ready.
I would have to jump into the account and be ready to fight for it in real time as the hacker was in the account as well, trying to kick me off.
So, I came up with my plan:
First, I had 3 very complex passwords, generated by LastPass. I cut and pasted all 3 passwords into an email draft in my phone for easy access.
Second, I came up with my sequencing. I would be in my account in real time with a professional hacker. I had to think this through. First, I would change the password. Then I would log out other devices. Next, I would update phone and email. And finally, I would install my own 2-factor authentication.
And third, I realized something as I was sleepless the night before this showdown. And this is huge. When the hacker logs me off, the fight is not over. I still know the password I just changed it to and can get right back in and log him out. The last 2 times, once I was logged out, I was like, “Oh man, it’s over.” But it’s not. I have just changed the password and I have the upper hand. I just need to log right back in and then log him off.
And so, at 3am EST, I got my verification email back and immediately got into the account. I followed my plan. First, I changed the password. Then I checked for other devices logged into the account. There were none. Next, I changed the email and phone number. Then I turned off his 2-factor authentication.
Then he logged me off.
That didn’t stop me. I got right back on.
Updated the password with my second password, cut and pasted from my email draft. Logged him out. At this point, my hands were shaking so badly from the adrenaline I couldn’t type. Handed the phone to my husband. He tried again to set up 2-factor. Hacker logs us out.
We are not done!
Third time. New password from the email draft. Logged hacker out. And successfully set up my 2-factor authentication.
IT IS DONE.
Once that 2-factor is set up, the hacker was powerless to get back on. It was over.
It took determination. It took not giving up. It’s easy to feel hopeless and powerless in this situation. But you’re not. Keep going. Keep trying.
If this hadn’t worked, my next step was to purchase Facebook ads and then contact Facebook’s live chat to get help with the Instagram hackers, as this guy did.
Through my 2.5-day saga, Instagram did not respond to any of my requests for support, with the exception of the video selfie verifications. The platform has 1 billion users. There’s no way they can help everyone directly.
I had considered getting an attorney to negotiate a ransom for the account with the hackers.
We have friends with a huge platform who have had to do this. More than once. Still, I couldn’t bear the thought of rewarding these criminals in any way.
For what it’s worth, I also learned that Instagram will never send you a DM.
I wish I would’ve known that before this began!
One more thing:
If you think this could never happen to you because you have a private account, or you’re over 50, or you only have 20 followers, don’t be fooled!
Hackers aren’t interested in numbers.
They’re interested in the trust your followers have in you.
Hackers want to exploit your followers’ trust in you.
I had so many readers tell me in DMs after the incident:
“You’re so real. I just believed it because I thought it was you.”
“You normally tell it like it is, so I thought it’d be a great way to make money.”
It’s not the fact that I have lots of followers. It’s the trust that I have built with them that made me a vulnerable target.
That and my thirst to be Instagram verified. *wink*
Has this happened to you? Share your experience with us over on the Instagram post, or in the comments on Facebook. You can also send me a DM or an email at firstname.lastname@example.org; I don’t know if I can be of any help to you, but I’d sure love to try!