Tech
What To Do If Your Instagram Account Gets Hacked
It seems to be Instagram hack hoax season. Here’s how to avoid being next.
Your friend who knows nothing about cryptocurrency is posting suspiciously worded missives about how to get Bitcoin-rich, and your DMs are filled with strange links from people you never talk to. Odds are, if you get curious enough to click these links or interact with the bizarre messages, you may be the next victim of an Instagram account hack. For this reason, you want to avoid phishing attempts and suspicious scams as much as possible. To keep your account safe, here’s what you can do to protect your Instagram from getting hacked.
NordVPN reports that about 13% of Americans have been hacked on Instagram. Meanwhile, Norton’s 2021 Cyber Safety Insights Report found that with 73% of Americans spending more time online than in previous years, nearly half of respondents felt like they were more vulnerable to cybercrime since 2020 started. Cybersecurity expert Kristina Podnar previously told Bustle that Instagram, in particular, has become a platform of choice for hackers because people engage with friends on the app and are trusting of links and messages sent through DMs. (Think about how if a friend sent you a weird link on Facebook, you would be less likely to click it.)
If you haven’t noticed, there has been an influx of IG hack hoaxes in pop culture as of late. First, it started with viral phenomenon Lil Tay in early August, followed by former Bachelorette contestant Josh Seiter a few weeks later. The rise of celebrity hacking attempts proves it can happen to anyone — including you — and according to those who’ve experienced the breach of privacy in the past, it’s a headache you don’t want. Thankfully, though, it’s avoidable.
What Happens If You Get Hacked On Instagram
In October 2021, Cici*, 30, a Montréal-based graphic designer, fell for an Instagram phishing scheme that not only led to them getting hacked but also caused them to lose control of their account permanently. “Someone I know DMed me and said ‘Hey! I need your help. Can you help me? I need to activate my new account but I need a friend to send me a link,’ so I agreed and gave them my phone number.” Using their phone number, the hacker, who had posed as Cici’s friend, tapped the Forgot Password button on the Instagram login page, which triggered a link to be sent to the number. Not knowing what the link was, Cici forwarded it to the “friend,” which ultimately gave the hacker full control over the account. The hacker changed the password, started posting about how to make money with Bitcoin, and got to work trying to scam Cici’s friends, too.
For Rachel*, 34, a teacher, what started out as a similar verification link scam turned into a demand for ransom. “The hacker not only changed my passwords but started extorting me.” After finding her on X, previously known as Twitter, the hacker DMed her to say that they would give her the account back if she sent $100. Then, they raised the price. Rachel ended up sending over $500 without getting access to her Instagram.
Per Instagram’s Hacked Accounts Help Center, there are a few safeguards against hacking in place. First, the app will send you an email from security@mail.instagram.com if your login information is changed to confirm it was you who made the changes. If you tap the link, it will revert the changes and give you a chance to change your password and block the hacker back out. The problem, according to Cici, is that the link expires. “I was at work when the email came through and by the time I clicked it, it was too late.”
If that doesn’t work, you can report the hack to Instagram by requesting support. On the Instagram login link page, tap “Need more help” (under “Send Login Link”) and follow the on-screen instructions. If your account doesn’t have any photos of you on it, Meta will send an email asking for information to verify that you own the account. If your account does feature photos of you, the second recovery option Instagram offers is an identity verification video — you record your face from multiple angles to prove who you are to the support team. Cici says, however, that Instagram didn’t accept the video selfie as proof of their identity, and they’ve given up on recovering their account altogether.
Why would scammers bother with your Instagram page in the first place, especially if you don’t have a big following? Podnar says to think of it as modern identity theft. “The Instagram account is a gateway to mining other types of data and broadening the scam.” Once a victim clicks a scam link, the hacker locks them out of the accounts by changing the recovery email and then starts leveraging the account to log in to other platforms — from your Instagram, they might hack your Facebook, then get perhaps enough information to get into your email. According to Podnar, having control over established social media profiles can be valuable for data, in addition to the money the hackers can get off holding the accounts for ransom.
Unfortunately, if your account gets hacked, there’s no easy fix to get it back — though heading to the mobile site and letting Instagram know you’ve been hacked is a good place to start. The best protection is to prevent a hack from happening in the first place. Here’s how to increase your security, back up your data, and stay alert.
Update Your Password & Increase Its Strength
In order to minimize the risk of a guessing or snowballing hack, which is when a hacker can log into multiple accounts with the same information, change your passwords regularly, and opt for complicated ones. Podnar recommends investing in a password management tool — she likes Lastpass — to help you keep track of them. These tools can also let you know if your data is breached so you can hop on and change your password. If you can’t think of a new password (and you’re an iOS user), you can use Apple’s autogenerated strong passwords, which are stored to your Keychain for safekeeping. To be extra careful, make sure that your passwords on different apps are not similar and don’t include biographical information.
Use Two-Factor Identification
Two-factor identification — when your apps send you a text message with a code or a third-party link every time you log on to verify that it’s actually you — can be annoying, but Instagram offers it for a reason. “It is an easy security move that most people don’t use nearly enough,” Podnar says. To enable two-factor identification, tap the triple line icon in the top right corner of your profile, then tap Settings and Privacy and navigate to Accounts Center. From there, select Password and Security, followed by Two-Factor Authentication.
Delete Apps You’re Not Using
When your membership to an app is active, the information linked to it is live, and can potentially be used by hackers to gain access to other accounts. If you haven’t used your gym’s app in a few years, there’s no reason to maintain a presence there — especially if you used that same password for all your other apps. Podnar suggests going through all of your apps and permanently deleting the accounts you don’t use anymore, especially apps you log on to using your Facebook or Gmail account. “Online security decreases with each cross-account link we create, so this is an easy way to decrease your online risk.” You have to go into each platform’s settings to delete your account, too — don’t just delete the app from your home screen.
Check Your Recovery Settings
When you set up Instagram 10 years ago, you might have selected an email you no longer use or have access to. If you’ve never had to recover an account or reset a password, you might not even know what default email you have listed. Check all of the email accounts your social media accounts are connected to and make sure they are up-to-date and accessible.
Back Up Your Instagram
While you likely can’t get the messages and interactions back from an account that’s been stolen, having a backup of your Instagram posts will lessen the blow of a permanent hack. “That way, if your account is hacked and held for ransom, or if you can’t recover your account, you still have access to your important information and can request that your old account be deleted without losing those cherished memories,” Podnar says. To back up your Instagram data, head to the mobile site, tap the triple line icon followed by Your Activity, then select Download Your Information. From there, you’ll be prompted to enter the email account you’d like your info to be sent to, and whether you’d like your data to be sent in a HTML or JSON format. Enter your IG password, select Request Download, and soon you’ll receive an email titled “Your Instagram Data.”
Stay Vigilant
Most platforms, including Instagram, are good about notifying you about suspicious activities on your account. That said, scammers can also use fake notifications to trick users into clicking links and falling into hacks. Whenever you get a safety email from an app, check the address and make sure it’s official before clicking any links — it should be from an @instagram.com address. The app will never DM you with an issue. If you got an email from Instagram and aren’t sure if it’s legit, tap Settings, Security, and then Emails From Instagram. If the email was real, it will be there for 14 days after it’s sent.
If you notice weird activity on your account — like photos you didn’t post, messages you didn’t send, or any changes to your bio — Podnar says to immediately change your password and force a logout of all devices on which your account is logged in. On Instagram, you can head to Security, and then Login Activity to see if anyone has used your account from a different location. To log out, head back to Security and just tap Log out.
If you miss that short window of time to change your passwords and log out, Podnar says it might be too late. “I’ve never heard of anyone having a good experience with this process,” she says, referring to recovering a hacked account. “It’s easier to be proactive and not put yourself in the position that leads to having to deal with it in the first place.”
*Name has been changed for privacy.
This article was originally published on