How my Instagram account got hacked

Every so often I receive an unsolicited friend request on social media from an attractive woman doing a suggestive pose in her profile picture.

I’m not just showing off that I get the occasional friend request from an attractive lady. The person in the profile picture of these accounts probably looks nothing like the person requesting to follow or befriend me.

Quite often these are hijacked accounts used by a cybercriminal to exploit your sexual desires.

I’m going to share a deep dark secret with you

Today it’s Data Privacy Day, and to celebrate I’m going to tell you the story of how my leaked data was used against me by hackers to login to my Instagram account.

In April 2012, Instagram was launched on Android devices. When the popularity of the Android app grew, I signed up to an account and uploaded a single picture to see what the fuss was about. I then removed the app and didn’t sign into the app again until 2015.

When I signed in, I could see that my account had been following thousands of people unknown to me.

Yes, that’s right ladies and gentlemen, I may have once been an attractive woman doing a suggestive pose to lure people into following me back or click on a link.  Well, perhaps my hacked Instagram account could have been.

I had a million and one questions running through my head as to how this could happen.  In 2015 my career in IT Security was budding, and to save myself the embarrassment of having a hacked account, I immediately changed my password and unfollowed all unknown accounts.

4 years on, I think I know what happened

In the news every so often, we see a company suffering a data breach. These data breaches may include things like passwords and email addresses.  Between 2012 when Instagram was launched and 2015 when I logged back into my account there were a number of breaches of note, including Yahoo, Adobe, eBay, JP Morgan, LinkedIn and Target.

It’s very likely that whoever logged into my dormant Instagram account was using a method that is referred to as credential stuffing.

Credential stuffing is when a hacker takes passwords from the data breach of Company A to login to a web app of Company B.  This relies on the victim (me) having reused my password.

Now, I know what you’re thinking, “But Matt, don’t you have a different password for every account?”  Well now I do, yes.  Unfortunately, the Matt of 2012 wasn’t as well versed in the field of IT Security as the Matt of present.

Security advice

How do you know that your Instagram or other social media account has been compromised?

If you find that your Instagram is starting to follow people you wouldn’t expect, your profile picture has changed without your knowledge and your bio suddenly reads “click here for a private chat 😉” or something equally flirtatious, then you may have been compromised.

Instagram advises you to change your password immediately and revoke access to any suspicious third-party apps.

Whether or not your account has been compromised here’s what you can do to strengthen the security of your social media presence:

  • Don’t reuse passwords for different services! This is a great chance to set up and use a password manager. It’ll generate and store a unique password for every website you sign up to.
  • Setup 2FA! Instagram along with lots of other social media platforms now supports the use of two-factor authentication so that you don’t have to solely rely on your password.
  • Delete the account, not just the app! If you’ve decided you’re finished with an app, don’t just remove it like I did.  Find out how you can delete your account and do that as well!