How to hack back into your own instagram account

Instagram Hacked? Here’s How to Recover Your Account

Instagram is crucial for designers, serving as a marketing and networking tool that’s key to landing new clients. So what should you do if you’ve had your Instagram hacked? First, don’t panic—you’re not alone. “I’d say it’s common for the average user to get hacked to some degree in their life,” says Matthew Krull, a social media strategist at design-focused communications agency Novità. “I hear more often than not from my friends and colleagues that they’ve experienced some suspicious activity on their account.” But if you’ve had your Instagram account hacked, it’s important to recover it as quickly as possible. Here are the steps for how to get your Instagram account back, as well as measures you can take to bolster your cybersecurity.

Can you get your Instagram back if it’s been hacked?

The short answer: It depends.

If you’ve had your Instagram hacked, it is possible to get it back, but you need to move fast, so that the hacker can’t compromise your account further. If you act quickly, you might be able to kick out the hacker while they’re in your account and before they’ve changed your info, deleted your photos, or posted to your profile. That way you can save yourself the trouble of having to recover your Instagram account through a Meta support request.

But if the hacker has already gone beyond logging in and potentially changing your password, Instagram account recovery becomes a lot more difficult. Depending on how much damage they’ve done, Instagram may be able to help you recover your account. But brace yourself: If your account has been deleted by a hacker, there might be nothing the Instagram support team can do to recover your account.

How do I get my Instagram account back?

There are two different levels of hacking: One that only changes your password, and another that changes your password and contact info. Here’s how to report a hacked Instagram account, and how to recover your Instagram account as soon as possible.

What to do if a hacker has changed your Instagram password

If you’ve found that your password no longer works, simply follow the steps for setting a new one, as prompted by the login page on the Instagram app. Hopefully, the login link will be sent to your email account or phone number, and you can use a security code to log back in to your account and change your password. This would be the best case scenario, as you can solve the problem yourself without having to contact Instagram. (That said, it’s not a bad idea to contact Instagram customer service anyway and let them know that your Instagram account has been hacked—the company may point out some helpful security tips to keep your account safe in the future.)

You’ve had your Instagram hacked, and the hacker changed your password and contact information. Now what?

Hitting a brick wall at the login screen? Yikes. If you’re locked out of your social media account, and you don’t receive a password reset link when you request one via the Forgot password button, a hacker may have changed your email and phone number. This is a more common type of hacking, as scammers know you will try to reset your password yourself, and they will want to keep control of the account for themselves. They may even hold your Instagram account for ransom, and request bitcoin or other plunder for you to get it back. If that’s the case, you’ll need to report the activity to Instagram by following the instructions here. They will ask you to verify your identity—you might even have to take a video selfie to prove you are who you say you are. This process likely won’t give you immediate access; it could take days or even weeks to recover your Instagram account.

Can you recover your Instagram account if it has been deleted?

In some cases, hackers might delete all your posts, or they might delete your account entirely. If they’ve deleted some but not all of your account, you might be able to retrieve posts by going into the Your Activity section of your Instagram account and selecting Recently deleted. There, you’ll find posts from the last 30 days as well as stories from the last 24 hours. You can then restore those images or videos.

But if your account has been totally deleted, you might be out of luck. Instagram itself says, “When you delete your account, your profile, photos, videos, comments, likes, and followers will be permanently removed.” You can create a new account with the same email address you used before, but you may not be able to get the same username.

That said, there is a window in which you can recover your Instagram account. “If someone has deleted your account, you technically have 30 days to contact Instagram to explain that you have been hacked and [ask them] to put your account back up. Instagram claims it stores your data for that long,” says digital marketer Jonathan Simon, director of marketing and communications at the Telfer School of Management at the University of Ottawa. “However, this is a long shot. Once your account is deleted, it is likely gone.”

Interior designer Kristen McGinnis, for instance, was not one of the lucky ones. Back in 2020, she found that she was logged out of her Instagram account due to suspicious activity—even though her two-factor authentication was enabled. “Instagram’s account retrieval process includes going through identity confirmation. I submitted this well over a dozen times within a month and received zero response,” McGinnis says. “Sadly, I never received any help, only headache and heartache.”

After a month, McGinnis gave up. She started a new Instagram account and used her inaugural post to explain what had happened to her former handle. She then started the arduous process of re-following her former connections, hoping they’d follow her back. Although many of them did, she needed to message others to reintroduce herself. The small silver lining was that her photos were auto-saved to her phone. Still, the mishap had a cost. “I lost a few thousand followers, many of whom I will never get back because I don’t know who to reach out to,” McGinnis says.

Even though no method of account protection is completely fail-safe, staying on top of security best practices can hopefully prevent you from having to rebuild your following. You can also download your data periodically in order to keep a record of your posts, your followers, and even your comments—that way, if you have your Instagram hacked and eventually need to rebuild your account, you have a head start.

What should you do if you’re locked out of your Instagram account?

For starters, remain calm. Sometimes getting locked out—especially for business accounts—is simply due to an oversight. “For instance, let’s say a social media manager moves on from the company,” says New York– and London-based digital content consultant Charlene C. Lam. “If a transition plan isn’t in place, it may be a while before the remaining team members realize they don’t know the Instagram password.”

To mitigate that risk, keep your Instagram account recovery codes stored in a secure place. These recovery codes will be used to reset two-factor authentication, which will help you get your Instagram account back. They can be found on the Security page of the Instagram app.

Unfortunately, there may be an instance where you’ve been locked out because you were genuinely been hacked by a scammer.

What should you do if you suspect someone is trying to hack your Instagram?

There are a few red flags that may indicate that someone may be trying to hack your Instagram account (or already has). Three big ones: receiving a changed-password email from Instagram that you didn’t trigger yourself, receiving an unprompted email-change request from [email protected], and seeing posts you didn’t make. Here’s how to get help.

What to do if Instagram noticed suspicious activity on your account

If someone attempts to reset your password, Instagram will send you an email informing you of the change. “I take immediate action as soon as I get a notification or email from Instagram letting me know there was suspicious activity on any of the accounts I manage,” Matthew Krull says.

If you receive an email that someone has requested to change your password, and it wasn’t you, someone may be trying to hack your Instagram account. Report the situation to Instagram via the link in that email, then immediately change your password.

If you received an email from [email protected] asking about changing the email address associated with your Instagram account, but didn’t make that request yourself, click the link in the message that says Secure My Account. If you are unable to get through the login page, the scammer may have changed your password. Don’t lose hope yet—you can still get help by requesting a login link or a security code.

But remain attentive when it comes to these Instagram emails: Some messages that appear to be from Instagram could be phishing attempts or scams from hackers. The good news is that Meta has developed a function to help protect you. If you enter the security section of the Instagram app, you can see what emails Instagram has sent you within the last two weeks. Reviewing that data should help you verify an email’s authenticity.

Keep in mind that other messages, like Instagram DMs and WhatsApp chats, can also contain phishing scams. Stay alert!

What to do if you noticed suspicious activity on your account

If you notice photos or stories you didn’t post yourself appearing on your page, but you’re still logged in, you’ve probably been hacked on Instagram. You should change your password immediately, as doing so will kick the hacker out of your account. You should also manually log out of any suspicious devices via your login activity page, as well as revoke access from any third-party apps that might have had a security breach and exposed your login information.

How to protect your Instagram account

Hacking isn’t limited to high-profile Instagrammers. “Any account can be a target, because if the hackers are successful, they can use the hacked account to try to get important information like credit card numbers, addresses, and PINs from other unsuspecting users,” Jonathan Simon says.

A strong password is an obvious place to start—and yes, those strings of letters and numbers suggested by Apple’s iOS are pretty safe. (If you’re concerned about remembering all of your logins, a digital password manager can help.) Still, there are a few additional steps you should take to thwart a potential hacking.

Turn on two-factor authentication

Two-factor authentication requires users to enter a security code from an authentication app or your cell phone via text message (SMS) every time they log in to a new device—and it’s a solid deterrent to scammers. Meta offers this service, and you can set it up via the security page in the app.

Check your login activity

Keep an eye on your login activity, which can also be found under the security section of the app. There, you’ll see all the devices that your Instagram account is currently logged into, plus their geographic locations. If you see suspicious activity here, you can log out of those devices from your current one.

Check which third-party apps have access to your Instagram account

Granting third-party apps access to your account is an easy way to share content across different platforms, but it does come with some level of risk: Hackers can break into those apps and steal your Instagram login info. Head to your security settings, then click Apps and Websites to see what other apps have access to your Instagram account. Keep an eye out for any big data breaches that might affect those apps—if one happens, you’ll want to change your password immediately.

Enable auto-save

Though this measure won’t necessarily protect your account from hackers, it does give you a chance to save all your photos to your phone in the event you have your Instagram hacked and deleted. In the app, click on Settings, then Account, then Original Photos (iPhone) or Original Posts (Android), and make sure that Save is toggled on.

How to Recover a Hacked Instagram Account [2022 Update]

Are You Locked Out of Your Instagram Account? Don’t Panic!

There are few things as panic-inducing as discovering you've been locked out of your Instagram account. And I should know.

Earlier this year, my good friend's Instagram account was hacked. Scammers locked him out, reset his password, and started running crypto scams on his followers. It was a nightmare that took weeks to resolve.

Unfortunately, Instagram hacks have increased every year since 2016. Last year alone, there were more than one million cases of social media account takeovers (ATO) — almost double the amount from the year before [*].

A hacked Instagram account is more than an annoyance. If scammers gain access to your account, they can harvest your personal information to use for identity theft, impersonate you and destroy your online reputation, or scam your friends and family — and that’s not even considering the financial losses that could accrue if your company, influencer, or business account is hacked.

If you can’t log into your account or are seeing signs that it’s been hacked, act fast and follow these steps.

Here’s How To Tell If Your Instagram Account Is Hacked

The most obvious sign that your Instagram account has been hacked is that your login and password no longer work. If this is happening to you, a hacker may have gained access to your account and locked you out. You’ll need to follow the steps below to get your Instagram account back.

Sometimes scammers don’t want you to know that they’ve hacked your account. In these cases, there are some telltale signs indicating that someone else has access to your Instagram account:

You receive a password reset email that you didn’t request

If you receive a password reset email that you didn’t request, it means someone else is trying to get into your account. Even worse, it could mean that they’ve hacked your email account and are using it to gain access to your other accounts.

Don’t ignore these emails. Instead, make sure all of your account passwords are updated and secure, and enable two-factor authentication (2FA) with an authenticator app like Google Authenticator wherever possible.

✅ Take action: If your Instagram account has been hacked, your bank account, email, and other online accounts could also be at risk. Try Aura’s identity theft protection free for 14 days to secure your identity against scammers.

Your account email has changed

If you get an email from Instagram saying that your email has been changed, your account is hacked. At this point, a scammer has already gained access to your account and is trying to prevent you from changing your Instagram password to get back in.

You’ll need to deny the change from the original email account associated with your Instagram account.

Pro tip: Make sure that the email change message isn’t a phishing scam. All official Instagram emails should come from [email protected]. Any email coming from a different account is a scam.

You get a “suspicious login attempt” alert

If scammers try to log into your account from a different location, Instagram will flag it as a suspicious login attempt. To check if someone else is using your Instagram account, log into the Instagram app, then go to Profile > Settings > Security > Login Activity.

Check your Instagram "Login Activity" to see if anyone else has accessed your account.

Your Login Activity will show you the last few locations from which your account was accessed. If you see anything unfamiliar, press “This Wasn’t Me” and Instagram will log out your account from that device.

If you’re using Instagram on your desktop computer, you can check your Login Activity under Profile > Settings > Login Activity.

Friends and followers are getting strange messages from you

One of the reasons scammers don’t want you to know they’ve hacked your Instagram account is that they want to scam your friends. Instagram hackers will often send messages to your friends with the goal of stealing their login information or getting them to invest in fraudulent crypto schemes.

If your friends reach out and tell you that they’ve received weird messages from you, check your account activity immediately.

Your account is posting and commenting on its own

If you see strange notifications about posts or comments you don’t remember writing, your account is compromised. A scammer is making posts and comments pretending to be you — most likely with the hope of scamming more of your friends and followers.

💡 Related: The Latest Social Media Scams (and How To Avoid Them) →

My Instagram Account Was Hacked! What Should I Do?

If you recognize any of the above warning signs, don’t panic. There are specific steps you can take to recover your account, secure it from hackers, and mitigate the damage done.

But first: If your Instagram account has been hacked, the scammers could use your personal details to log into other services, including your email and online banking.

If you’ve lost access to your Instagram account, make sure to:

Update passwords on all of your accounts. Use secure and unique passwords for all of your accounts — especially if you have a habit of reusing passwords. Whenever possible, enable 2FA so hackers can’t get into your account, even if they have your passwords.
Regularly check your credit report and bank statements. Scammers are almost always after your financial accounts. Check for the warning signs of identity theft — such as strange charges on your bank statement or accounts you don’t recognize. An identity theft protection service like Aura can monitor your credit and statements for you and alert you to any signs of fraud.
Consider signing up for identity theft protection. Aura’s top-rated identity theft protection monitors all of your most sensitive personal information, online accounts, and finances for signs of fraud. If an Instagram scammer tries to access your accounts or finances, Aura can help you take action before it’s too late. Try Aura’s 14-day free trial for immediate protection while you’re most vulnerable.

Now, here’s what to do if your Instagram account was hacked — whether you still have access to it or if a hacker has locked you out.

How to secure a hacked instagram account that you still have access to

If you still have access to your Instagram account, you can usually flush out your attacker if you move fast.

Here are the essential steps to take:

Check the phone number and email address listed in your account settings. These are the key points of entry that will allow you to reset your password and recover your account. Before you try to change your passwords, go to Settings > Account > Personal information and make sure that a scammer hasn’t changed your email address or phone number.
Log out of all active Instagram sessions. Go to your Instagram Login Activity, and close all active sessions by selecting the three dots beside each session and choosing “Log out.” Repeat for each listed login session. This means that you’ll have to log back into Instagram on your phone, iPad/tablet, and computer — but it’s a small price to pay to boot hackers out of your account. ‍
Change your Instagram password. Next, you’ll want to reset your Instagram password under Profile > Settings > Security > Password. Choose a unique and strong password that is at least eight characters long and includes a combination of letters, numbers, and symbols. ‍
Turn on two-factor authentication (2FA). 2FA is an additional security measure that requires a special one-time-use code along with your password in order to log into your account. This means that even if hackers have your password, they can’t get into your account. For added security, use an authenticator app for 2FA rather than SMS — as scammers can hack or steal your phone and bypass this extra security measure.

Enable 2FA on your account under Profile > Settings > Security > Two-factor authentication.

Check your Accounts Center. This is a Facebook setting that allows you to see all your accounts associated with Facebook, Instagram, and WhatsApp. If you see a linked account or other suspicious activity that you don’t recognize, remove it.‍
Remove any third-party apps. Hackers may have been able to access your account via third-party apps. Look over the linked third-party apps under Settings > Security > Apps and websites, and remove any apps that you don’t recognize or use.

How to regain access to a hacked instagram account

If a hacker has locked you out of your Instagram account, it’s a much harder issue to resolve. But there are still ways that you can regain access.

Here’s what to do if you’ve been locked out of your Instagram account:

Check your email for a message from Instagram

Instagram will email you if a scammer (or anyone) changes your password or email. If you didn’t ask for these changes, you can revert to your old password by clicking “revert this change” in the email.

Search for any email sent from [email protected]. Be sure to check your junk and spam folders.

Request a login link

A login link helps verify that you’re the account owner. It is a special link that is sent to your email or phone number. Here’s how to request a login link from Instagram:

On Android: Open Instagram and select “Get help logging in” and then follow the prompts.
On iOS: Open Instagram and select “Forgot password?” and then follow the prompts.

If the email associated with your account has been changed, you’ll want to send the login link to your phone. If both your email and phone number have been changed, you’ll have to follow one of the next steps instead.

Request more support or a security link

If you’re locked out of your account, you’ll have to make a special support request to Meta (the parent company of Instagram and Facebook).

Choose "Need more help" to request an Instagram security link.

Here’s how to request support from Instagram’s login page:

On Android:

Tap “Get help logging in.”
Enter your username, email address, or phone number.
Tap “Need more help?” and then follow the on-screen instructions.
Select your preferred contact method, and then tap “Send security code.”
If you don’t receive the code, you’ll need to tap “I can’t access this email or phone number.”

On iOS:

Tap “Need more help?”
Select your preferred contact method, and then tap “Send security code.”
If you don’t receive the code, you’ll need to tap “I can’t access this email or phone number.”

Once you submit your request, you should receive an email from Instagram detailing the next steps to take.

Pro tip: Make sure that you’re using a secure email account to receive login information. If your email account has been hacked, scammers can bypass all of these measures and retain access to your account.

Verify your identity with Instagram

Eventually, you’ll need to verify that you are who you say you are. There are two ways that you can verify your identity to get your hacked Instagram account back.

If your account doesn’t have photos of you: Instagram will ask for details such as the email address, phone number, and device type (iPhone, iPad, Android, etc.) that you used when signing up for your account.
If your account does have photos of you: Instagram will ask you to send a video selfie (in which you turn your head at different angles) to confirm you’re a real person. Instagram claims the video is only for verification purposes and will be deleted from their servers within 30 days.

Unfortunately, this entire process can take days, weeks, and sometimes even months. Much of it is automated, meaning you can’t directly contact Instagram if you’re hitting a snag. However, it’s still the best process by which to recover your hacked Instagram account.

So even if it takes time, following these steps is far better than letting a hacker have total control over your account.

✅ Take action: If scammers gain access to your Instagram account, they could break into your online bank account. Try an identity theft protection service to monitor your finances and alert you to fraud.

How Hackers Hack Your Instagram Account (And How To Stop Them)

Once you’ve regained access to your hacked Instagram account, you want to make sure that scammers can’t get back in.

So, how did they hack you in the first place? Here are the most common ways that scammers gain access to your Instagram account:

Phishing attacks that steal your login information

Phishing is a type of attack in which scammers impersonate a known or trusted organization (or person) and entice victims to click on dangerous links or download malicious attachments full of malware.

Scammers may even pose as Instagram and send an email asking you to change your password, or log in to become verified (this is a popular scam). Their website, however, is completely fake and set up to steal your login information for an account takeover.

Beware of common Instagram phishing scams, such as:

Bitcoin investment “advice” and special crypto exchanges.
Fake Instagram “support” accounts.
Accounts that claim they can help your account get “verified.”

Related: The 10 Biggest Instagram Scams Happening Right Now →

Using leaked passwords from data breaches

Data breaches have leaked billions of usernames and passwords. Instagram, in particular, has had its users’ passwords leaked.

Once a site like Instagram has been hacked, those emails and passwords end up for sale on the Dark Web, where the average price of a hacked Instagram account is just $45 [*].

Hackers don’t even need your Instagram password to get into your account. Because 65% of people reuse passwords [*], hackers will take leaked username/password combinations and try them on different accounts, including your Instagram account.

Pro tip: Sign up for identity theft protection with Dark Web scanning. Aura constantly monitors the Dark Web for your personal information, including logins, passwords, or even your Social Security number (SSN). If any of your accounts are compromised or if your personal information is leaked, you’ll be alerted so that you can shut down scammers before they can do too much damage.

Malware that steals your username and password

If you click on a link in a spam email or scam text message, there’s a good chance that your device will get infected with malware.

This malicious software has a range of abilities — from stealing your personal data to scanning your device for passwords to even spying on every word you type. If your phone has been hacked, scammers can get into your Instagram account.

Related: How Do Hackers Get Passwords? (And How To Stop Them) →

Through third-party apps

Over the years, you may have connected multiple third-party apps with your Instagram profile or Facebook account — and then forgotten about them. Unfortunately, each third-party app poses a potential risk. If hackers attack a third-party app that has weak security, they can get into your Instagram account.

Related: How To Know if Your Phone Is Hacked →

Through a Wi-Fi attack or on public devices

Hackers can intercept your Wi-Fi via a “Man In the Middle Attack” (MitM), which allows them to access details and information from your connected device. They may also be able to discover your password or access your account directly, compromising your Instagram account. This is particularly risky if you’re using public Wi-Fi in a café or airport.

You should also be cautious of logging into Instagram on unfamiliar devices. If you use a public computer or a friend’s phone — and forget to log out — someone else could change your account settings and lock you out.

Related: What Is Cyber Hygiene? 10 Easy Habits That Will Protect Your Online Accounts →

Here's What To Do If Your Instagram Account Gets Hacked

Update and upgrade your passwords. Change any outdated or reused passwords. Consider using a password manager that helps you create and store unique and complex passwords so that you don’t have to remember them.
Turn on two-factor authentication (2FA). This can help stop hackers from accessing your account even if they know your password. Any login attempt will need a second form of authentication, such as through your phone or email.
Never give up your login or account details. Be wary if you get a direct message about an investment opportunity, a way to get verified, or tech support. Instagram will never ask you for your login information.

Example of a scam Instagram account that tries to steal login information.

Be cautious of “verification scams.” Hackers will pretend to be one of your friends who can’t access their account, and ask to send a 2FA code to your phone. But in reality, they’re trying to hack into your account. Never give out a 2FA code — no matter what the circumstances.
Don’t click on suspicious links. Many Instagram scams and hacks start via private or direct messaging. A good rule of thumb is to never click on a DM link unless you’re certain it’s safe.
Use antivirus software to protect against malware. If hackers trick you into downloading malware, they can spy on everything you type — including your Instagram password.
Scan and remove third-party apps and other accounts. Removing third-party apps and accounts tied to your account limits the number of access points to your account.
Be careful when entering your login details. Scammers will try and phish you by impersonating Instagram officials over email or DM, or linking to fake login sites. Before responding, always make sure any email comes from an official “Instagram.com” email address.
Call or video chat with someone who is contacting you via DM. If you suspect that someone is reaching out to you from a hacked account, initiate a video call to see if it’s really them. You can also reach out to them directly via other communication channels like text, WhatsApp, or Telegram.
Don’t trust account recovery services. If you’ve publicly posted about your Instagram account being hacked, bots can use that against you. They’ll reach out about a recovery service that will help you “reclaim” your account. Don’t fall for it.
Sign up for identity theft protection. Your Instagram account can be the gateway to identity theft or even financial fraud. Aura’s all-in-one identity theft and digital security solution keeps your accounts, credit, and finances safe from scammers. And if the worst should happen, you’re covered by a $1,000,000 insurance policy for eligible losses due to identity theft.

✅ Take action: Protect yourself from the risks of identity theft and fraud with Aura’s $1,000,000 in identity theft insurance. Try Aura free for 14 days to see if it’s right for you.

The Bottom Line: Keep Instagram Scammers Out of Your Account

Instagram accounts are in high demand, and scammers are targeting the social media service at an increasing rate.

Many of the cybersecurity steps we recommend to protect yourself can help protect more than just your Instagram account. Practicing online hygiene and basic security steps can help secure your data and prevent dangerous and damaging attacks. If you think you might be at risk, consider signing up for Aura.

Stop scammers in their tracks. Try Aura for free for 14 days.

What to do if someone tries to access your Facebook or Instagram

A notification pops up on the smartphone screen: "We detected an unusual login attempt from Rio de Janeiro, Brazil." The first reaction is panic, especially if you live in, say, Vladivostok. What could it be? System failure? Or is someone from the other side of the world really encroaching on your account?

There is no way to panic in such a situation - this will only play into the hands of the burglars. So that you can remain calm and survive this incident with minimal losses, we will arm you with knowledge: we tell you what the matter might be and how to act. nine0003

What could have happened

First, let's figure out how a stranger could gain access to your account at all. There are several options here.

Data leak and wildcard attack

A third party site where you registered might have been leaked. Having acquired a list of logins, e-mail addresses and passwords, scammers use them for a substitution attack, that is, they try to enter stolen credentials on many sites. Unfortunately, many people set the same passwords to protect their accounts in different services - this is what criminals are counting on. nine0003

Alternatively, your Facebook or Instagram credentials may have been leaked from the app you trusted them to. For example, in June last year, thousands of passwords from Instagram accounts leaked to the network, the owners of which used the Social Captain service to buy likes and followers. It turned out that he did not encrypt customer data, and anyone could get access to it. It is reasonable to assume that many users of the service have since experienced hacking attempts.

Phishing

It may also be that some time ago you fell for phishing, and your login with a password fell into the hands of scammers directly. They clicked on some link, and on the page that opened, very similar to the Facebook or Instagram login screen, they entered their credentials. So they ended up with the criminal. For example, most recently, our experts discovered a phishing campaign in which victims were lured to phishing pages by the threat of blocking their Facebook account due to copyright infringement.

Password theft

Your password may have been stolen by malware you picked up somewhere. Many Trojans have a built-in keylogger, a program that registers keystrokes on the keyboard. All logins and passwords that the victim enters, the keylogger directly passes into the hands of attackers.

Access token stolen

Someone may have stolen your access token. So that you don't have to enter a password every time you log into Facebook or Instagram, it saves a small piece of information needed to log in to your computer, which is called a token or access token. If an attacker steals the current token, he will be able to log into the account without a username and password. nine0003

Tokens can be stolen in different ways. Sometimes this is done through vulnerabilities in Facebook itself - for example, in 2018, attackers were able to get access tokens to 50 million Facebook accounts. Also, attackers can use browser extensions to steal tokens.

Login from someone else's device

It's possible that you logged into Facebook or Instagram from someone else's device - at a party, in an Internet cafe, in a hotel lobby, and so on - and did not log out after that. Or, for example, they forgot to log out of their account on a device that they had already sold or donated. Now someone has discovered your oversight and logged into your account. nine0003

False alarm (phishing again)

Your account may not have been hacked at all, but they are trying with a fake suspicious login notification. This is the same phishing that we talked about above, but a slightly different version of it. Instead of the threat of blocking, scammers can use fake suspicious login notifications with a link to phishing sites similar to the login page. Attackers expect that the victim in a panic will go to a fake site and enter their username and password there. nine0003

And what to do?

We have sorted out the possible causes, now it's time to act. To get started, log into your account - but in any case not through the link from the notification (as we already know, it can lead to a phishing site), but through the mobile application or by entering the address in the browser manually. If the password does not match and you can no longer log into your account, refer to the detailed instructions on what to do if your account has already been hijacked, which we published earlier.

If you are still allowed into your account, go to your account settings and verify the authenticity of the notification. For each social network, the path to the desired settings item will be different - see how this is done on Facebook and Instagram. Then go to the “Account Logins” section: if there are no suspicious entries there, then everything is in order, and the message about the hack was still phishing. nine0003

If you really see a suspicious one in the list of logins to your account, then it's time to hurry up to take protective measures - timely actions will help soften the blow:

Log out of your account on all devices. On Instagram, you will have to manually end each session in menu Account Logins . And on Facebook, this can be done with a single click in the Security and login section in the settings. This will reset the access tokens.
Make sure that the correct phone number and email address are specified in the account settings: attackers could change the data so that the link or code to change the password is sent to them. If they managed to do this, change it back to yours. nine0052
Set a new password that is strong and one that you don't use anywhere else. If you're not sure you can remember it, save it in a password manager. By the way, at the same time the program will help you come up with a reliable combination.
Turn on two-factor authentication to make it harder for attackers to break into your accounts, even if they know your password.
After that, be sure to check all your devices with a reliable antivirus to make sure that they are free of malware. Attention to security settings along with good protection will make your account your fortress. nine0052

Tips

Christmas and security

Many famous break-ins began during the Christmas holidays. A few simple tips will reduce your risk of becoming the next victim.

Is it safe to use Avast in 2023?

Avast solutions have a good reputation, but several incidents cast doubt on their reliability. We tell you whether you can trust Avast products.

Football cyberthreats

How to watch the World Cup and not become a victim of fraud.

Subscribe to our weekly newsletter

Email*
*
- I agree to provide my email address to AO Kaspersky Lab in order to receive notifications of new publications on the site. I can withdraw my consent at any time by clicking on the "unsubscribe" button at the end of any of the emails sent to me for the above reasons. nine0052

A hacker hacked Instagram in 10 minutes and got $30,000.

Cybersecurity expert Laxman Mutiya found a way to hack any Instagram account in ten minutes - he announced this on his blog. According to Mutiiya, the vulnerability was in a password recovery system where a one-time numeric code is sent to a user to verify their identity.

Information security researcher Laxman Mutiya told on his blog how he managed to hack Instagram in 10 minutes. While Facebook, which owns the photo hosting, is constantly trying to improve security and prevent outside interference, Mutiya's example proves that this problem can be worked on indefinitely.

An expert discovered a vulnerability in the password recovery system for his Instagram account. The fact is that when a user enters his phone number to resume access to the profile, Instagram sends him a six-digit numeric code that must be entered to verify his identity. nine0003

Laxman Mutiya decided that if he could try a million different codes at this stage, then one would definitely work, which would lead to a password change on any Instagram account.

Nevertheless, the expert rightly decided that the photo service would most likely have protection against such a blunt attack.

Indeed, Instagram has limited the number of shift requests a user can send. Then, by calculation, Mutiya determined that for a successful hack, he would need 5 thousand IP addresses, each of which would send 200 thousand requests. According to the hacker, this is not so difficult to implement if you use the Google or Amazon cloud service. In this case, the entire attack will cost the attacker $150. nine0003

Laxman Mutiya sent his research to the Facebook administration, which was convinced of the insecurity of the existing system. As follows from a letter sent by the leadership of the social network, the vulnerability in Instagram was eliminated, and Mutiya himself received $30,000 as a "bug bounty" - compensation for identified shortcomings.

The expert also gave some advice to those who use Instagram to protect themselves and their data.

He recommends changing your password regularly, using only unique and varied combinations, and be sure to use two-factor identification so that any manipulations with the account are made only with the user's approval. nine0003

In May of this year, it became known about the massive leak of personal information of bloggers and celebrities from Instagram - in total, about 50 million people suffered from it. A database containing the data of millions of Instagram stars using popular photo hosting has been discovered on the Internet, TechCrunch reported. This database, located in the public cloud of Amazon Web Services, was in the public domain and was available to everyone.

As it turned out, each of the entries contained personal data of Instagram bloggers and influencers, including their biography, profile photo, number of followers, geolocation, as well as email and mobile phone number. nine0003

Shortly after the leak was reported in the foreign press, the database went offline and Facebook announced its own investigation.

“We will conduct an investigation to understand where the data, including email addresses and phone numbers, got into the network - from Instagram or other sources. We will also contact Chtrbox [the company that leaked] to find out where they got this information from and how it was made public,” Facebook said in a statement. nine0003

In June, Instagram management announced the simplification of the procedure for recovering an account after a hacker hack. The new system will ask the user a series of questions that can confirm his identity, such as the original email address (if the hacker changed it) or phone number.