According to Notch's data, an Instagram creator account gets hacked every 10 minutes on average - meaning over 50,000 creator accounts get hacked every year. The hacking figure for all accounts, not just creator accounts, is much higher.
Every year, cybercriminals generate over $3 billion in revenue from social media attacks alone and hacking constitutes a large portion of these malicious incidents.
To help influencers and business owners protect their Instagram accounts, below we breakdown 6 tactics hackers use to extract personal information and bypass 2-factor authentication.
{{learn-more}}
How do hackers hack Instagram accounts? There are default security features on Instagram, like 2-factor authentication, so how can hackers overcome these?
The general answer to that question is, in most cases, some form of social engineering.
In this context, social engineering refers to the act of manipulating and deceiving Instagram users into willingly providing confidential information.
Instagram clearly states that you can only share original content that doesn’t violate copyright infringement laws. That said, it’s possible for you to commit a copyright violation unintentionally, in which case Instagram would take action and reach out to correct the problem.
This has led to many cybercriminals actually impersonating Instagram representatives pretending to address copyright infringement issues. In these cases, a hacker sends a link to your email or through a private message on Instagram and asks you to log in in order to address the issue. This is a real-life example of a message that was used to hack @wandertears:
You can learn more about this case by checking out this article.
The link leads to a fake page that, even though it mimics Instagram’s login page, is actually designed to collect your username and password details.
The only difference between the real page and the fake is a small variation in the URL, which is hard to detect.
To avoid raising suspicion, cybercriminals usually redirect you to one of Instagram’s legitimate FAQ pages that discusses the topic of copyright infringement.
There’s a couple different methods you can use to verify the messages you receive from Instagram. First, urgent Instagram notifications are usually delivered directly through the account interface or via email. If you receive a DM about your account, it won’t be legitimate - even if it’s from a profile that has the name “Instagram” in the username.
Second, Instagram now allows you to see a record of all security and login emails through your account. If you receive a suspicious email directly to your inbox, you should check this part of your Instagram account before opening the message.
From your profile, go to Security>Emails from Instagram. If you don’t see a record of the email, you should delete it right away.
{{subscribe}}
You’re probably familiar with verified badges, the blue pins at the top of Instagram profiles that have been authenticated by the social network. While valuable, this account feature is also at the center of another social engineering that hackers use to break into Instagram.
In this scenario, hackers send a private message or email that offers a chance to add a verified badge, linking to a deceitful website that collects your login information. They may request that you don’t change your profile data, like username or password, until the change has taken effect in order to gain enough time to break into your account.
Here’s an example of a verification badge scam email sent to the owners of pillow business, Cuddle Buddy.
There are a few tell-tell discrepancies here to help you avoid falling for such a scam. For starters, grammar mistakes like excessive capitalization should serve as a warning.
Not only this, but the profile the message is being sent from does not belong to an official account nor does it have a verified account. It has the word “Instagram” in the name, but it doesn’t give any indication of being official. Finally, note how the “contact us” text on the blue button is not centered properly, so it’s not consistent with other Instagram content.
To get a blue verification badge right now you need to apply through your profile, and the form you have to fill in should look a little something like this:
Hackers that employ social engineering attacks leverage every piece of information they have at their disposal. For example, they sometimes design suspicious activity alerts that look like a legitimate notification from Instagram, but actually contain malicious links.
According to the Meta-owned social platform, emails from Instagram only come from “@mail.instagram.
com” or “@facebookmail.com” addresses. Here’s an example of what a legitimate security email from Instagram looks like:
This security message is for a new login from a device that the user didn’t commonly sign in through. Note how the email address is from a trusted source and how all of the design elements are aligned properly.
Even if the emails you receive look legitimate, we advise that you go to your Instagram account and verify that the security email was sent through there.
Fraudulent giveaways are especially troublesome because they exist in an ecosystem that is packed with legitimate promotional freebies. This form of social engineering can take two different shapes.
In its most traditional version, this type of hack operates like a false verified badge attack. The difference is that the hacker impersonates a big brand, exciting start-up, or similar renowned company that’s offering a big giveaway to specific social media influencers.
Some scammers even have legitimate-looking accounts that have been active for a while and have thousands of followers. The first message usually includes at least one spoofed link leading to a false Instagram login that’s designed to extract the username and password submitted.
A more complex form of fraudulent giveaways and sponsorships can occur when hackers have collected information about you, but still need a few more details to successfully breach your account. Instead of sending you a link to a spoofed login page, hackers may ask you to fill in a survey that asks for personal information, like your date of birth, mother’s maiden name, and other answers to common security questions.
Below is a real example of the phishing email that led to @FlipFlopWanderers getting hacked. Read their full story here.
Never rush or feel pressured into clicking links. Take time to investigate if the email looks legitimate: for instance, check for spelling mistakes and hover over the hyperlink to see if the URL leads to a familiar or safe website.
To be extra safe, you could even Google the company supposedly sending the email, and contact them to check if they really did send you an email.
Managing a social media profile can take a huge amount of time, especially if you have a large base of followers. There are many tools that can simplify the process, but you also have to evaluate each platform to make sure it comes from a legitimate developer.
Just as with malicious web extensions, hackers can create counterfeit tools that are supposed to improve functionality, but actually pose a security threat.
These tools usually look and feel legitimate, but bring you very little in terms of functionality and practical value. This type of scheme is not as common because it requires a significant amount of resources, but it’s still used by cybercriminals looking for bigger, more valuable targets.
When this type of attack is successful, target users integrate the counterfeit tool into their social media accounts.
This fake tool can be used to set up man-in-the-middle attacks, intercept all data, and extract login details, among other data.
It’s normal to watch your budget, especially in the early stages of your Instagram account. But, working with lesser-known, low-cost tools increases the chances of being targeted by scammers. To avoid this, you should opt for established tools that come from renowned providers or platforms that have been recommended by trusted peers.
All of the social engineering hacking techniques we’ve covered so far require hackers to manually create fake apps and website pages in order to collect details from their targets. With reverse proxy attacks, hackers don’t need to create a spoof website or app - instead they can automate the theft of credentials.
A reverse proxy attack is a type of man-in-the-middle approach - hackers direct victims to a domain that sits in between the user and the legitimate website.
The URL will be very similar to the legitimate page, and the overall appearance in the malicious domain mirrors the legitimate page.
When applied to the Instagram context, you could receive a convincing email from a hacker that directs you to Instagram’s login page. What you don’t realize is that you’ve been sent to do this via a proxy server - so when you enter your credentials and log into Instagram, your information - including 2FA - is being intercepted in real time.
Be extremely cautious when clicking on links from your email inbox - always verify an email claiming to be from Instagram by checking your Instagram account. From your profile, go to Security>Emails - if the email doesn’t appear there, it’s likely a scam.
Now that we’ve answered the question “how do hackers steal Instagram accounts?” let's go over the reasons why these criminals may want to target your profile.
Like other types of criminals, hackers and other malicious actors flock to the most popular platforms because these present the biggest financial opportunities.
Today, you can generate a significant amount of revenue from a large base of followers and hackers are eager to benefit from this.
Some of the common things a hacker may do once your account is breached include:
Getting hacked on Instagram is a nightmare, especially if you're a business owner relying on your account to market your services and drive sales. Keep reading for a summary of what you can do if you've just been hacked. For more information, watch the video explainer below.
Hackers use a wide range of approaches and develop new techniques regularly to hack Instagram accounts and bypass Instagram’s default security measures.
The number of social media scam victims in the US skyrocketed from 46,000 to 95,000 in 2021, and that number shows no signs of slowing down in the future.
Learning about the different techniques that hackers use and implementing security best practices as a counter are the first steps to keeping your Instagram account safe. Unfortunately, however, there is no way to guarantee your account against hacks - even users with multi factor authentication set up are falling victim. That's why we launched Notch - to finally give creators peace of mind.
{{learn-more}}
There are few things as panic-inducing as discovering you've been locked out of your Instagram account. And I should know.
Earlier this year, my good friend's Instagram account was hacked. Scammers locked him out, reset his password, and started running crypto scams on his followers.
It was a nightmare that took weeks to resolve.
Unfortunately, Instagram hacks have increased every year since 2016. Last year alone, there were more than one million cases of social media account takeovers (ATO) — almost double the amount from the year before [*].
A hacked Instagram account is more than an annoyance. If scammers gain access to your account, they can harvest your personal information to use for identity theft, impersonate you and destroy your online reputation, or scam your friends and family — and that’s not even considering the financial losses that could accrue if your company, influencer, or business account is hacked.
If you can’t log into your account or are seeing signs that it’s been hacked, act fast and follow these steps.
The most obvious sign that your Instagram account has been hacked is that your login and password no longer work.
If this is happening to you, a hacker may have gained access to your account and locked you out. You’ll need to follow the steps below to get your Instagram account back.
Sometimes scammers don’t want you to know that they’ve hacked your account. In these cases, there are some telltale signs indicating that someone else has access to your Instagram account:
If you receive a password reset email that you didn’t request, it means someone else is trying to get into your account. Even worse, it could mean that they’ve hacked your email account and are using it to gain access to your other accounts.
Don’t ignore these emails. Instead, make sure all of your account passwords are updated and secure, and enable two-factor authentication (2FA) with an authenticator app like Google Authenticator wherever possible.
✅ Take action: If your Instagram account has been hacked, your bank account, email, and other online accounts could also be at risk.
Try Aura’s identity theft protection free for 14 days to secure your identity against scammers.
If you get an email from Instagram saying that your email has been changed, your account is hacked. At this point, a scammer has already gained access to your account and is trying to prevent you from changing your Instagram password to get back in.
You’ll need to deny the change from the original email account associated with your Instagram account.
Pro tip: Make sure that the email change message isn’t a phishing scam. All official Instagram emails should come from [email protected]. Any email coming from a different account is a scam.
If scammers try to log into your account from a different location, Instagram will flag it as a suspicious login attempt. To check if someone else is using your Instagram account, log into the Instagram app, then go to Profile > Settings > Security > Login Activity.
Your Login Activity will show you the last few locations from which your account was accessed. If you see anything unfamiliar, press “This Wasn’t Me” and Instagram will log out your account from that device.
If you’re using Instagram on your desktop computer, you can check your Login Activity under Profile > Settings > Login Activity.
One of the reasons scammers don’t want you to know they’ve hacked your Instagram account is that they want to scam your friends. Instagram hackers will often send messages to your friends with the goal of stealing their login information or getting them to invest in fraudulent crypto schemes.
If your friends reach out and tell you that they’ve received weird messages from you, check your account activity immediately.
If you see strange notifications about posts or comments you don’t remember writing, your account is compromised.
A scammer is making posts and comments pretending to be you — most likely with the hope of scamming more of your friends and followers.
💡 Related: The Latest Social Media Scams (and How To Avoid Them) →
If you recognize any of the above warning signs, don’t panic. There are specific steps you can take to recover your account, secure it from hackers, and mitigate the damage done.
But first: If your Instagram account has been hacked, the scammers could use your personal details to log into other services, including your email and online banking.
If you’ve lost access to your Instagram account, make sure to:
Now, here’s what to do if your Instagram account was hacked — whether you still have access to it or if a hacker has locked you out.
If you still have access to your Instagram account, you can usually flush out your attacker if you move fast.
Here are the essential steps to take:
If you see a linked account or other suspicious activity that you don’t recognize, remove it.If a hacker has locked you out of your Instagram account, it’s a much harder issue to resolve. But there are still ways that you can regain access.
Here’s what to do if you’ve been locked out of your Instagram account:
Instagram will email you if a scammer (or anyone) changes your password or email.
If you didn’t ask for these changes, you can revert to your old password by clicking “revert this change” in the email.
Search for any email sent from [email protected]. Be sure to check your junk and spam folders.
A login link helps verify that you’re the account owner. It is a special link that is sent to your email or phone number. Here’s how to request a login link from Instagram:
If the email associated with your account has been changed, you’ll want to send the login link to your phone. If both your email and phone number have been changed, you’ll have to follow one of the next steps instead.
If you’re locked out of your account, you’ll have to make a special support request to Meta (the parent company of Instagram and Facebook).
Here’s how to request support from Instagram’s login page:
On Android:
On iOS:
Once you submit your request, you should receive an email from Instagram detailing the next steps to take.
Pro tip: Make sure that you’re using a secure email account to receive login information. If your email account has been hacked, scammers can bypass all of these measures and retain access to your account.
Eventually, you’ll need to verify that you are who you say you are. There are two ways that you can verify your identity to get your hacked Instagram account back.
Unfortunately, this entire process can take days, weeks, and sometimes even months. Much of it is automated, meaning you can’t directly contact Instagram if you’re hitting a snag. However, it’s still the best process by which to recover your hacked Instagram account.
So even if it takes time, following these steps is far better than letting a hacker have total control over your account.
✅ Take action: If scammers gain access to your Instagram account, they could break into your online bank account. Try an identity theft protection service to monitor your finances and alert you to fraud.
Once you’ve regained access to your hacked Instagram account, you want to make sure that scammers can’t get back in.
So, how did they hack you in the first place? Here are the most common ways that scammers gain access to your Instagram account:
Phishing is a type of attack in which scammers impersonate a known or trusted organization (or person) and entice victims to click on dangerous links or download malicious attachments full of malware.
Scammers may even pose as Instagram and send an email asking you to change your password, or log in to become verified (this is a popular scam). Their website, however, is completely fake and set up to steal your login information for an account takeover.
Beware of common Instagram phishing scams, such as:
Related: The 10 Biggest Instagram Scams Happening Right Now →
Data breaches have leaked billions of usernames and passwords. Instagram, in particular, has had its users’ passwords leaked.
Once a site like Instagram has been hacked, those emails and passwords end up for sale on the Dark Web, where the average price of a hacked Instagram account is just $45 [*].
Hackers don’t even need your Instagram password to get into your account. Because 65% of people reuse passwords [*], hackers will take leaked username/password combinations and try them on different accounts, including your Instagram account.
Pro tip: Sign up for identity theft protection with Dark Web scanning. Aura constantly monitors the Dark Web for your personal information, including logins, passwords, or even your Social Security number (SSN). If any of your accounts are compromised or if your personal information is leaked, you’ll be alerted so that you can shut down scammers before they can do too much damage.
If you click on a link in a spam email or scam text message, there’s a good chance that your device will get infected with malware.
This malicious software has a range of abilities — from stealing your personal data to scanning your device for passwords to even spying on every word you type. If your phone has been hacked, scammers can get into your Instagram account.
Related: How Do Hackers Get Passwords? (And How To Stop Them) →
Over the years, you may have connected multiple third-party apps with your Instagram profile or Facebook account — and then forgotten about them. Unfortunately, each third-party app poses a potential risk. If hackers attack a third-party app that has weak security, they can get into your Instagram account.
Related: How To Know if Your Phone Is Hacked →
Hackers can intercept your Wi-Fi via a “Man In the Middle Attack” (MitM), which allows them to access details and information from your connected device.
They may also be able to discover your password or access your account directly, compromising your Instagram account. This is particularly risky if you’re using public Wi-Fi in a café or airport.
You should also be cautious of logging into Instagram on unfamiliar devices. If you use a public computer or a friend’s phone — and forget to log out — someone else could change your account settings and lock you out.
Related: What Is Cyber Hygiene? 10 Easy Habits That Will Protect Your Online Accounts →
Any login attempt will need a second form of authentication, such as through your phone or email. 
If hackers trick you into downloading malware, they can spy on everything you type — including your Instagram password. 
If you’ve publicly posted about your Instagram account being hacked, bots can use that against you. They’ll reach out about a recovery service that will help you “reclaim” your account. Don’t fall for it. ✅ Take action: Protect yourself from the risks of identity theft and fraud with Aura’s $1,000,000 in identity theft insurance. Try Aura free for 14 days to see if it’s right for you.
Instagram accounts are in high demand, and scammers are targeting the social media service at an increasing rate.
Many of the cybersecurity steps we recommend to protect yourself can help protect more than just your Instagram account. Practicing online hygiene and basic security steps can help secure your data and prevent dangerous and damaging attacks. If you think you might be at risk, consider signing up for Aura.
A notification pops up on the smartphone screen: "We detected an unusual login attempt from Rio de Janeiro, Brazil." The first reaction is panic, especially if you live in, say, Vladivostok. What could it be? System failure? Or is someone from the other side of the world really encroaching on your account?
There is no way to panic in such a situation - this will only play into the hands of the burglars. So that you can remain calm and survive this incident with minimal losses, we will arm you with knowledge: we tell you what the matter might be and how to act.
nine0003
First, let's figure out how a stranger could gain access to your account at all. There are several options here.
A third party site where you registered might have been leaked. Having acquired a list of logins, e-mail addresses and passwords, scammers use them for a substitution attack, that is, they try to enter stolen credentials on many sites. Unfortunately, many people set the same passwords to protect their accounts in different services - this is what criminals are counting on. nine0003
Alternatively, your Facebook or Instagram credentials may have been leaked from the app you trusted them to. For example, in June last year, thousands of passwords from Instagram accounts leaked to the network, the owners of which used the Social Captain service to buy likes and followers. It turned out that he did not encrypt customer data, and anyone could get access to it. It is reasonable to assume that many users of the service have since experienced hacking attempts.
It may also be that some time ago you fell for phishing, and your login with a password fell into the hands of scammers directly. They clicked on some link, and on the page that opened, very similar to the Facebook or Instagram login screen, they entered their credentials. So they ended up with the criminal. For example, most recently, our experts discovered a phishing campaign in which victims were lured to phishing pages by the threat of blocking their Facebook account due to copyright infringement.
Your password may have been stolen by malware you picked up somewhere. Many Trojans have a built-in keylogger, a program that registers keystrokes on the keyboard. All logins and passwords that the victim enters, the keylogger directly passes into the hands of attackers.
Someone may have stolen your access token. So that you don't have to enter a password every time you log into Facebook or Instagram, it saves a small piece of information needed to log in to your computer, which is called a token or access token.
If an attacker steals the current token, he will be able to log into the account without a username and password. nine0003
Tokens can be stolen in different ways. Sometimes this is done through vulnerabilities in Facebook itself - for example, in 2018, attackers were able to get access tokens to 50 million Facebook accounts. Also, attackers can use browser extensions to steal tokens.
It's possible that you logged into Facebook or Instagram from someone else's device - at a party, in an Internet cafe, in a hotel lobby, and so on - and did not log out after that. Or, for example, they forgot to log out of their account on a device that they had already sold or donated. Now someone has discovered your oversight and logged into your account. nine0003
Your account may not have been hacked at all, but they are trying with a fake suspicious login notification. This is the same phishing that we talked about above, but a slightly different version of it.
Instead of the threat of blocking, scammers can use fake suspicious login notifications with a link to phishing sites similar to the login page. Attackers expect that the victim in a panic will go to a fake site and enter their username and password there. nine0003
We have sorted out the possible causes, now it's time to act. To get started, log into your account - but in any case not through the link from the notification (as we already know, it can lead to a phishing site), but through the mobile application or by entering the address in the browser manually. If the password does not match and you can no longer log into your account, refer to the detailed instructions on what to do if your account has already been hijacked, which we published earlier.
If you are still allowed into your account, go to your account settings and verify the authenticity of the notification. For each social network, the path to the desired settings item will be different - see how this is done on Facebook and Instagram.
Then go to the “Account Logins” section: if there are no suspicious entries there, then everything is in order, and the message about the hack was still phishing. nine0003
If you really see a suspicious one in the list of logins to your account, then it's time to hurry up to take protective measures - timely actions will help soften the blow:
If you're not sure you can remember it, save it in a password manager. By the way, at the same time the program will help you come up with a reliable combination. Many famous break-ins began during the Christmas holidays. A few simple tips will reduce your risk of becoming the next victim.
Avast solutions have a good reputation, but several incidents cast doubt on their reliability. We tell you whether you can trust Avast products.
How to watch the World Cup and not become a victim of fraud.
Take action on the website or app to secure your Instagram account if you think it has been hacked or is being used by someone else. If someone has accessed your account or you're having trouble signing in, visit this page in a browser on your computer or mobile device to help protect your account.
You can also try to restore access according to the instructions below. Some of the actions listed are not available for all account types, but we recommend trying each one.
nine0003
Check if you received an email from Instagram
If you received an email from [email protected] informing you that your email address has changed, please try to cancel and secure your account by clicking on the link. If some other information has changed (for example, the password), and you cannot restore the previous email address, request a login link or Instagram security code.
Request Instagram login link
To help us verify that the account belongs to you, request a login link, which we will send to your email address or phone number.
To request a login link:
Click Get help signing in (Android) or Forgot your password? (iPhone or browser).
Enter the username, email address, or phone number associated with your account and click Next. If you don't have access to that username, email address, or phone number, enter the login information you last used. Then click Can't reset your password? under the Next button and follow the instructions on the screen.
nine0003
Pass verification to verify you are human (browser only).
Select your email address or phone number, and then click Next.
Follow the login link provided in the email or SMS and follow the instructions on the screen.
Request a security code or support on Instagram
If you are unable to recover your account using the login link, please request support.
To do this, follow the steps below. nine0003
Instagram app for Android
Instagram app for iPhone
Enter a secure email address that only you can access. After submitting your request, expect an email from Instagram with further instructions.
Learn more about what to do if you don't know your username.
Verify your identity
If you request support for an account that does not have a photo of you, you will receive an automatic email response from Meta Support. In order to verify your identity, we will ask you to provide the email address or phone number that you provided during registration, as well as the type of device from which you registered (for example, iPhone, Android device, iPad, etc.
