So I've been secretly in a cold war with some weird crypto bros for like 6 months now, and worryingly in the last couple days it's looking like they've won. They wanted my Instagram handle, and somehow they've now got it. Without my consent. And it's kinda scary. Strap in for a toot storm (is that what we call it?) [1/16]
So it started around 6 months ago with a DM on that other place, it was from someone who claimed to be a "brand influencer" or whatever, with NFT profile pictures abound. They wanted to buy my Instagram handle for some stupid amount of money. I ignored it, because that's against the Insta ToS, and I didn't trust them anyway so what was the point in engaging. [2/16]
Over the following 6 months I proceeded to get more messages, in different venues, from different users offering the same thing. It got to the point where they found my husband's blog, found the contact form, and messaged him! Kinda desperate. [3/16]
I continued to ignore the messages, and started to find it kinda funny. The idea they wanted it so much and just couldn't understand why I wasn't replying to them was just... really funny to me? Satisfying. I don't owe them anything, right? [4/16]
So things changed last weekend. I opened Instagram on a whim and found I was signed out. Weird. I try to sign in and find the password and email on my account have changed. That's not good. At this point you're probably thinking "he had a weak password" or something, so let's briefly talk about the security on my account. [5/16]
It had a strong, unique, @1password generated password. It had 2FA enabled (with 1Password). It was also connected to my Facebook account, which also had a strong, unique password and 2FA. The email address is my Fastmail account at my own domain, protected with a st... you get the idea. [6/16]
So, back to last weekend. When they compromised the account they made one mistake: they didn't disconnect my Facebook account. I was able to sign in with Facebook, get the email changed back, change my password, replace the 2FA with a new one, disable password reset emails. [7/16]
At this point I was kinda worried, because I didn't know how they got in. I tried to contact Instagram but of course there's no way to do that. I took every step I could, audited my Facebook access logs in case they got in that way. But it didn't feel like I actually succeeded in plugging any holes because I didn't find any.
Now it gets interesting: Instagram say if the email on your account is changed you will receive an email from security@mail.instagram.com where you can reverse the change. I didn't receive that. I've checked the Fastmail logs and am absolutely certain that account has not been compromised. Not only that but Instagram have a complete log of emails they've sent you in the account settings and when I got back into the account there was no record there of them sending me that email. [9/16]
What else can I do? I forget about it and move on with my life. Fast forward to last night, I open Instagram and I'm signed out. They got in again. And this time they've disconnected Facebook, changed my handle, and created a new account that's claimed my old handle. This is interesting because Instagram say you can't claim a handle from an account that's recently changed their handle (I've heard 30 days floated, but can't find official confirmation of that) [10/16]
Once again: no email, no sign my email has been compromised. The only theory I have right now is that they had someone inside Instagram do it. Maybe they paid that person what they offered me? [11/16]
So you're maybe thinking "Instagram must have a process for this, something you can do when your account is hacked?" and the answer is... kinda, but also it's completely useless. You follow the account hacked form on the website and it just endlessly redirects you to the "I need help logging in" page. If I follow the "I can't login" process for the handle they stole Instagram wants me to enter a previous password for the account, which I can't do because it's brand new (I tried). [12/16]
If I follow that for what they changed my handle to (which I guess is now my account) then they accept my password but want to send a login code to the email they changed my account to. How does that help?! I can find no way to contact a human, there is no other process to follow. I'm out of options. Stuck unable to get into the account that stole my handle or my original account. Totally locked out. [13/16]
The stupid part is I don't even care about my Instagram handle. I barely use Instagram these days, and the handle alexprice isn't one I use anywhere else; it reflects my pre-married name, so doesn't feel much like me anymore... but it's the fucking principle of the matter. It's my account and I don't want these asshole thieves to win... and right now, it looks like they have. [14/16]
To be fair to the weird crypto bros, I have no proof they are connected to whoever has compromised my account... but it's hardly a big leap is it?
If you're curious, here's my account with the bullshit handle I didn't pick: https://www.instagram.com/alexprimediallc/
And here's the account with my stolen handle: https://www.instagram.com/alexprice/ [15/16]
That's all I got. I'm stuck, and it seems like they've won. If you have any theories on how they did this, or you know anyone at Meta who could help, please get in touch with me! Hope you enjoyed reading this mess. ¯\_(ツ)_/¯ Please boost the first post in this thread in case someone out there can help me! [16/16]
One thing I did try is filling out the "Report an account impersonating you" form, which is clearly not intended for the purpose I used it for, but was the only approach I could find that seemed to let me write text in a box that presumably a human at Instagram will see. So far I've only received some generic form responses, but fingers crossed that'll yield some results.
Apparently I’m on the front page of Hacker News now
I’ve had a couple of Meta folks reach out, so I’m cautiously optimistic I might get somewhere? Fingers crossed the thieves won’t win in the end!
Amusingly, this thread has seemingly caused people to start following me on Instagram, on an account I cannot access, and yet I’m still getting push notifications for! ¯\_(ツ)_/¯
@alexjsp I had the account @ jordan for about 10 years. Signed up on first day. Got endless requests for it. Was hacked similarly twice but had a contact at Meta that helped. Year and a half ago my account got reported for “impersonation” and Meta contact wasn’t reachable anymore. Eventually account seemed to go to someone else. Endless traps in that reporting interface that’s impossible once you properly lose it. https://medium.com/@jordancox/how-my-beloved-instagram-account-jordan-which-brought-joy-to-millions-was-hacked-and-deleted-by-8d881466b933
@jordancox Euch, that sucks.