If you’re a social media content creator or business owner searching for the words “Instagram hacked” or “my Instagram account was hacked,” you’re probably in a little bit (or a lot) of trouble.
Losing access to your Instagram account can be extremely stressful, especially if you engage your audience daily. Besides losing the ability to control what’s being posted, a hacked Instagram account can put years of work in jeopardy, seriously disrupt in-store purchases as well as sponsorship revenue, and lose you a whole lot of followers.
At Notch, we specialize in helping content creators and business owners protect their social media accounts, providing insurance for any lost income whenever there’s a security breach. So we understand the severe impact that these events can have.
By the end of this article, you'll:
- Understand what to do if your Instagram account gets hacked
- Become familiar with the common ways hackers target social media creators
- Be equipped with tips to protect your account from hackers
What to Do If Your Instagram Account Gets Hacked
Whether it’s phishing or another form of social engineering, cybercriminals use a wide range of techniques to hack Instagram accounts.
When this occurs, you’ll need to act as quickly as possible to minimize your losses and increase your chances of regaining control swiftly.
Was your Instagram account hacked? Here are the steps you need to follow:
1. Reach Out to Your Instagram Insurance Provider
If you have insurance for your Instagram account (like Notch), the first thing you should do is reach out to your insurance provider (if they haven’t already contacted you), and file a claim.
Once the claim is processed, you’ll begin receiving daily payouts that cover any losses to your income due to being hacked. At the same time, the insurance company will help recover your account so you can get back to business as soon as possible. If you don't have insurance for your account, continue reading for the steps you should take.
2. Check Your Email Inbox
In many cases, the first thing that hackers do is attempt to change your login credentials to revoke access to your account.
When an email address is changed on Instagram, the system sends out an automated message to the old address for security purposes.
You should log into your email and check for this message before going any further. If you’re lucky, you’ll be able to tap on the link within the email that says “revert this change” to regain access to your account.
3. Request a Login Link
If the link to revert the change has expired or is not available, you can still contact Instagram and request a login link.
On your Instagram app login page, tap on “Get help logging in” (Android) or “Forgot Password?” (iPhone). Then, enter your email address, phone number, or username, then select the method you want to get the login link.
Check your email or SMS messages (depending on which one you chose) to see if you received a link. It’s important to note that, unless the hacker is very inexperienced, it's unlikely this will work because long-time criminals change these contact details as soon as they’ve hacked an account.
4. Change Login Credentials, If Possible
If any of the two steps above allowed you to successfully log in, the first thing you should do is change your password.
The most secure approach is to use a password manager.
5. Report Instagram Account Hack and Verify Your Identity
If neither of the first two steps worked, it’s time to reach out to Instagram. More often than not, this is a hopeless process, but photographer Jared Quackenbush shared a method that worked for many victims: reporting the hack while verifying your account with a video recording of your face.
If you want to submit a video of your face to verify your account, you have to:
- Go to the Instagram login page and type your username
- Tap on “Forgot password”
- Select “Need more help?”
- Choose the account you want to verify
- When you get the prompt, choose to receive recovery code via text message
- The hacker has likely set up 2FA at this point so you’ll be asked for another code
- On this same screen, tap on “Try Another Way”
- Tap on “Get Support” and select the optioned labeled “My Account Was Hacked”
- Select “Yes, I have a photo of myself in my account
- Type in your email address and tap on “Submit”
- You should be met with a selfie video recording, so follow the instructions and you’ll get contacted by Instagram within 24 hours (usually occurs right away)
Note that this verification system only works if you’ve posted pictures of yourself recently, and because it’s powered by AI, it has some limitations - for example, if your picture has a filter, it may not recognize you.
Updated [December 2022]: At the end of 2022, Instagram built an all-in-one support page for its users, summing up the different forms and flows needed to recover your account for whatever reason. Check instagram.com/hacked and select 'My account was hacked', enter your username, email or phone number and then follow the instructions (remember that it is very important to use the same device when going through recovery processes).
6. Create a Facebook Business Account to report your hacked Instagram account
Now for the tactic that not many people are aware of.
If the video verification isn’t working either, your next move is creating a business account on Facebook if you don’t already have one.
All it costs is $5 to run an ad, but what you’re really doing is getting faster access to Meta representatives. And we’ve come across multiple Instagram creators who’ve actually managed to get their hacked accounts back using this method.
Here’s what you need to do:
- Login to Facebook and create a Business account (if you already have one, skip this step)
- Set up an ad (if you've run one before, skip this step too). You can run one for $5 just to get your ad account active! There are plenty of tutorials on YouTube to show you how.
- Once you've run your ad, go to your Facebook Business dashboard and select ‘help’.
- Select “contact Facebook support team” and then select ‘my ad account was hacked’.
Even if it wasn’t your ad account that got hacked, you’ll at least be able to speak to a human by doing this. With a bit of luck and persistence, you can then be connected with the relevant person who'll help recover your account.
How to know if my Instagram account is hacked
There are several obvious signs that your Instagram account has been hacked:
- You've suddenly been logged out of your account and can't log back in
- Instagram has emailed you saying the email and/or phone number associated with your account has been changed
- You've received an email from the hacker who is holding you to ransom
- Your account is now posting content about investment opportunities and other scams
When you're insured with Notch, we'll alert you immediately if we detect any suspicious activity - meaning you won't waste a whole day or night before realizing you've been hacked.
How likely is it to get hacked on Instagram?
Notch's data shows an Instagram creator account gets hacked every ten minutes on average in the U.S. And according to this report from NordVPN, 37% of Americans have had their social media profiles hacked, while 9 in 10 people know someone who has been hacked.
Can you protect your Instagram from being hacked?
Yes and no. You can certainly reduce your chances of being hacked by following best practices like having a strong password, setting up two-step verification, and not clicking on suspicious links.
However, hackers are increasingly sophisticated in 2022 and can hack even the most tech-savvy of users, using a variety of social engineering and phishing methods. We'll go into more detail about Instagram account security later in this article.
Because it is impossible to fully protect yourself against getting hacked on Instagram and other social media platforms, insurance like Notch is highly recommended.
How Do Instagram Accounts Get Hacked?
Common tactics used by cybercriminals to hack Instagram accounts include social engineering and phishing methods. Here are three tactics you should be aware of:
The Copyright Infringement Scheme
In the copyright infringement scheme, fraudsters impersonate Instagram team members and reach out to Instagramers claiming they’ve violated copyright infringement laws.
Users are provided with a link to solve the issue. But, instead of going to the real Instagram page, users are redirected to a lookalike phishing site that collects their username and password data as soon as they attempt to log in.
The Verified Badge Scheme
Cybercriminals also use the verified badge scheme to gain access to their victims’ accounts. Verified badges appear on accounts that Instagram has reviewed to show that they’re legitimate.
Unfortunately, hackers are now impersonating Instagram support agents that offer creators the chance to add a verified badge to their accounts.
As with the copywriting scheme, users are redirected to a fake page that records their login data as soon as it is submitted.
You might be interested in: 6 ways hackers steal Instagram accounts
Real Time Phishing Schemes
A more sophisticated method hackers use, which lets them bypass Two Factor Authentication (2FA), is referred to as ‘man-in-the-middle’ real time phishing.
Hackers send emails impersonating a legitimate company - let’s say Instagram - and dupe users into clicking on a proxy server. Unlike the typical scams we mentioned earlier, in this case the hacker-run web page is a mirror image of the legitimate web page, like Instagram’s login page.
When users click on an online proxy controlled by the hacker, their browser connects to it and forwards the information - like log in details - to the legitimate website that the user believes they’re already on.
It’s easy to be tricked - the page operated by the hacker is exactly the same as the real log in page, the only difference is a small discrepancy in the URL.
Instagram will ask the user to provide their 2FA code - which they’ll enter on the hacker’s proxy server. So the user thinks they’ve logged into Instagram without any suspicion, and Instagram also believes the user has logged in. Meanwhile, the hacker has gained access to the account and can now change the login information.
The key takeaway here is to never be complacent, even with 2FA set up, and to always double check the URL of the website you’re entering sensitive information into.
6 Tips to Protect Your Instagram Account from Hacks
Hackers can trick even the most vigilant Instagram creators, so it’s vital you do everything possible to limit the chances of this happening to you. Here are 6 of the best security measures we recommend.
Double check links
This is the most common piece of advice victims of Instagram hacks have given in our How I Got Hacked blog series. That's because the majority of hacks are a result of creators clicking on links they receive by email or DM, from hackers impersonating legitimate accounts. The links they include seem legitimate at first glance, but it's crucial to stop yourself from clicking before thinking. Instead of blindly opening up the link, hover over the hyperlink and check the URL. Does it look suspicious? If so, it's better to be safe than sorry. Delete the email.
Use a Password Manager
A common piece of advice to prevent hacks is to strengthen your password. In truth, brute force attacks, in which hackers guess your password, are less of a threat than social engineering or phishing attacks. After a few failed login attempts, Instagram recognizes suspicious activity.
So while having a strong password can only help, our advice is to use a password manager app. These help protect you against the most prevalent hacker tactic - phishing - while also simplifying the login process.
A password manager works like a centralized vault that stores all of your login credentials. Instead of remembering each one individually, you only have to provide the master password for the management tool. The password manager then autofills the login details as long as the domain is legitimate, allowing users to log in safely with minimal hassle.
Because password manager apps recognize your known websites, they can help prevent phishing attacks. For instance, if you've been tricked by a hacker impersonating Instagram, and they direct you to a fake lookalike website where they ask for your credentials, the password manager will recognize that this is an unfamiliar URL. As a result, the password manager won't autofill your details, helping you avoid the phishing scam.
Password managers also provide features like password generators. This feature gives the ultimate level of security because Instagramers can generate secure passwords without knowing what they are and store them in the manager tool right away.
Set Up Two-Factor Authentication
Two-factor authentication is a feature that allows you to add another layer of security to your account. In addition to your password, two-factor authentication requires you to provide a second piece of information in order to access your account from a new device.
You can obtain the second piece of information through two different channels: either through a third-party authentication app like Google Authenticator or via SMS text message. The idea is that anyone that wants to access your account will need to have your password and your unlocked smartphone at the same time, which is unlikely if it’s not you.
Having said that, you can still get hacked with a 2FA setup - as influencer Jessica Wenjia found out.
Limit Third-Party Account Access
As an Instagram entrepreneur, you probably leverage a variety of tools to monitor and improve your performance. In a lot of cases, you need to provide access to your account to enjoy the benefits that these platforms provide.
This can represent an additional risk, especially if you’re working with a provider that doesn’t have a strong security system in place. Providers with weak security are more susceptible to being hacked and jeopardizing all of their partner accounts, including your own.
Risks involved with third parties don’t stop here. Some cybercriminals are known for crafting fake platforms in order to gain access to their victims’ accounts. These non-existent tools can be so convincing that Instagramers are willing to try them out, which gives cybercriminals exactly what they want.
To counter this, you need to reduce the number of third-party tools that have access to your account and verify that you only work with reliable providers. The list of partners you can trust includes, but it’s not limited to:
- All Adobe platforms
Working with trustworthy providers will not only reduce the chances of experiencing a hack via third-party access, but it will also protect the details you collect about your followers.
Verify Emails by Checking Security Messages on Instagram
A common phishing tactics used by hackers involves impersonating Instagram's official email. But, the good news is that you can now verify all email communications through your Instagram account.
All legitimate and official emails sent by Instagram will also appear in your profile settings.
From your Instagram account, go to Settings>Security>Emails.
By monitoring this part of your account, you can keep track of all your security notifications and ensure that all emails you receive are actually from the Instagram team.
If you received an email that seems to be from Instagram, but there is no corresponding message in your profile’s security section, consider it suspicious and do not engage with it.
Get covered by Instagram Insurance
For anyone using Instagram to earn income, build a community, and market a product, insuring this digital asset is a must. That's why we created Notch, the first bonafide insurance for social media accounts.
Notch insures Instagram accounts against hacks - meaning, if you get hacked, Notch will pay you every day you’re locked out of your account to cover your revenue loss, for up to 3 months. At the same time, we work to retrieve your account to get you back in business ASAP.
We predict it to become the norm for savvy Instagram creators and business owners to insure their accounts against hacks: all valuable assets need insurance, and Instagram accounts are no different.