Instagram has a growing security problem: As the service swells to more than 1 billion users, these accounts are also becoming popular targets for hackers.
And if you’re one of the thousands of people trying to regain control of a hacked Instagram account, it’s often a long, frustrating process. In the past five months, Mashable has received more than 1,000 emails and messages from people who say their Instagram account has been stolen by hackers. Nearly all of them describe a support system that’s confusing, slow, and nearly as distressing as getting hacked in the first place.
Last week, a story from Motherboard’s Joseph Cox exposed just how desperate some hacking victims are to recover their lost accounts, even if it means going about it through unofficial channels.
Instagram has been so unhelpful for a number of users that they’ve had to turn to third-party social media experts for help re-gaining access to their own accounts. Most of the victims Motherboard spoke to ended up getting help from someone who goes by Juan Diego J Pelaez, a Colombian who bills himself as an Instagram expert. Palaez also suggested to Motherboard that he has engaged in hacking in order to help people.
Yes, Instagram’s support system is so frustrating and difficult, some users have resorted to hiring other hackers to get the accounts back.
As ridiculous as it may seem, the problem is emblematic of just how frustrating and difficult to navigate Instagram’s official support system can be for those targeted by hackers.
“At this point, I’m at a loss as to what to do.”
Here’s how Instagram says the account recovery process is supposed to go: After you report your account as hacked, the company sends an automated email instructing you to either write down a code on a piece of paper and take a selfie with it, or reply with some of the information you used to first sign up for your account.
“Once you provide information to help us verify your identity, we’ll send you specific instructions to recover your account at the secure email address you provided,” Instagram says on the support page for hacked accounts. A company spokesperson said its community operations team “respond to the majority of reports within 24 hours.”
What Instagram doesn’t say is that account remediation (the company’s official term for reuniting hacking victims with lost accounts) can take weeks or months to resolve, and some users are never able to regain access to their accounts.
In a tweet, Instagram chief Adam Mosseri told Mashable: “This is definitely an area we need to do better, and we’re currently working on making it easier for people to get their accounts back.”
This is definitely an area we need to do better, and we’re currently working on making it easier for people to get their accounts back. We will keep everyone posted as we have updates.
— Adam Mosseri (@mosseri) January 17, 2019
But until Instagram changes the way it handles hacked accounts, those who have been targeted by hackers will be forced to navigate a support system that is exceedingly difficult to understand.
If your Instagram account is hacked, Instagram points you to its help center, which walks you through how to get your account back according to official policy. But it’s not as easy as it sounds. If you don’t follow the exact sequence of steps within the app, you might not be able to find the form that lets you report the account as hacked. It becomes even more complicated if hackers have changed the email address or other information associated with the account, which is frequently the case.
Some users aren’t able to find this page at all, and resort to other methods, such as emailing the now-defunct firstname.lastname@example.org. A company spokesperson told Mashable the email address “hasn’t been used in several years” as Instagram support was folded into Facebook’s community operations team following Instagram’s acquisition in 2012. When Mashable sent a message to the address, we received an automated response saying “you’ve reached us at a channel that we no longer support,” along with a link to Instagram’s help center.
But others try to find more creative ways to get Instagram’s attention, reporting their inaccessible account for impersonation or fake copyright violations, in an effort to flag their account to the app’s support staff.
“I ended up deciding I would rather get the account taken down”
Gabrielle Turi, a photographer and Boston University student, discovered her Instagram account had been hacked in September. She first tried several times to get it back through Instagram’s help channels, but each time received a message back that she was reporting the wrong account. (The hackers had changed the information associated with the account, including the username, which she believes tripped up the company’s automated support system). She then tried a different approach.
“I ended up deciding I would rather get the account taken down than have the hacker find the personal information of some of the people I’d been in contact with through the direct messages. I reported it for copyright violations,” Turi says.
The account was removed, but she soon found she had a new problem: She could no longer access the second account she had made through her phone. “When Instagram saw my report, they took down the account which then blocked my phone from using the app,” she says.
Now, she’s stuck in a “weird limbo,” where her only option is to use Instagram from a laptop, making it nearly impossible for her to manage the accounts of campus organizations she’s a part of.
“Instagram won’t respond to my requests for help with the issue,” she says. “At this point I’m at a loss as to what to do.”
An Instagram spokesperson said in a statement to Mashable that the company was “working hard” to protect users.”We have sophisticated measures in place to stop bad actors in their tracks before they gain access to accounts, as well as measures to help people recover their accounts. We know we can do more here, and we’re working hard in both of these areas to stop bad actors before they cause harm, and to keep our community safe.”
Things can go wrong even when you try to follow all of Instagram’s instructions. It can take days to get responses from company support and, even when you provide all of the requested information, you might still get messages that the company was unable to verify your identity, forcing you to start the process all over again. Because these emails are automated, you don’t actually get an explanation about what you did wrong or why your claim was rejected.
Instagram makes the specifics of account remediation opaque, so as not to make it easier for hackers to circumvent, but it also makes the process much more confusing for those trying to navigate it. If your hand isn’t visible in the verification photo, for example, it may prevent Instagram from verifying your identity, but the company’s automated emails wouldn’t tell you if that’s why it rejected your claim.
“When I got to the last step, Instagram wanted to send a confirmation to the hacker’s email”
One Instagram user named Claude, who requested Mashable withhold his last name, says he spent more than a month going in circles with Instagram support after his account was hacked and the email on his account changed to a .ru email address in October. He attempted to follow the steps laid out in the help center, but the automated process quickly broke down.
“I followed these instructions to the letter, and when I got to the very last step, Instagram wanted to send a confirmation email to the Russian hacker’s email,” Claude told Mashable. He had previously provided an alternative, secure email, at Instagram’s request. “I contacted Instagram again, and they responded by sending the exact instructions that hadn’t worked to begin with.”
After again explaining why Instagram couldn’t contact him through his hacker’s email address, he received the same automated email. Finally, after several failed attempts, he tried something different.
He found a phone number for Instagram after some searching online. He called the number and, eventually, was able to leave a “short, but detailed message.”
He says the call cost him $6 in long distance charges,and although he never received a call back or any acknowledgement of his complaint, the message seemed to have gotten through: Two days later, he tried again to log in to his account and found the two-factor authentication phone number had been changed back to his own. After more than a month without access, he was finally able to get into his account.
“If I could have spoken to a human being at Instagram it could have been saved”
“It ended well, but it shouldn’t have taken this much time, energy, work, and frustration to get it resolved,” he says now of the experience.
Losing access to an account can be even more devastating if you’re a business owner who relies on the app. For, Andrew Fullerton, a New York City photographer who used his account for networking with models and clients, “Instagram was not only proof of my abilities as a photographer, but proof that I had other people validating my work.”
When his account was recently hacked and username changed, he says, “it genuinely felt like my digital existence vanished overnight.” His original handle is now tied to a different account, while the account showcasing his work now appears under a separate name.
Since then, he estimates he’s tried to reach Instagram through its support form at least a half a dozen times, but each time gets a message that he’s not using a valid email address. He has also tried calling and leaving voicemails, but hasn’t gotten a response.
“At the moment, I feel pretty defeated,” he told Mashable. “I don’t know what it says about the state of culture today that I feel defeated over a lost Instagram account, but I can’t help from being frustrated. It’s become so integral to the way I live my life.”
Others also report confusing, circular interactions with the company’s automated support system. Bob Bentz, who is president of a digital marketing agency, lost his account in August, when a hacker changed the email address, username, password, and profile photo on his personal Instagram page.
After reporting his account as hacked, he received an email asking him to confirm his identity. He followed all the instructions in the email, but received a message back that he was reporting the wrong account. “It looks like you contacted us for help with a different Instagram account. To make sure we’re helping the right person, we’re only able to help you with one account at a time,” the email said. It also included a link to Instagram’s help center.
Bentz even tried reaching out to the Facebook support team he works with professionally as part of his day job. “I felt like maybe I had a leg up on the average person struggling with Instagram’s support system,” he told Mashable in an email. “After 10 business days, I learned that they don’t handle that type of thing.”
Thirty days after losing his Instagram, the hacker deleted his account entirely. He believes the automated system was not able to deal with the specifics of his case. “If I just could have spoken to a human being at Instagram, it could have been saved.”
Have a tip? Email the author at: karissa [at] mashable.com.