If you haven’t had one of your social media accounts hacked, consider yourself lucky, but don’t assume that you will be safe forever.[1] According to a survey by the University of Phoenix, nearly two-thirds of adults have had a social media account hacked.[2] Often, scams start with an automated link sent from a friend’s already-compromised account. That link leads to a fake version of the social media platform, which prompts the user to enter their login details. Oftentimes, if the user changes their password right away, they can avoid having the account completely taken over.
This was not the case for Gina, a third-year UBC student. Her Instagram account was hacked and quickly taken over by a real person twice consecutively in March 2022. She shared how the experience changed her approach to social media.
Note: Responses have been edited for length and clarity.
Describe, in your own words, your relationship with your social media accounts before being hacked.
Social media is something that I check daily and often. Most of the time I use social media because a lot of my friends use direct messaging on Instagram. A lot of them are international students, so we can’t really use iMessage without being charged. So social media—like Facebook Messenger, Instagram—those kinds of platforms I use pretty often. But around the time that I was hacked, I wasn’t using it that often just because I was so busy with school and I was studying for finals, trying to shift my focus towards that instead of checking social media more often.
How did you know you had been hacked?
I actually received a message from my friend through direct messages; it just seemed like a normal conversation. She asked me how I was doing, how school was going and I rolled with it. She told me that she was working on a school project and wanted to send me this link. I thought, okay, maybe she just wants to share with me what she’s working on. So, she sent me the link [to a Google Doc] and then when I clicked on it, it brought me to my Chrome browser, but it wasn’t loading. I thought it was an issue with my Wi-Fi and I kept shutting everything off. Tried reloading it again. And then it just left me at a blank white screen. I was about to message her back like, oh, the link isn’t working, but right as I was trying to do that, I got logged out of my Instagram account immediately.
After that, I got a text message from this really odd number. I don’t even know how they got my number. It was a five-digit number that you would get from some kind of robot, and it was asking to click on another link and I’m like, okay, obviously I’m not gonna do that, because I don’t know who this person is.
I was like, well I’m gonna try logging in again, just thinking maybe it was some glitch and I couldn’t get back into my account. But my username was changed immediately. So my username, I couldn’t use anymore. I didn’t even have access to Instagram, so I couldn’t see what they [the hacker] were using.
Everything was changed. And I thought, okay, I’m just gonna message one of my friends and see if they can see my account and tell me if something’s wrong with it. So my friend took a picture of my account and they had changed my username. Immediately they changed my username, changed my phone number, changed my email. So I couldn’t do any two-factor authentication to log back in to my account.
What actions did you take after you realised your account was hacked?
It took me several days [to get my account back]. Instagram has several different authentication methods if you’re hacked. This came in handy, but they were also very difficult to navigate because Instagram does not have a direct phone number, email, or open forum where you can submit questions about how to get around hacking. They just say follow these instructions, which makes it really difficult.
The first time around, they had asked me to take a blank white piece of paper and they sent me a number via an email address that was formerly on my account (as the hacker changed the email to something else). I wrote down the number on a piece of blank paper and held it up to my face so they could match it to the photos of me on my account. I did that, and they said, okay, we’ll respond to you within one business day.
I’m kind of sitting there anxiously, because I don’t know what other information [the hacker is] gathering in the meantime—so I went through and I changed every single account that I had with every company, every bank, everything. I changed the username, I changed the password, I got two-factor authentication through a third-party app (Duo Push).
A day later they got back to me and said, “we need more information”. They said, can you do an artificial intelligence facial scan? Essentially you put the phone up to your face and it asks you to move your face in different directions. After you do a series of head turns, it submits that to Instagram and then it uses the technology to do a scan of your account to see if your features match up.
I got into my account, but the hacker was [already] in my account at the same time. It was a race to change my information before they could change it back. They actually managed to kick me out again because they had third-party authorization set up, which allowed them into my account despite me changing the recovery email. I had to repeat the entire recovery process again, but eventually I was able to get my account back for good.
What was the impact on your social media accounts when your Instagram was hacked? Do you still feel those impacts?
I’ve always kept my Facebook and Instagram separate, because I didn’t want the accounts to be linked to each other. Thank goodness for that, because I think if they did have my Facebook as well, that would’ve caused another issue because I did have my bank card details linked to my Facebook at the time. If I’d had my Instagram and Facebook tied together, the situation would’ve been a lot worse.
On Instagram, the hacker started posting cryptocurrency ads with pictures of my face. So they were using me as a marketing tactic and they were advertising it to all my friends. They also unfollowed a lot of people that I followed, and tried to message my friends that they could tell I was close to.
Did you learn anything from this experience?
I would say that, even though people say, “It’s not gonna happen to me”—I thought it wasn’t going to happen to me—and it did. And I feel like I’m really avid about privacy and security, I’ve always had two-factor authentication for all of my apps. So when this happened, I thought that I should up my security more—and seeing how aggressive people can be online, in terms of hacking and trying to get other people’s information, it made me really worried about what I’m actually signing up for when I’m downloading these apps—these accounts I’m creating. It made me really wary about how secure these apps are and why I even need to put in all this information. As a result of this experience, I decided to get a third-party authorization (Duo Push) for every single app that I use.
Has this experience changed the way that you interact with your online accounts?
Oh yeah, definitely. Nowadays, I’ve been trying to abstain from even messaging on Instagram. Because still in the back of my head, I’m thinking that there’s a possibility I could get hacked again. If I do have a Wi-Fi connection, I’ll use my iMessage or WhatsApp. It’s just kind of been a scary thought of “this can happen to me, so it can happen to my friends, it can happen to my parents”.
So… How can you protect your online accounts?
One of the best ways to protect your accounts is to set up third-party two-factor authentication. When you log in to your account, you will be prompted to verify your login through another app. This way, a hacker who has only your login information won’t be able to gain access to your account, because you have to manually verify all login attempts. There are a number of services that offer this. UBC [3] and UofT [4] use an app called Duo [5] to secure your student account; the app can be linked to any other account as well.
Periodically asking questions about your account security and digital identity can help to protect against cyber security threats. We’ve developed a few questions to consider when trying to protect your digital identity online.
Questions to Consider:
- How do you view your social media accounts? Are they an extension of your personal identity?
- Do you consider how vulnerable your social media accounts are on a regular basis? (e.g., Do you have multiple linked accounts? Do you reuse the same or similar passwords on multiple sites?)
- How would your digital identity be altered if your online presence were stolen?
References
[1] Morrison, Sara. “Anyone Can Fall for Online Scams – Even You. Here’s How to Avoid Them.” Vox, Vox, 29 June 2022, https://www.vox.com/even-better/23157229/online-scam-venmo-zelle-cashapp-crypto.
[2] “Nearly Two-Thirds of U.S. Adults with Social Media Accounts Say They Have Been Hacked.” University of Phoenix Media Center, University of Phoenix, 27 Apr. 2016, https://www.phoenix.edu/media-center/press-release/nearly-two-thirds-of-u-s-adults-with-social-media-accounts-say-they-have-been-hacked.html.
[3] Avdich, Justin. “How to Enrol in Enhanced CWL.” KnowIT, UBC, 24 Apr. 2019, https://knowit.ok.ubc.ca/article/how-to-enrol-in-enhanced-cwl-974.html.
[4] “UTORMFA.” Information Security and Enterprise Architecture, UofT, https://isea.utoronto.ca/services/utormfa/.
[5] “Two-Factor Authentication Methods – Duo Push.” Duo Security, Cisco, https://duo.com/product/multi-factor-authentication-mfa/authentication-methods/duo-push.
Written By: Eden Solarik
Edited By: Alex Kuskowski
Image: Photo by Joan Gamell on Unsplash
Special thanks to Gina for sharing her story with us!