This article originally appeared on VICE US
The hacker took everything from 24-year-old Californian Lindsie Comerford. Her email, online banking, and her Instagram account, which had more than 41,000 followers.
Comerford is an influencer, a high profile, heavy Instagram user part of a multi-billion dollar industry who shares not only their own content but also advertises for brands and posts promo codes on behalf of companies.
"After taking two years learning photography, traveling the world, and meeting some of the most incredible people this earth has to offer is not something I am willing to give up or allow to have destroyed by the hands of someone that has no right,” Comerford wrote about the hacking experience on her website.
Hackers have taken notice of how important these Instagram accounts are to their owners, many of which entirely rely on their Instagram presence for their income. Motherboard recently reported on an emerging trend of hackers taking control of Instagram influencers’ accounts and holding them ransom. Now, a wave of fresh attacks and internal Instagram documents obtained by Motherboard provide more detail about the issue. Victims say that Instagram’s process for recovering accounts is so cumbersome that they’ve had to rely on third-party social media experts and, in some cases, white-hat hackers to help them regain access while Instagram itself was largely silent.
Motherboard spoke to four new victims of Instagram account hijacking. All of them said that Instagram was either very slow to respond or only provided computer-generated replies, and ultimately did not help them get back into the accounts.
“Instagram did nothing except for [the] automated procedure which did not help,” Manon van Os and Bram School, the Instagram duo known as The Flip Flop Wanderers with around 57,000 followers and who were hacked on Christmas Eve, wrote in an email to Motherboard.
“I spent the first 72 hours trying to get in touch with Instagram through help and support but I was unable to get anywhere with them,” Comerford told Motherboard of her own experience. “I called tons of times and emailed probably into the hundreds.”
“Cannot get any response at all from Instagram—they just keep sending me these automated emails,” musician Kendra Erike wrote to Motherboard in an email, whose account had 35,000 fans.
Instagram is aware of victims being locked out of their accounts in this way. One internal Instagram document obtained by Motherboard lays out the processes for Instagram employees who are tasked with “verifying ownership of an account.” One of the reasons users contact Instagram is because a hacker has changed the account’s contact details, the document adds.
When someone’s Instagram account is hacked the social media site provides a mechanism for those people to get their account back. Instagram calles this “selfie + code”—it asks the user to send a photo of the user’s face with a code that Instagram sends to them, written on a white piece of paper (and with both hands visible.)
The internal Instagram document explains that Instagram asks for this verification so that a human moderator can use the image and compare it to previous photos that have been posted on the account.
With the selfie, Instagram workers are told to look for “primary face match indicators,” between the image sent in and already posted Instagram photos. These indicators include, for example, the person’s nose or other defining features to determine if the selfie matches the correct account owner (Motherboard is not printing a detailed list of these so as to not give hackers their own advantage at manipulating Instagram’s systems.)
The company does have issues with people trying to abuse the support system to gain access to accounts that are not theirs, according to the documents. Several slides discuss what Instagram employees should do if they receive suspicious selfies or codes that appear to be doctored or photoshopped.
Several of the victims tried this process to no avail, though. Clearly, there is something wrong with Instagram’s account recovery process if multiple hacking victims are having an issue with commands issued by Instagram itself.
“We know that losing access to your account can be a distressing experience. We have sophisticated measures in place to stop bad actors in their tracks before they gain access to accounts, as well as measures to help people recover their accounts,” an Instagram spokesperson told Motherboard in email.
In most of the cases Motherboard encountered, hackers posed as a brand interested in sponsoring the target influencer by paying them for posts or by sending them merchandise in exchange for publicity.
“What is the cost of an advertising post on your page?” the email to the Flip Flop Wanderers asked. “Possible discount for a promotional post during the submission of our clothing as a gift?”
Each email included a convincing looking phishing link, which appeared to go to the sender’s real Instagram account. Instead, it directed the victim to a fake Instagram login page, which then sent the victim’s password to the hacker. The hacker then changes the password and email address, which locks out the owner. They then contact the victim and demand a relatively low amount for extortion—in cases Motherboard saw, it was usually around $300 in bitcoin. Sometimes, even when they’ve received payment, the hackers still delete the account.
Instagram has been so unhelpful for a number of users that they’ve had to turn to third-party social media experts for help re-gaining access to their own accounts. Most of the victims Motherboard spoke to ended up getting help from someone who goes by Juan Diego J Pelaez, a Colombian who bills himself as an Instagram expert. Palaez also suggested to Motherboard that he has engaged in hacking in order to help people.
“I have different ways to recover the account,” Pelaez told Motherboard in an email. “It’s a little difficult, so it takes more time to recover." Palaez has figured out some tricks to progressing through Instagram’s account recovery process, making it more likely that Instagram will act on a stolen account claim. Several of the victims said they were referred to Pelaez either by other victims or members of their Instagram communities.
In at least two cases, Palaez told the victims he needed access to their email in order to effectively get back into their Instagram account.
“Obviously, I was very skeptical and scared but Juan gained both my trust and the passwords to all of my accounts,” Lindsie said. “From there, step-by-step he held my hand through Instagram’s Help and Support system showing me examples of what Instagram needs to see in that initial photo with the code to get past the initial step of the verification process.”
In Comerford’s case, she said Palaez responded to each email from Instagram on her behalf and helped her through the verification process.
In two cases, the victims said the hackers eventually replied with the real passwords to their accounts after days of silence. Asked why the hackers would do this, Palaez implied that he hacks the hackers themselves. “Some of them give the passwords cause I do attacks to their devices,” he told Motherboard in an email, without providing more clear details.
Instagram acknowledged it does not always help users. “We know we can do more here, and we're working hard in both of these areas to stop bad actors before they cause harm, and to keep our community safe,” the spokesperson added. The company said that it was able to help the Flip Flop Wanderers and Comerford regain access to their accounts; both told Motherboard they relied on the help of Palaez who used Instagram’s processes.
Instagram told Motherboard it has not seen a spike in the number of accounts being hacked. Pelaez, though, says that more people have been coming to him: “this increase[s] a lot, every day a lot of people get hacked [in] different ways,” he said. (It is possible this is an issue of only now learning of the hacks, rather than an actual increase in their frequency.)
One hacking victim Motherboard spoke to still hasn’t been able to access their account at all, however.
“I have been forced to open a new account [with] a different name and try to rebuild. Extremely frustrating but I don't know what to do,” Erike, the musician, wrote in an email.
Subscribe to our new cybersecurity podcast, CYBER.