On Monday, Instagram announced it is testing changes that could make it easier for users to regain access to hacked accounts, as well as security features that could make it harder to steal Instagram usernames in the first place.
The news comes after a wave of Instagram users have faced issues getting back into their locked accounts. In some cases reported by Motherboard, hacked victims even turned to third-party white-hat hackers to help them recover access to their Instagram after becoming frustrated with the company's lack of customer support.
"We know that losing access to your account can be a distressing experience. We have measures in place to stop accounts from being hacked in the first place, as well as measures to help people recover their accounts. But we heard from the community that these measures aren't enough, and people are struggling to regain access to their accounts," an Instagram spokesperson said in an emailed statement.
The first change, which Instagram will begin testing on Monday, "will make it easier for you to sign in and reclaim your account if it has been hacked," the spokesperson wrote.
After either repeatedly entering an incorrect password—presumably because the hackers have changed the one linked to the Instagram account—or clicking the "Need more help" option on the login page, Instagram users will be asked to enter the email address or phone number linked to their account, or the ones used when they signed up to Instagram, the spokesperson wrote. Instagram will then send a six-digit code to allow the user to regain access to the account, the spokesperson added.
An issue with some Instagram account takeovers, however, is that the hacker sometimes also has access to the victim's email account or is in control of their phone number, as well. With that in mind, the spokesperson added, "When you re-gain access to your account, we will take additional measures to ensure a hacker cannot use codes sent to your email address [or] phone number to access your account from a different device."
This process can allow a hacking victim to get back into their account even if the hacker has changed, say, the account's username, the spokesperson wrote.
This is a common issue across Instagram, with hackers targeting users with sought-after handles such as single words or first names. Motherboard has extensively covered the trade of these valuable usernames, which can sometimes sell for tens of thousands of dollars on underground forums.
Building on that first change, and specifically around the issue of stealing usernames, the Instagram spokesperson said another feature will "ensure your username is safe for a period of time after any account changes, meaning it can't be claimed by someone else if you lose access to your account."
"With this feature, we give the account holder the security of knowing that their username will not be available to be claimed by someone else for a period of time following any changes," the spokesperson added. The feature is currently available to Android users and is rolling out on iOS, they added.
One source familiar with the trade of stolen Instagram handles said the new measures would likely slow down some account takeover methods, including the use of so-called "auto claimers", which try to register usernames as soon as they become available.
But hackers will then change their own tactics.
"Their measures for regaining accounts will just make the market stricter by forcing users to put the usernames on accounts where email access is included as well as no previous number attached," the source, who went by the handle "Seb", said in an online chat.
Last year, Motherboard reported how hackers were holding high profile Instagram accounts hostage. Targets included fitness and lifestyle influencers, and the hackers typically broke into an account by pretending to be a brand wanting to sponsor the target and then sending a phishing email. Once inside, the hackers changed the victim's password and demanded a payment made in Bitcoin.