Ask HN: How does my Instagram keep getting compromised?
188 points by china on Dec 28, 2021 | 112 comments
I was an early Instagram user and got my nickname as my handle and I keep getting either locked out of my account or compromised altogether.

Over the years, hackers have tried a number of things to steal my handle and I can usually tell how they get in. These days, I have no idea. I've been SIM swapped a handful of times. One time a hacker faxed a fake ID to Godaddy to try and swap out my domain to gain control of my email (they were successful).

Now, I will try to log in to my account and will just be locked out. The email I created specifically for Instagram is not recognized, and there is no way to reset my password.

I have two-factor auth on, I don't use the same password anywhere else, I change it regularly, etc.

My current theory is there is some employee at Meta that's ultimately stealing the account. Does anybody have any idea how they're hacking me?

PS: the worst part about all this is in order to get the handle back, I have to pull strings with folks I know at Meta, for a normal user, they would have absolutely no way of regaining access...

[Update] Just got the account back and still have no idea how my email was removed from the account...

[Update 2] Reviewing the security section I see a password reset email was sent to [username]@instagramz.com. No clue how or who changed the account email to that though.
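The second update is the one concrete artifact in this post: a reset mail went to an address on a domain that differs from the real one by a single character. The check below is an added example, not from the original post, of how a defender would triage such an address: compare the recipient domain against an allowlist, accept genuine subdomains, and flag near-misses by edit distance so a human looks at them before trusting the mail. Later replies in this thread say instagramz.com is Facebook-owned; the check still reports it as a lookalike, which is the point. The allowlist (with the placeholder owner domain example.com) and the distance threshold are assumptions.

```python
"""Flag account-recovery addresses whose domain merely resembles a trusted one.

Added example (not from the original post). Assumptions: the account owner's
own mail domain is the placeholder "example.com", and an edit distance of 2 or
less counts as a lookalike.
"""

from dataclasses import dataclass
from typing import Iterable, Optional

# Domains that may legitimately appear in account-recovery mail (assumption).
TRUSTED_DOMAINS = {"example.com", "instagram.com"}


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert/delete/substitute), O(len(a)*len(b))."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


@dataclass
class Verdict:
    domain: str
    status: str              # "trusted", "lookalike" or "unknown"
    closest: Optional[str]   # nearest trusted domain
    distance: Optional[int]  # edit distance to that domain


def classify_recovery_address(address: str,
                              trusted: Iterable[str] = TRUSTED_DOMAINS,
                              max_distance: int = 2) -> Verdict:
    """Classify the domain part of an e-mail address against the allowlist."""
    trusted = set(t.lower() for t in trusted)
    domain = address.rsplit("@", 1)[-1].strip().lower().rstrip(".")

    # Exact match or a real subdomain (mail.instagram.com) is fine.
    for t in trusted:
        if domain == t or domain.endswith("." + t):
            return Verdict(domain, "trusted", t, 0)

    # Otherwise find the nearest trusted domain by edit distance.
    closest = min(trusted, key=lambda t: levenshtein(domain, t))
    dist = levenshtein(domain, closest)
    status = "lookalike" if dist <= max_distance else "unknown"
    return Verdict(domain, status, closest, dist)


if __name__ == "__main__":
    # Constructed inputs; "[username]" stands in for the real local part.
    for addr in ("[username]@instagramz.com", "me@example.com", "x@mail.ru"):
        v = classify_recovery_address(addr)
        print(f"{addr:28} -> {v.status:9} (closest {v.closest}, distance {v.distance})")
```

A lookalike verdict is a trigger for verification, not proof of fraud: a genuine but unfamiliar sender domain and a typosquat look identical to this check, so the next step is to confirm the domain through the provider's own security settings rather than through anything in the mail itself.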




Your situation is apparently common nowadays with OG usernames and can get very dangerous. I had no idea this was a thing until I listened to an episode on Darknet Diaries [0] recently.

In the old days, I remember people going after short domains in the same manner. ICANN ended up adding locking (auth codes) - perhaps IG and other social sites can learn from it.

Be safe!

[0]https://darknetdiaries.com/episode/106/


I'm not up-to-date with what OG means. Apparently OG "original gangster" usernames refer to common words such as "@Miracle", that were registered by early adopters.

https://www.nytimes.com/2021/02/04/style/instagram-account-f...


Yes indeed - I thought everyone knew that /s :)

You’ll be amazed how much googling I do when having conversations with friends - I wasn’t born in the West and things like movie references leave me confused af! But I hide it… thank goodness for urban dictionary


Looks up "af"


The other problem is people not capitalizing abbreviations as they should. You see even major news organizations doing it. The entire nation of Great Britain appears to think there's a space agency called "Nasa." Ignorant AF.


I think I read somewhere that there’s a rule for abbreviations that if they’re “pronounceable” you shouldn’t use all caps. For example, you write IBM because you articulate the letters, it’s not “Ibbem”. Conversely you don’t say the letters in Nasa, but you do in NSA and so forth.


It's dependent on the organisation's style guide, so not a 'hard and fast' rule, but you're correct

Other examples like this are whether numbers are spelt out (eg one vs 1), and at what point that changes (eg spelling out "ten" but writing 1,000)

But yeah, depends on the organisation.

Check out how the New Yorker deals with the word co-operation :P


As a Swede I have unfortunately lost all my respect for the New Yorker as an authority on language since I learned about their usage of the letter ö, which I guess is what you're referring to.[1]

Having a native language where this letter is very much present and carries phonetic meaning, it completely trips me up. It annoys me almost as much as when people use the equivalent letter Ø instead of the actual ∅ for "empty set". I'd probably even choose ⦰ but of course all of these choices require some awareness that a character is "taken" as well as some measure of consideration for people other than yourself and those just like you.

End of old man rant.

[1]: https://www.newyorker.com/culture/culture-desk/the-curse-of-...


Hahaha yes, that's what I was referring to and you're right to be infuriated by it. It's purely elitist horse-dust from The New Yorker to use ö rather than chucking a hyphen in there instead.


Was a little surprised by your comment - I don’t think you’re aware of usage in subcultures, it’s not about grammar.

Capitalization or lack thereof can indicate tone - e.g. yelling etc.

For example - What’s up mf! (greetings) vs. What’s up MF! (fight/challenge)


Abbreviations are not capitalized but acronyms are.


But what's considered as an OG account? Age? Short handle? Something that isn't imaginative or a portmanteau of something?

I remember the ICQ days where the shorter your ICQ number, you are the OG of OG's..


OG refers to precedence due to age. It also tends to correlate with short names, but that's just because people like short names - and so short names are registered earlier and thus are older.


urban dictionary can warp your belief in humanity.


Can be simply read as OriGinal


Well TIL. I thought it stood for Old Guard meaning "original or long-standing members of a group", but I'll take "original gangster" instead, sounds better :-)


OG does not mean “original gangster”, only confused senile journalists believe this. Just read it as “original”, or accept that nobody uses it as an abbreviation anymore.


Or that guy @slack on Twitter. Or @gusto on same


The ultimate example to me is the nissan.com guy.


Oh! How could I forget! Legend! And they had to get NissanUSA.com


OG is the old gang of people, the original early founders/adopters/users.


OG means "original gangster": https://www.merriam-webster.com/dictionary/OG (see History and Etymology section)

> slang: someone or something that is an original or originator and especially one that is highly respected or regarded


Old Gang of people... the original gangster. This doesn't seem wrong. OG directly translates to Original Gangster, but is used to refer to the old crowd, the original people, the firsts, etc. In extreme example, it would not be considered incomprehensible (but perhaps strange) to say something like "native americans are the OG north american inhabitants"... really nothing to do with gangsters.


Technically true, but... if you say it means "old group" or "original gaggle" or "oldest goat," you should probably expect to be corrected, because it sounds like an implication that that's what OG actually stands for.


It is notable in this case that gang is the root of gangster.


Here's another podcast episode about it, and I remember it being really really good. They actually befriend a scammer who is pretty open about how it works:

https://gimletmedia.com/shows/reply-all/v4he6k


TL;DR: The only methods discussed in this episode are SIM swapping and password guessing. Neither of which are relevant for OP. Unless OP is lying, there must be some other method used.


Halfway through this pod. This is terrifying.


Reply All also did an episode about this a few years back.

https://gimletmedia.com/shows/reply-all/v4he6k

tl;dr There's underground marketplaces where shady people buy and sell OG usernames for money, which creates an incentive for shady people to steal them from the original owners.


Perhaps incentives don't line up... but I'm wondering if social media sites like IG should make renting out usernames a thing - obviously there's a market for it. If I'm taking social media hiatus, for example, I wouldn't mind getting paid while away.


Sooooo how does that work? I rent your username while you’re on holiday for a month and then spam your followers with crypto scams and viagra ads?

Or they decouple followers from the username so the username becomes a transient thing, which then gets ignored, and becomes worthless?


I prefaced it with perhaps incentives don’t necessarily line up… maybe there’s a clever way to go about it. I was thinking it will be pre-approved category of content… there’s already such model with sponsored content influencers post.


That is basically how domains work, but there are grace periods for recovery.


How is my username made in the last 4 years different from an OG username?


OG names are names that are (and always were) in high demand, and therefore were quickly taken. The fact that your name was still available means that it wasn’t in high demand. OG names are being pilfered because they are in high demand and therefore highly valuable.


It’s like trying to register a .com domain - OG ones (short 2-4 letters) are only available in the aftermarket, and only if you have millions. You end up with a long-ish name that’s also taken - so end up with domainhq or .io or whatever is popular now.


Because all the good obvious ones are already taken. Simple ones like "kevin" or "a". Unless your name is super unique, your username from the last 4 years has some sort of quirky thing, like a weird spelling with extra letters or numbers to get around that.


I'll have to listen!


Came here to post the same episode. Strongly recommended; it's eye-opening, and it will give you a good idea of the incentives and the type of people you're dealing with (although you'll see the techniques are the ones you already know: SIM swapping, social engineering, escalation of personal attacks, etc).

Good luck defending your handle!


I'd auction and sell it and be done with the headache personally. It's likely one day your meta well will dry up and that will be it, years of back and forth to see the handle gone and promoting crypto eventually or some crap.


This is what a friend did in the exact same situation. He just moved into the house he built with the dough. Life is weird now.


Many companies forbid the sale of usernames in their terms of service, so an attempt to auction it off could result in it being revoked. Generally, when sales of usernames do happen, it’s in private so there’s little reason to take action… it’s why there’s no reputable marketplace for usernames.


> I'd auction and sell it

Where could you even do this?


I believe there's a website called ogusers, I can't personally vouch for it, but I've heard from friends that's what they use


Thank you.


Have you tried reporting this to Meta’s security team and copying your state’s attorney general? Sounds like the CFAA would apply. You may not win, but making noise may help, and if it’s an insider they might be fired if Meta knows the legal apparatus is notified.

https://en.wikipedia.org/wiki/Computer_Fraud_and_Abuse_Act


I haven't yet... so far I have always been able to get it back via a friend at FB.


Get on record with law enforcement and state legal reps. Unauthorized authorization is a federal crime, and a paper trail is crucial for seeking recourse.


I'd report it to the FBI, as well.


My account seems to have gotten hijacked too. Someone has (apparently) posted something that's against community standards in my profile, as a consequence of which FB has disabled my account and says if I don't appeal in 30 days, the account will be disabled.

The strange thing is when I try to appeal I get this page.

"Security check To confirm your identity, we will text a confirmation code to your phone."

I select my phone number, and receive the right SMS, but it says

"Error Sending SMS Could not send confirmation SMS. Please check the phone number and try again."

So I cannot actually enter the code.

I also have 2FA enabled and this doesn't seem to have been breached.

On devices that are still logged in I see them telling me I have posted something that is in typical photos grid format, but they don't show me what the photos were. When I press the button to request review, it does nothing.

<https://savolai.net/uncategorized-en/banned-from-facebook-an...>


I would look at your email forwarding filters. It's common to see compromises with this pattern where the email for your account was compromised and all the email is being forwarded to an attacker.


This! Have seen this personally in multiple friends’ mail accounts. This way it is “surviving” password changes, 2FA changes etc
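The forward-and-hide pattern the two comments above describe is easy to audit once the mailbox rules are exported. The script below is an added example, not from either commenter: it walks a list of rules and flags the ones that forward mail off-domain, forward everything, forward and then delete or mark read, match account-security keywords, or carry a near-empty name. The rule records are a constructed, provider-neutral shape (not Gmail's or Exchange's real export format), and the mailbox's own domain example.com is a placeholder.

```python
"""Audit mailbox rules for the forward-and-hide takeover pattern.

Added example (not from the original comments). The rule records below are
constructed in a provider-neutral shape; a real audit would map the provider's
export (Gmail filters, Exchange inbox rules) onto the same fields first.
"""

from typing import Dict, List, Tuple

OWN_DOMAIN = "example.com"  # assumption: the audited mailbox's own domain
SENSITIVE_TERMS = ("password", "verification", "security", "reset", "login")

# Constructed sample: one harmless rule and two that deserve a look.
SAMPLE_RULES: List[Dict] = [
    {"name": "newsletters",
     "match": {"from": "news@example.org"},
     "actions": {"move_to": "Newsletters"}},
    {"name": ".",
     "match": {"subject_contains": "password reset"},
     "actions": {"forward_to": "drop@mail-collector.test", "delete": True}},
    {"name": "backup",
     "match": {},
     "actions": {"forward_to": "me@example.com"}},
]


def audit_rule(rule: Dict, own_domain: str = OWN_DOMAIN) -> List[str]:
    """Return human-readable findings for one rule (empty list if clean)."""
    findings: List[str] = []
    actions = rule.get("actions", {})
    match = rule.get("match", {})

    forward_to = actions.get("forward_to")
    if forward_to:
        fwd_domain = forward_to.rsplit("@", 1)[-1].lower()
        if fwd_domain != own_domain.lower():
            findings.append(f"forwards to external domain {fwd_domain}")
        if actions.get("delete") or actions.get("mark_read"):
            findings.append("forwards and hides the message (delete/mark read)")
        if not match:
            findings.append("forwards every message (no match criteria)")

    # Rules that single out security mail are how an attacker keeps
    # reset/verification codes while the owner never sees them.
    haystack = " ".join(str(v) for v in match.values()).lower()
    if any(term in haystack for term in SENSITIVE_TERMS):
        findings.append(f"targets account-security mail: {haystack!r}")

    # Heuristic: names like "." or "," are hard to notice in a rule list.
    if rule.get("name", "").strip() in ("", ".", ",", "..."):
        findings.append("near-empty rule name")

    return findings


def audit_rules(rules: List[Dict]) -> List[Tuple[str, List[str]]]:
    """Audit every rule; keep only those with at least one finding."""
    report = []
    for rule in rules:
        findings = audit_rule(rule)
        if findings:
            report.append((rule.get("name", "<unnamed>"), findings))
    return report


if __name__ == "__main__":
    for name, findings in audit_rules(SAMPLE_RULES):
        print(f"rule {name!r}:")
        for f in findings:
            print(f"  - {f}")
```

Forwarding to your own domain is not flagged as external, but a rule that forwards everything with no criteria still is; after a suspected compromise, every rule the owner cannot account for should be removed and the provider's "recent security activity" view checked for when it was created.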


Meta just seems to be superhackable with the company not giving a shit these days.

There was another user here the other day who had their heavymetal community page hacked, and facebook's advice page was to "politely ask the new owner to let them back in" [1].

Absolutely ridiculous.

[1] https://news.ycombinator.com/item?id=29706571


If you are using the nickname china and have registered it a lot of places, even if you are completely non political and in no way associated with the country China, I can imagine the existence of these accounts outside of the governments control is a risk the government will be willing to spend millions trying to get rid of. I'm not sure you can fight that, at least not by yourself.


> My current theory is there is some employee at Meta that's ultimately stealing the account

This happens all the time, there is no recourse. Instagram employees are constantly taking usernames for themselves.


Seems like employees can manually escalate accounts into a locked state and my guess is if it remains in that state long enough it's easier to claim.

So they frustrate users long enough to eventually give up on constantly reclaiming the account, then they get it for themselves to sell or whatever.


Not just themselves, often it's stolen to order: there's been a few mainstream stories about this and they often mention that paying off Facebook employees is pretty commonplace because the value of these usernames and the low paid customer service representatives are a recipe for bribery.


Interesting, do you have any links to that end?


Just my personal observation. I earned around half a million dollars by running an "autoclaimer" that would automatically register Instagram names as they'd become available. I'd regularly see Instagram employees grabbing names from my portfolio for themselves.


If you could post before / after screenshots showing proof of this theft somewhere - along with the real-world names of these employees -- that might get a lot of eyeballs.


I can understand the company pulling usernames from an automated name squatter... but I wonder if this happens to fully established accounts too?


Well, I tracked the previous UIDs and saw a lot of names that weren't squatted getting released and shortly after ending up with Instagram employees.

E: Oh yeah, there was also the whole "trademarking" thing that was used to steal generic names from active accounts using obviously invalid trademarks. https://www.vice.com/en/article/zma3w4/scammers-fake-tradema...


How do valuable usernames 'become available'? Like the person deletes their account?


People deleting their accounts, or trying to sell their usernames and messing up the transfer.


Wow that's a shitty thing to do


Meh, it's their site. It's just weird that they don't seem to have any controls around this.


Don't hate the player, hate the game.


This is not the kind of game that they're forced to play. So hate both.


Should be easy enough to post a list of stolen accounts someplace public.


wait what? how are they not fired, that's got to be against the "community guidelines" (unless of course it's for an advertiser or political organisation. )


I assume they aren't emailing Mark Zuckerberg with every account they steal. All it takes is lax internal auditing and a culture where customer service[1] is not valued and this could go on for a very long time.

[1] Ok, this is a little unfair. They do have customer service, but what they don't have is product service, and this guy is just part of the product, not a customer.


If your IG handle is the same as your HN handle, could it be some very motivated people from that country's bureaucracy looking to take that handle for the state?


Likely a phone call is all it would take and Meta would happily hand it over.


Instagram stole @sussexroyal from a real user, and gave it to some entitled "royals" who used the account for like a year before dropping it. So annoying how your handle isn't your handle, it's the company's, and they will steal your handle at a whim.

I never even figured out why the "Royals" wanted specifically @sussexroyal or whatever it was so badly. The Royals can't even be like the rest of us and pick a handle that is available, they have to be like "well no we deserve this one even though someone has it already"


> So annoying how your handle isn't your handle, it's the companies, and they will steal your handle at a whim.

You don't own digital assets in any sense (excepting crypto, which is a whole other set of problems), at best you have a contract with some rights of use.


> You don't own digital assets in any sense

One of the largest classes of digital assets are personal files on individual phones and other personal computers. So yes, sometimes you do very clearly own digital assets (and no, a link about one time where some government broke the law and stole someone's files doesn't refute that).

Your personal photos on your PC are digital, they're a digital asset, and you do own them. No contract necessary. The same is true for all sorts of other types of personal digital files you might hold as personal property, from spreadsheets to backup email records to pdf files of contracts and on it goes.


> on individual phones

But most people don't even own that!

Apple can unilaterally and arbitrarily decide at any time to lock your phone remotely and 100% disable your access to iCloud.

You're correct about stuff which is more bare metal than a phone like a hard drive with data on it, but, I would argue that that only encompasses a tiny if not non-existent amount of data for an average (not HN) user these days.


You don't own crypto, either - the consensus does. If the consensus is that you don't have the crypto (such as if they fork after you successfully stole millions of dollars worth of crypto on the main chain), you don't.


Sorry, I didn't mean to suggest that you did own crypto. I was singling it out largely because the normal dispute resolution process, the courts and legal system, are irrelevant to crypto. You can't sue bitcoin to make the blockchain reverse a fraudulent transaction the same way you can (ostensibly) sue a bank.


Assuming that China itself is trying to capture it, and not a rogue state that still wants to use the username for political means.


> My current theory is there is some employee at Meta that's ultimately stealing the account.

This was my first thought given the e-mail address change. Someone e.g. bribing a support person.

My (uninformed) guess would be that given that you got the account back, this probably got escalated, someone looked at it, fixed it, and hopefully got the criminal support person's access disabled, until the next one gets bribed...


>China

You will be forever fucked, as big as Meta/Facebook/Instagram's exploit attack surface is. Microsoft/Office/Xbox is in a similar position as well.

early lucky adopters not employees will always have their accounts poached constantly on every common platform. eventually those who have the names paid for the 'rights,' or defend it communally.

yes, communally - it is a literal racket of cybergangsters on every platform leveraging anything from social engineering your doxxed naive grandma into reading a private key to 0-daying your teamviewer to install a common keylogger.

bribing csr's is extremely common, as is sim-swapping (bribing att/verizon csr's), and there are a myriad of attack vectors in between

but of course 94% are just script kiddies using a "turbo"/api-spammer to take the username between other 3rd party transactions. it's a parasitic economy of bottom-feeders and iGangsters.


You should tie your IG account to a Google Voice number instead of your cell, that way it can't be SIM swapped.


My insta account keeps getting reset password requests every week for years. I’ve had multiple people ask to buy it, then threaten to sue, etc

I’ve tried to contact meta/Instagram about 50 times and not once has anyone emailed me back

How is it this hard to get support? It’s a personal account and I still have it so I don’t really care that much but there must be a way to get a hold of someone isn’t there!?


This happened to me several years ago. My account got locked out and I had no way to contact a human to get it back.


Same, I was going to pen something to instagram legal and such.


https://www.nytimes.com/2021/12/13/technology/instagram-hand...

Her Instagram Handle Was ‘Metaverse.’ Last Month, It Vanished.


And then she got it back.


Only after bad press.


Ok, so I had a similar situation. What it was is that I signed up for insta pre Facebook merger. Then I connected my Facebook account to insta. So my old username password combo were compromised because I reused them when I was a moron when I was younger. So someone gained access via the original Instagram password and username, changes my email. Then I would login via Facebook and have access at the same time. The different geo locations and unusual activity caused my account to be locked periodically. When they unlocked it I logged in quick, changed the email address and password on the account on the Instagram side and enabled 2 factor and haven't had an issue since.


What devices are you using the account on? If it's on a desktop browser, my assumption would be that you've got malware. That allows them to trivially steal the session cookies, steal the passwords the next time you log in, steal any device identification cookies that are used to control not using 2FA on logins from trusted devices / sending new device notifications, and also hijack your recovery and notification email address.

If you're only using this via the app from a mobile device, then malware is an unlikely explanation though.

(Why are you regularly changing the password anyway? What's the threat model you're trying to guard against?)


99% of the time I am on an iPhone, the other 1% (which is generally right after I have been hacked) is on a fully updated MacOS install.


Any browser extensions installed?


instagramz.com is a legit domain owned by Facebook


Sure looks like it, nameservers point there. Seems a Facebook\b\b\bMeta employee did this to you OP.


Not necessarily a hacker; changing the email to a whitelisted domain that will reject the email probably makes it the safest email address to use.


Instagram is severely broken. I have never had an account on there and it has repeatedly happened that I was logged into some random stranger's account as I clicked on some Instagram weblink. I could read all their private conversations, message people in their name, mess with their settings. Their security is so badly broken, I wonder if they can be held criminally liable for it.


I had a two letter name which got hacked. I called in a favor from a friend of a friend at instagram/FB and got it back.. then it happened again and I didn't want to ask the favor again. IIRC they did not yet have 2FA even though I asked for it ( I was assuming it would happen again and it did. )


On top of all security measures, Meta, Google and other big tech that offer Auth-as-a-service need to offer paid service to reclaim an account. I am sure people would be happy to pay to talk to a real human and take back their account.


>@instagramz.com

ha....someone stole this domain or hijacked/spoofed an email chain in the password reset api. you should be honored.

>Last updated from Registry RDAP DB: 2021-12-28 06:35:41 UTC

it of course still resolves to instagram.


Plot twist, you are the hacker


This is a honeypot for new hacking ideas, right?


Someone at Facebook stealing your domain is quite an accusation. Assuming your domain was similar to your username/IG handle, wouldn't it be more likely to be people wanting your "china" domain for spam/malware/propaganda/etc?


I think the stealing of my domain was a bit of social engineering by a hacker (not somebody at FB).

Now, my account gets taken without any noticeable trace on my end. No security emails, no suspicious login attempts, nada...


Contra the above dude, I don't think it's all that strange for Facebook employees to profit directly off of their access to these systems. See this article about how employees charge for verifications: https://mashable.com/article/instagram-verification-paid-bla...


there is a lot of precedent for Meta employees taking usernames. here's another example:

https://news.ycombinator.com/item?id=7598226


Not really. It already happened several times since short usernames go for crazy amounts.


> Someone at Facebook stealing your domain is quite an accusation.

NSA employees do it, why would Meta employees be better than the average?


I wouldn't count a NSA employee as "average", I'd assume they have access to tools the "average" doesn't have. Comparing that to someone at Facebook just doesn't make sense.


I guess he didn't mean the guy from marketing. But mods and customer support people do have admin access over accounts.


Publicly pondering a theory is an accusation now?


It read to me like that, yes.



