Here's why hackers want your Instagram account

ByRenee Koury KGO logo
Saturday, August 24, 2019
Why does a hacker want your Instagram?
Why would hackers want to take over the Instagram accounts of a college student and first-grade teacher? Their stories reveal why anyone can be a target.

SAN FRANCISCO (KGO) -- Instagram is now considered the king of social media, with a billion users worldwide. While it's a fun way to post cute pictures and stories, it's also a growing target for hackers.

Cyber thieves are snatching accounts not just from the rich and famous, but from ordinary folks as well. Two Bay Area residents are among the latest victims -- a college student and a first-grade teacher. Why would anybody want to steal their Instagram accounts? What are the bad guys doing with them, and why won't Instagram help them recover their accounts? When they couldn't find a way to snatch their accounts back from the hackers, they came to 7 On Your Side for help.

"So, a Russian hacked my Instagram," college student Sofia Esna-Ashri explained how it all began. She awoke one day to find she couldn't log into her Instagram.

The same thing happened to San Francisco first-grade teacher Jamie Lee. "I don't know what they wanted with my account,'' she said.

Both seemed like unlikely targets for a hacker. Esna-Ashri, a fashion student at the Academy of Art University, had posted only ordinary pictures of her designs, her friends, her classes. Likewise, Lee posted only whimsical photos of food and friends. But both found their accounts suddenly hijacked by someone somewhere, and linked to an email based in Russia. They could tell by the "RU" country code in the email address.

The hacker had changed the email and password associated with their accounts, so they were powerless to get back in to claim them back. And they said Instagram ignored their pleas for help.

RELATED: FBI investigating Facebook hack as company reveals new information

"Panic, just panic, and I want to do something to fix it," Lee said. "I worried about what they might be doing, sending messages in my name, using pictures." Her voice trailed off.

"It was a scary feeling because I was imagining a bunch of things they might be doing,'' Esna-Ashri said. "Like human trafficking or taking the pictures, finding me here."

Both tried to contact Instagram to get their accounts back. There was no phone number, no customer service. Just a tab on the site to report a problem. It spit out a digital reply.

"It was clear it was a robot just giving automated responses," Lee said.

"I sent email after email, nobody responded," Esna-Ashri said. She got so frustrated she marched down to the Instagram building in Menlo Park and knocked on the door.

"I asked them if they could help me and they said this is a private facility, a private building and you can't come in," Esna-Ashri said.

Social media sites are teeming with reports like theirs - hackers, many seemingly in Russia, stealing ordinary Instagram accounts. And like many others, Esna-Ashri and Lee wondered: why theirs?

"Instagram is the king of social media," TechCrunch editor Josh Constine said. "And so it's a crown jewel for hackers to steal." Constine says your Instagram account may be highly valuable on the black market, even if it only has cute animals and foodie photos. Why?

One reason: it's legitimate. So Facebook, which owns Instagram, won't delete it as being "fake."

"Facebook deletes billions of fake accounts each year across its services," Constine said. "That's partially why there's been increased interest from hackers for stealing existing, well-used, legitimate-seeming accounts instead of starting new ones."

Hackers sell the accounts; buyers use them to spread spam or propaganda, or maybe use them to try to squeeze money from their owners. And yes, they're used to influence elections.

"We should be careful about assigning blame to specific countries because hackers do anything to cover their tracks and make it look like they're from a particular place," Constine said. "But we do know that the Russian government's propaganda arm did try to disrupt the 2016 presidential election using stolen Instagram accounts and fake Instagram accounts that they created."

RELATED: Instagram users falling for hoax about platform changing its privacy policy

Lee and Esna-Ashri were locked out so they couldn't see what the bad guys were doing to their accounts -- but friends who still followed them could see.

"They were following three thousand people, mainly girls," Esna-Ashri said. "They had Russian names. A lot of Russian people."

"It was just there for a long time, existing in space," Lee said. "I had no idea what they were going to do with it."

"It was terrifying," Lee said, watching and wondering what the hackers might do in her name. After all, the account was still registered to her, and friends thought she was in control.

She thought of her first-grade students. She said many as young as in kindergarten have their own Instagram accounts.

"All these kids and their parents think it's a platform for entertainment but it's so much more," she said. "When you post your information and photos it's a very serious thing. Until they go on the dark side of the web they don't know."

Lee and Esna-Ashri gave up on getting help from Instagram. They came to 7 On Your Side. Could we get their accounts back?

"I was told to create a separate email account which nobody knew except ABC7," Lee said.

We found a way - creating a secret email known only to Lee and 7 On Your Side. Instagram sent a secret code to that email, which she typed in.

RELATED: Expert believes Capital One hack is one of largest data breaches ever

"And I saw a link from Instagram themselves allowing me to change my password,'' she said.

Within minutes, she was back in her account.

"I feel like I regained my identity,'' Lee said. "It was so liberating."

Esna-Ashri had to take a photo of herself holding a piece of paper with a secret code number written on it, then email that to Instagram. The social media site then compared her posted photos with the one she emailed.

"After less than a day I got it back!" Esna-Ashri said. "If I didn't contact 7 On Your Side I wouldn't have got my account back. There was no way, noooo way."

Instagram chief Adam Mosseri promised an easier system to recover hacked accounts, saying on Twitter: "We've heard from the community we weren't doing enough here."

"To this day, I am so grateful to 7 On Your Side," Esna-Ashri said.

Lee said she was about to let the hackers have her account. "If 7 On Your Side hadn't helped me, I know it would have just been lost forever."

The best way to protect yourself? Use two-factor authentication for your email and Instagram account. Also, tell your cellphone carrier to never port your number to a different device. That's a common way to hijack accounts. Instagram says its recovery process is purposely difficult so hackers don't use it to claim accounts. Victims say hackers are already doing that. If your account was stolen let 7 On Your Side know about it -- we want to help.

Take a look at more stories and videos by Michael Finney and 7 On Your Side.