I know you’re probably tired of hearing about Russia and hacking, but I promise this is not about politics and could potentially save you a heap of heartache if you’ve worked diligently to cultivate a following on Instagram like I have.
Last week, my Instagram account was hacked by someone in Russia. I know this because when I couldn’t login on the app, I tried to request a password reset, and the message following the request notified me that the message had just been sent to an address with a .ru extension.
After the initial shock that someone on another continent would commit such a nefarious act to co-opt a feed that is basically 98% food photos and 2% photos of my cat and that doesn’t have hundreds of thousands of followers, I did my best to remain calm. I was in the process of packing for a meditation retreat that began the next day, so after some purposeful breathing, I sat down and figured I would just write a clear and concise note to a friendly person at Instagram, and voila – my account would be back in my rightful hands in no time.
I’ll spare you all the details but I couldn’t have been more wrong. Long story short: the Instagram Help Center should not be allowed to use the word “help” in its name. It may very well be the least helpful place on the entire Internet for someone in my situation. Not only has Instagram disabled a feature that once allowed hacking to be reported and resolved, but if you do manage to get a response through one of the other reporting channels, you will essentially be dealing with a human masquerading as a robot. It seems that IG Community Operations folks who respond to emails can only send a very finite set of pre-written responses, most of which tell you to report hacking using a link that doesn’t allow you to actually do so. In most cases, if I wrote back to clarify exactly what I needed with an explanation of why the previous response was inadequate, I would receive exactly the same response back.
I reached out eight times via various Instagram channels, and also sent notes to Facebook, IG’s parent company, tweeted IG, and sent IG multiple messages via Facebook, which was a recommended technique in the myriad articles I found talking about what crappy service IG offered.
I also quickly found out after posting something about the hack on my Facebook page that at least half a dozen people I personally know had been affected by the same or similar hacks in the past month or so. One of them reported to me she lost her entire account thanks to the inaction of IG, so I knew after reading her note that I had to prepare myself to lose all my photos, witty hashtags and followers I’ve established over the past two years. With my retreat just hours away at the time of this realization, I figured there couldn’t be better timing to surrender to a serious act of letting go. And nonetheless, I kept firing off responses to the IG robots, and again and again, I was led down the same dead-end paths.
I went to my retreat, and as I do every time I visit the Buddhist monastery where it was held, I shut off my phone. As I slid my finger across the screen to power it off, I said a little prayer requesting that when I next turned it on, my IG account would not have been altered in any way (up until that point, the hacker hadn’t modified any content except to change my profile description to “Athlete,” which anyone who knows me would probably find at least a bit humorous). I also prayed that there would be a friendly email from someone at IG who would swiftly return my account to me.
Fast forward five days to the end of a wonderful retreat during which I barely thought about Instagram or hackers at all. I am always trepidatious turning my phone on after a retreat because I really enjoy the freedom of being unplugged and it usually means an onslaught of texts, voicemails and emails all demanding my attention. I took a few breaths to center myself and then within seconds of being on, I knew my account was pretty much lost. I had 10 texts from various friends telling me the hackers had started posting images of scantily clad busty women on my page, which by this point had no mention of me or my business on it thankfully.
After thanking friends for their messages, I surrendered. I had done all I felt I possibly could to reach out and possibly get resolution. I had tried every possible channel at my disposal, short of showing up on the doorstep of an IG office, and at that point I suspected even that would have been ineffective.
After being at a retreat and hearing so many people open up about their suffering, I clearly knew that the loss of a social media account was truly a first-world problem. Sure, I felt anger towards the hackers, but I also knew that people wouldn’t spend time doing such petty crimes if they weren’t in some situation of desperation for income or spinning in the daze of delusion that greed can spur on.
Forgiving the hackers and even sending them compassion was more an act I could do for myself, and not something that could influence them in any direct way. (I did try emailing them via the contact address they associated to my profile, but the message bounced back immediately.)
After five days spent in quiet, considering how to share my practice in an engaged way with the world, a question remained: how can I use this experience for some greater good?
The answer was to write this. If you’re like me, chances are you don’t have two-factor log-in set up on your IG account if it you’ve had it for more than a few months. IG apparently rolled out the option of additional verification in waves over the past couple months, but it seems there was never any prompt either within the app or via email to enable it. It seems the only way you might have caught wind of it would have been if you’re a reader of tech news sites or friends on Facebook with someone who is and shared something about it.
I did a very informal and unscientific poll of six of my most prolific IG friends, and only one had two-factor login enabled at the time I asked. (Now they all do, thanks to my prompting.)
Although there are certainly many far worse things that could happen than losing your Instagram account, I do want to save anyone reading this even the smallest bit of distress that a hack and the very real potential of losing all your photos poses.
So, please … I ask that if you’re reading this and have not (or are not 100% sure that you have) enabled two-factor verification, please take a moment to turn it on.
Like me, you probably have not engaged in any of the high-risk actions that IG claims lead to hacking, like sharing your password or using third-party apps. The reality is that hackers seem to have stolen lists of login info from various sites, IG and Twitter included. Let this be a wake-up call to also be diligent about changing passwords regularly. I know I don’t. I’m committing now to changing mine quarterly in sync with the solstices and equinoxes since those are days I pay attention to.
If there is a bright side to any of this (beyond hopefully preventing anyone reading this from being hacked), I was able to get my original username back, so I am back on Instagram as @pranaful. I’d love to connect (or reconnect) there. I also learned this morning that my old account is now disabled and seemingly vanished forever. I’d already let go of the possibility of getting it back, but learning this via a friend who had reported the page after it started flooding her feed gave me a true sense of finality.
Please also take time to share this with others who use IG. My hope is that as many people as possible will protect themselves to the best of their ability in the light of the widespread hacking that is happening. My suspicion is that part of why IG disabled channels for reporting hacking is that they simply became overwhelmed.
My other hope is that IG makes a commitment to better customer service. I am not holding my breath, but I’m putting it out there. I learned in the process of all the research I’ve done in the last week that they recently launched Instagram Together, a site supposedly dedicated to “fostering kindness in our community,” and while this seems like a nice PR front, I’d like to see ripples of kindness extended to people who find themselves the victims of hacking. If you know anyone employed at IG, I would love to meet them.