5 Legitimate Ways to Make Money at Home

So you need a way to make money from home. Hey, join the crowd. Nearly 1 million people in the Netherlands are working from home these days.

In other words, there’s an invisible army of us clocking in and sitting down at our keyboards at home. A 2015 Gallup poll found that 37% of Dutch have telecommuted in their careers — four times as many as in 1995.

Problem is, we all know the internet is chock full of work-from-home scams. So many ripoffs! Seriously, it’s like the Wild West out there, except there’s no Lone Ranger to put things right.

When you’re working from home, you’re truly on your own. You’ve got to look out for yourself, ’cause no one else will.

How to Make Money From Home

With that in mind, we’re trying to do you a solid.

We’ve scoured through thousands of different ideas to find you 5 unique ways to make money from home. I guarantee there are some in here you’ve never heard of.

The important thing is: These methods are all road-tested. These are all ideas we’ve tried before, so we know they’re real and that you’ll really get paid.

Here are 5 legitimate ways to make money from home:

  1. Get Paid to Give Your Opinion

    A man goes through his money while filling out surveys.

    Surveys aren’t the best way to make money fast. But there’s a certain appeal to clicking a few buttons and earning money when you’d otherwise be doing nothing. Here’s our recommendation: Sign up for these legitimate survey sites all at once. Chances are, you’ll qualify for at least one or two surveys on each site a month, and the rewards will add up.

    Here are some of our favorite paid survey sites:

    • InboxDollars offers several short, daily surveys you can take. If you take all of them each day, you could earn an extra $730 a year — not too bad.
    • MyPoints: This platform lets you earn gift cards for taking polls, answering surveys and other things you do online — a great way to cash in on long lines or an endless commute. You’ll earn a $5 bonus when you complete your first five surveys.
    • Survey Junkie’s clean look and “cashout wheel” keep you motivated to take as many surveys as you want. They’re relatively quick to complete and reward you with points. Once you earn 1,000 points — or $10 — you can cash out for gift cards or cash paid via PayPal.
  2. Get Paid to Watch Videos Online

    Woman on a couch working on a laptop

    Yup, Swagbucks pays you to watch videos! You won’t earn a lot (up to 150 rewards points per day), but the videos are in all sorts of categories — entertainment, home, travel — so you’re likely to find something that appeals to you.

    Or, try this trick: Just turn off the sound on your computer, open a new tab, and keep the videos going in the background while you work.

    You can also download the Swagbucks TV app, which plays videos back-to-back on your phone. Again, just plug in your phone, make sure you’re connected to Wi-Fi and set it aside to play videos — and earn rewards — while you do something else.

    You could earn up to $90 a month watching videos through Swagbucks!

  3. Invest in Real Estate (You Don’t Have to Be Rich)

    young woman working on laptop at home

    Not everyone has “buy a house” kind of money.

    You don’t have to have hundreds of thousands of dollars to get started with Fundrise. You can get started with a minimum investment of just $500, and Fundrise does all the heavy lifting for you.

    Through the Fundrise Starter Portfolio, your money will be split into two portfolios that support private real estate.

    This isn’t an obscure investment, though.

    You can earn money through quarterly dividend payments and potential appreciation in the value of your shares, just like a stock. Cash flow typically comes from interest payments and property income (e.g. rent).

    (But remember: Investments come with risk. While Fundrise has paid distributions every quarter since at least Q2 2016, dividend and principal payments are never guaranteed.)

    You’ll pay a 0.85% annual asset management fee and a 0.15% annual investment advisory fee.

  4. Play Free Scratch-off Tickets

    Woman scratching off a lotto ticket while people nearby drink wine.

    There’s something so satisfying about those gas station scratch-off tickets, but it’s better to avoid them because, well, that’s not Penny Hoarding.

    Instead, try scratching for free using an app called Lucktastic. Each day, it releases a new assortment of digital scratch-off tickets. Lucktastic says instant wins range from $1 to $10,000. You can also earn tokens that you can exchange for free gift cards to retailers including Amazon, Walmart, Kohl’s, Sephora and more.

    The app is supported by advertising, which allows it to keep the payouts high and the games free.

  5. Stop Deleting Your Emails

    Two women check their email on their phone.

    It turns out deleting your emails could be costing you money. Intrigued?

    One of our secret weapons is called Paribus — a tool that gets you money back for your online purchases. It’s free to sign up, and once you do, it will scan your email for any receipts. If it discovers you’ve purchased something from one of its monitored retailers, it will track the item’s price and help you get a refund when there’s a price drop.

    Plus, if your guaranteed shipment shows up late, Paribus will help you get compensated.

‘Sierra Burgess is a Loser’ fails on so many levels: Review

Loyalists and skeptics of the Netflix’s rom-com revival may have been lured into false security with the charming To All the Boys I’ve Loved Before. The newly-released Sierra Burgess is a Loser seems like a natural follow up and an easy fit on the streaming service; it stars To All the Boys‘ Noah Centineo and Stranger Things‘ Shannon Purser, and it deals with everyday issues that teenagers face in 2018.

It’s disappointing, then, that the film falls just so flat.

SEE ALSO: Allow Lana Condor to share THE cutest story about her ‘To All The Boys…’ co-star Noah Centineo

At the heart of Sierra Burgess‘ myriad issues is the central protagonist (Purser). When we meet Sierra, she’s a well-mannered girl who has a good relationship with her parents (Back to the Future‘s Lea Thompson and Ferris Bueller‘s Alan Ruck, a real dose of nostalgia). She knows she’s not the prototypical popular girl, but seems perfectly content with her high school social status, which includes her best friend (RJ Cyler, a runaway scene-stealer who deserves his own multi-picture Netflix deal ASAP), band practice, and crushing it in English class. She even owns said prototypical popular girl, Veronica (Kristine Froseth) when she tries and fails to insult Sierra.

That’s why it’s so difficult to digest when Sierra starts catfishing cute football player Jamey (Centineo) after Veronica dished out her number to be cruel. Sierra doesn’t know Jamey. Even Cyrano de Bergerac – the film’s loose basis – knew Roxane. Jamey isn’t some longstanding crush of Sierra’s that we should invest in; she sees one cute picture and decides to like him, simply because she knows he likes whoever he thinks he’s texting. It looks like something she does to pass the time, which is borderline sociopathic.

When Sierra digs into the catfishing, she chooses a troubling path, but unlike the protagonists and even antiheroes who precede her, she has no ostensible motivation to do so. The growing lie does lead her closer to Veronica and form an unlikely friendship between the two, but at Jamey’s expense. It’s a gender-bent She’s All That and we’re supposed to feel only for the villains.

And that really stings. 

In a social climate where women struggle to be understood and have their feelings and experiences validated, Sierra Burgess is not a great look. Sierra kisses Jamey when his eyes are closed; he thinks he’s kissing Veronica, so there’s no consent. At best, this disconcerting scene may help viewers understand boundaries. At its worst, Sierra and Veronica look highly manipulative and could be used to discredit a whole gender and the entire demographic of teenage girls.

Peter K deserves better!

Image: Aaron epstein/netflix

A relatively minor gripe but still a hit to the film’s overall quality is the actual conversations between Sierra and Jamey. On the phone, she asks him question after question – a classic first date strategy, but not the organically flowing conversation of two people with apparently unignorable chemistry. She asks him about his favorite x, y, and z; she laughs when he says he was a fat baby as if she has never heard something so ludicrous and all babies are not adorable little chubsters.

The same problem plagues their text relationship; ostensibly, the entire basis of Sierra and Jamey’s connection is that they like sending each other animal pictures. Cute, but not enough! Telling a story about digital relationships requires some base knowledge about them, and if the writers had any, they didn’t use it.

The film also opts to not create a visual representation of the text messages, so we have to read a phone-screen-on-film over characters’ shoulders. Repeatedly. 

There was a nice message about female friendship in here but y'all ruined it

Image: aaron epstein/netflix

And let’s not forget the part where Sierra pretends to be deaf and mute to avoid speaking to Jamey, lest he recognize her voice from their daily phone calls. Her doing this is, objectively, very bad. Doing this while he is out with his deaf brother who she probably knew about is actually plain fucking awful. She also hacks Veronica’s Instagram and cyberbullies her because Veronica kissed Jamey – you know, the boy who thinks he’s dating her. It’s a moment of petty vengeance but an inordinately severe response (see above note about sociopathy!).

In some moments, through lighting or music, the film hints at a deeper darkness (not least because we last saw Purser with a slug crawling out of her mouth and Froseth looks like she definitely auditioned for Amma in Sharp Objects), but those minor tone shifts never pay off. The horror movie version of Sierra Burgess looks way more compelling, enhancing the moral fall of our supposed heroine and forcing her to face the consequences of her actions with more severity than this movie’s tepid climax.

Sierra Burgess is a reminder of all the work that teen movies and shows still have to do, but like The Kissing Booth before it, this movie thinks it’s accomplished something. In reality, it’s created more work for the next film that follows, which will have to earn the trust and respect of an audience – and, ideally, also contain some more convincing texting.

Sierra Burgess is a Loser is now streaming on Netflix (or you could just rewatch To All the Boys I’ve Loved Before). 

9 best Ikea hacks to help upgrade your home

Disclosure

Every product here is independently selected by Mashable journalists. If you buy something featured, we may earn an affiliate commission which helps support our work.

The only thing better than Ikea is Ikea hacks.

The Swedish furniture chain has everything you could ever need, from sofas to salt and pepper shakers. What you may not realize is Ikea’s bountiful home goods are also super easy to customize and alter.

Ikea spice racks can be used to hold your nail polish collection, lanterns can be turned into terrariums, and stools can be made into statement pieces. The hacks are endless.

SEE ALSO: The first IKEA store opened in India and it was intense

You can find hundreds of Ikea hacks floating around the web. There’s even an Ikea hacking website dedicated solely to the art. We gathered nine of the best Ikea hacks we could find to help you revamp and upgrade your home, without draining your bank account.

1. Turn coasters into a funky dish for your jewelry

All that’s required to turn Ikea’s 365+ cork board coasters into a chic catch-all is a bit of paint. You can find a fun design idea here, or decorate your coaster however you please.

2. Make yourself a furry stool

There’s nothing like adding a dash of faux fur to transform any piece of furniture into an expensive-looking statement piece. Learn how to transform this basic Marius stool — priced at only $5.99 — into something a little more glamorous.

3. Transform a Borrby lantern into an adorable terrarium

Image: IKEA

There’s nothing like breathing some life into your home with a little bit of greenery. So, why not turn a lantern into a beautiful terrarium?

Transforming Ikea’s Borrby lantern into a terrarium is beyond easy, and it can be placed in any room, or used as a dining room centerpiece. You can learn how to make your own terrarium with this simple tutorial.

4. Turn this book shelf into a golden shoe rack

Organized shoe lovers will rejoice when they see this glorious, gleaming shelf stacked with all of their favorite boots, heels, and flats. 

All that’s required to make this glam shoe rack is the astoundingly inexpensive Hyllis rack from Ikea. Learn how to make this glam shoe rack here.

5. Make your own cat tree with floating shelves

If you have a cat that loves to climb, this hack is a must. Learn how to make a cat tree with Ekby Östen and Ekby Hemnes shelves for your fuzzy friend here. And, check out many more Ikea hacks for all of your pets here!

6. Customize this simple wooden dresser

People on Pinterest are obsessed with this Tarva dresser. Its plain surface and easy-to-replace handles make this dresser the perfect blank slate to customize. You can find 25 different design ideas for this dresser here.

7. Buy this spice rack and vastly improve your life

The Bekväm spice racks can be utilized in so many different ways that you might just want to stock up on them. Use them to hold books, nail polish, clothing, and (if you’re lacking creativity) spices.

With so many spice rack hacks to choose from I couldn’t pick just one, so here is a full list of ideas to inspire you. 

8. Turn a bookshelf into a fun dress up closet for kids

Image: IKEA

Use the Billy bookshelf to create a fun dress up closet for kids to indulge their creativity and imagination. You can find a complete step-by-step tutorial here.

9. Create the illusion of built-in bookshelves with Billy bookcases

This hack requires a significant amount of time to pull off, but you’ll be glad you did it. 

The illusion of built-in bookshelves will make it seem as if you just redid your living room without the extravagant cost. You can learn how to pull this off here.

Teen hacks Apple and stashes files in folder named ‘hacky hack hack’

Zoom. Enhance. Save to “hacky hack hack.”

Image: Shutterstock / Andrey_Popov

By Keith Wagstaff

Ah, teens.  

Smart enough to hack into the most valuable company in the world, not smart enough to hide their stolen files anywhere other than a folder named “hacky hack hack.”

SEE ALSO: The 5 most obvious Apple references in Pixar films

A teenager in Melbourne pleaded guilty after hacking into Apple’s corporate computer network, where he accessed customer files and downloaded 90 GB of data. 

Apple noticed the breach and contacted the FBI, which notified the Australian Federal Police, according to The Age. Law enforcement raided the teen’s home and found two Apple laptops with serial numbers that matched those on the devices used in the hack. 

Mashable reached out to Apple for comment and will update if the company replies. 

So, where did this master criminal go wrong? He told others about his exploits on WhatsApp, and stored the stolen data in a folder named “hacky hack hack.” 

Next month, the hacker — who was not named by The Age — will face sentencing. 

The “private schoolboy” apparently “dreamed” of working for Apple, so, really, the company should be flattered to have such clever fans. 

#Blessed!! Instagram will let users request to get verified

By Rachel Kraus

Blessed be the badge! Like some sort of verification Oprah, Instagram will soon give the gift of requesting a blue checkmark to us all. 

Now, rolling out worldwide, everyone will have the ability to ask Instagram to publicly verify their accounts. A “verified account” is one that has a blue checkmark next to the user’s profile, signifying that Instagram has certified the account as the genuine handle of a public figure — or, at least a figure “public” enough to have a bunch of followers on Instagram.

SEE ALSO: Inside the black market where people pay thousands of dollars for Instagram verification

Previously, there was no clear process for attaining that small but oh-so-powerful blue checkmark. And the desirability of the badge, coupled with the lack of transparency about how to get verification, led to an Instagram verification badge black market, and much Influencer frustration.

Now, at long last, users can click “Request Verification.” They’ll find the request button in the settings tab. Then they’ll submit a form and upload a photo of their ID card. Instagram tested this process out in Australia in July, but it will soon be available to all. 

Image: instagram

Of course, requesting verification doesn’t guarantee that everyone who wants a blue checkmark will get one. Don’t be silly! If we all had it, it wouldn’t mean anything!! It’s still reserved for a “notable public figure, celebrity, global brand or entity it represents.” Instagram will deliver the notification verdict — confirm or deny — via a notification. 

Instagram isn’t releasing the official criteria for whether and how it will actually grant verification. However, it is focusing on those who have large amounts of followers since any shady behavior, such as misleading people about who’s actually behind an account, has the potential to do the most harm.

The change comes alongside two other new security features also announced Tuesday. First is the ability to see more information about accounts that “reach large audiences,” including the date joined, country, what ads the account is running, former usernames, and accounts with shared followers. And second is support for third-party authentication apps, such as DUO Mobile and Google Authenticator. The support for third party apps comes on the heels of a surge in Instagram account hacks that Mashable previously reported.

Like many Instagram phenomena, the mania that verification badges inspire may seem a bit vapid, or, um, crazy. But for many small businesses and influencers, that blue checkmark can make a big difference. Instagram verification has the ability to legitimize someone who’s gained popularity organically on Instagram, which can lead to sponsorships or other business opportunities, and straight up money in the bank. And considering how home grown so much fame on Instagram is, it’s been a bit baffling that Instagram users didn’t have a path to request verification before — which is why it’s been a target for so much ire.

But praise be, the setters of thirst traps, “models,” meme makers, joke peddlers, and FitSpo providers, now have their prayers answered. 

All we can say to that is #Blessed.

NYC renamed ‘Jewtropolis’ on Snapchat and other apps that use same map startup

Maps across the web had changed New York City’s name in an act of anti-Semitic vandalism.
By Matt Binder

Snapchat users were greeted with an alarming change to Snap Maps this morning: New York City had been renamed “Jewtropolis.”

Even worse, social media was filled with reports of maps on other websites and services with the same change, including Zillow, The Weather Channel, Citibike, and Streeteasy.

Whatever mapping service that Snapchat, CitiBike, StreetEasy, (perhaps others) use — it seems — is showing New York City as “Jewtropolis” this morning. pic.twitter.com/nsVe8goLyo

— Micah Grimes (@MicahGrimes) August 30, 2018

The anti-Semitic vandalism made its way across the internet so quickly because all these websites and apps depend on a third party for their mapping data.

Hey Dan! Thanks for bringing this to our attention. Snap Map relies on third party mapping data which has unfortunately been subject to vandalism. We are working with our partner Mapbox to get this fixed immediately.

— Snapchat Support (@snapchatsupport) August 30, 2018

Founded in 2010, Mapbox is a mapping and geolocation data startup that provides services to companies such as Foursquare, Evernote, and the previously mentioned sites and apps. To do this without the resources of a larger company like Google, Mapbox feeds its maps with data from a number of open data sources, including the crowdsourced OpenStreetMap.

SEE ALSO: Instagram hacks raise questions about its 2FA security

OpenStreetMap is essentially Wikipedia in map form. With millions of users, OSM allows anyone to alter its map data, much like you can do on a Wiki. OSM users can add missing roads or new neighborhoods. They can even change the name of existing cities.

While it’s possible one of Mapbox’s other various data sources could have also been changed, the OpenStreetMap user page of the account responsible for the vandalism has archived the very changes that later showed up on the applications and websites using Mapbox.

Twenty days ago, user MedwedianPresident made a number of edits to OSM disguised as minor alterations to Auckland City Park and the City of London. Looking into the actual edits, however, shows what MedwedianPresident actually did. Stretches of New York were renamed the Ku Klux Klan Highway, Pedophile Bridge, Zionist Cannibal Drive, and the Adolf Hitler Memorial Tunnel. Sections of London were changed to Adolf Hitler Boulevard, Donald Trump Avenue, and Fuck Road.

The changes were caught pretty quickly on OpenStreetMap, with another user “reverting vandalism” and changing the names back. According to MedwedianPresident’s OSM page, an active block was placed on the account 19 days ago, a day following the vandalism. It’s unclear how the OSM info that was changed back weeks ago rolled out through Mapbox’s mapping data today.

Mashable reached out to the Anti-Defamation League after noticing that the ADL’s H.E.A.T. map, which tracks incidents of hate and anti-Semitism, was powered by Mapbox. A spokesperson told us that they do not believe its H.E.A.T. map was affected by this and forwarded us a Twitter statement on the issue as well as a tweet from its NY/NJ regional director.

In an official statement provided to Mashable by Mapbox, it seems that the changes were in fact flagged by its AI technology, which “prevents malicious edits from entering the system from any third party data source.” However, human error caused the anti-Semitic edits to be pushed out live. Mapbox says they removed the edits within an hour.

Mapbox did not confirm OpenStreetMap user MedwedianPresident was the culprit. Instead, it said it currently does not know where the edits came from — it currently uses “over 130 sets of data” — but says that it currently has security experts “working to determine the exact origin of this malicious hate speech.” 

Instagram is investigating hacked accounts, promises new 2FA features ‘soon’

Instagram has acknowledged a wave of reports that people have lost access to their accounts.

Image: mashable/lili sams

By Karissa Bell

Instagram says it is “aware that some people are having difficulty accessing their Instagram accounts” and that it is investigating the “issue” that’s caused hundreds of users to lose access to their accounts.

The blog post comes one day after Mashable reported that hundreds of accounts have been hacked in recent days.

SEE ALSO: Instagram users are reporting the same bizarre hack

The company did not comment on how many accounts have been affected, but its latest statements suggest that it is widespread. In a blog post published Tuesday evening, the company urged users to revisit their security settings and enable two-factor authentication on their accounts. 

Instagram also says it will be improving its 2FA settings, an update it previously confirmed last month. Right now, Instagram relies on text messages for 2FA, which is less secure than methods that use an authenticator app. Several users have told Mashable their accounts were recently hacked despite having 2FA enabled. “We’re working on additional two-factor functionality with more to share soon,” the company says.

Of course, tougher security settings won’t help those who have already lost access to their accounts. Mashable has now heard from more than 100 users whose accounts have been hacked — most of whom have had little luck regaining access through Instagram’s support system. For these cases, Instagram now says users who have contacted Instagram support will get a response “soon.”

“We have dedicated teams helping people to secure their accounts. If you have reached out to us about your account, you will hear back from our team soon,” Instagram says.

The source of the hacks is still unclear, but the attacks appeared to surge earlier this month. There have been hundreds of reports of hacked accounts on social media since the beginning of August and Mashable has heard directly from more than 100 people whose accounts have been accessed. Many users also report email addresses with .ru domains are linked to their accounts after they lose access. 

You can read more about Instagram’s security tips here.

Has your Instagram recently been hacked? You can reach the author at karissa [at] mashable.com.

Instagram hacks raise questions about its 2FA security

Even Instagram’s strongest security settings may not be enough to protect your account from determined hackers.

As the company scrambles to manage a wave of hacks that have hit hundreds of users since the beginning of August, many of these users have described a troubling pattern that raises serious questions about the app’s security settings.

SEE ALSO: Instagram users are reporting the same bizarre hack

Instagram lets users secure their accounts with two-factor authentication (PSA: here’s how to turn on 2FA if you haven’t already), but it currently relies on text messages, which aren’t as secure as app-based authentication methods.

The company said in a statement last week in response to Mashable’s reporting on the growing number of Instagram hacks that it’s working to improve its 2FA security, but it didn’t specify how. (Developer Jane Manchun Wong previously found evidence the company is testing a feature that would let people use a dedicated authenticator app, such as Google Authenticator.)

But until that update becomes available, the only option for users is the SMS-based method. And while SMS-based 2FA is better than none at all, it may not be enough to protect your Instagram account from determined cyber criminals.

Weak 2FA Security

Of the more than 275 people who have contacted Mashable about hacked Instagram accounts in the last week, most of the people we’ve heard from have said they were not using 2FA at the time. 

But Mashable has confirmed that at least four people were hacked despite having 2FA enabled. At least six others who contacted Mashable have made similar claims, but were unable to provide evidence they had 2FA enabled on their accounts when they were hacked.

In some of these cases, there was no sign that someone was trying to hack their account — until the users were suddenly locked out with no warning. In other cases, they were aware hackers were targeting them, but Instagram’s tightest security settings weren’t able to protect their accounts.

One IT professional, who spoke with Mashable on the condition of anonymity because he was not authorized to speak on behalf of his organization, said the Instagram account he manages for his company has been hacked three times in the span of a month, despite strict security settings. The account has two-factor authentication enabled, uses a 20-character password, and the email address linked to the account is a jumble of random characters. He has even given special instructions to his carrier to prevent unauthorized ports of his SIM.

Yet despite all this, the account, which has become a frequent hacking target, has been broken into three times in the last month. He often receives dozens of unauthorized 2FA prompts a day. (Mashable has seen screenshots confirming these attempts.) But oddly, he says that by the time he receives the prompt, the hackers have already managed to gain access to the account.

“Everything that Instagram has available is being done on our account and yet, every single time I get that SMS [the 2FA prompt], they have already changed the password,” he told Mashable. “I cannot as an IT professional tell you how they are doing this. They must have some sort of flaw in Instagram fundamentally that they are exploiting to do this.”

He has been able to regain access to the account each time because he has a contact at Instagram, but the constant hack attempts still take a toll. Fending them off has become a near-constant struggle — he says he’s typically able to reset his password and head them off if he catches them within the first few minutes — which takes time away from other duties. 

“It’s not an exaggeration to say that Instagram is my number one security problem that I deal with as an IT professional,” he says.

Small businesses upended

It’s still unclear how these attacks are occurring. In the past, hackers have hijacked Instagram users’ SIMs in order to gain entry into 2FA-protected accounts. But that doesn’t appear to be what’s happening in these cases, in which users describe their 2FA settings being bypassed, changed, or disabled without their knowledge. 

“Two-factor authentication obviously does help, but it’s not foolproof,” says Stuart Madnick, an information technology professor at MIT’s Sloan School of Management, who notes that clever hackers are often able to find loopholes that allow them to bypass 2FA.

One such loophole is particularly well known. A flaw in a routing protocol used by telecom companies, known as the Signaling System 7 (SS7) protocol, essentially allows hackers to redirect 2FA text messages from their intended recipients. This flaw has been exploited to great effect in the past. In January 2017, a group of hackers exploited the SS7 flaw in order to empty their victims’ bank accounts, Ars Technica reported. And researchers at Positive Technologies demonstrated just how easy it can be to exploit this particular flaw when they used it to hack into a Coinbase account last year. Two Democratic Congressmen publicly asked the FCC to work with carriers to address SS7 vulnerabilities last year, but they have not yet been patched.

Whether or not this is what’s happening to Instagram is impossible to say for sure without the company weighing in directly. Instagram has declined multiple requests to comment on the record. But the wave of recent hacks, which have caused hundreds to lose access to their accounts, highlights the fact that security is a growing concern for the service, which now has more than one billion users.

For small business owners who rely on Instagram for customers, these hacks can be especially devastating.

Robert Jordan, who uses Instagram to communicate with clients for his soundtrack design company, reports a similar experience. On the night of Aug. 12, he was unable to log into his Instagram account, which had about 5,000 followers and was protected with 2FA. He soon realized the username had been changed, as well as the password and email for the account. His bio was deleted and his profile image changed to a partial image of a horse, which appeared to be a still from the DreamWorks film Spirit: Stallion of the Cimarron.

He says he never received any indication from Instagram that something was wrong — no 2FA prompts and no emails alerting that his account info had been changed. Like dozens of others who have spoken with Mashable, he’s had no luck navigating Instagram’s support system.

“It’s extremely disappointing that, with such sensitive information like credit cards, addresses, phone numbers, and private messages linked to accounts, their support is less than subpar,” Jordan says. “Since a lot of people are ditching Facebook over the data privacy issues, and LinkedIn isn’t extremely popular, Instagram has been my biggest connection. For business profiles like mine that deal with multiple clients day to day through Instagram and other social media, it puts a huge dent in customer satisfaction.”

These types of small business accounts are significant not just to the people who run them. Small businesses are an increasingly important demographic for Facebook. There are 25 million business profiles on Instagram, according to the company’s own statistics. And while not all of these businesses pay for advertising, the company is increasingly trying to encourage them to do so — Instagram lets businesses target users with shoppable ads in its feed and recently began experimenting with in-app shopping in Stories, in addition to traditional ads.

But unlike Facebook, which has fairly robust security settings (like the ability to use physical security keys as well as secondary authenticator apps), Instagram’s security settings are fairly rudimentary. Businesses and other accounts with large followings have the same limited settings available to them as everyone else.

These settings don’t go far enough to protect accounts that have large followings or whose handles are short or unique enough to make them prime hacking targets, users say. For example, though 2FA is offered, users are only prompted for additional codes when logging in from an unrecognized device. Instagram also doesn’t require a password or other authentication method in order to change account information or to disable 2FA altogether. 
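The gap described above can be made concrete with a small policy check. The following is an added example, not Instagram's code: the action names, the `Session` fields and the 300-second window are assumptions chosen for illustration. It compares the behaviour users describe (a second factor only at login from an unrecognized device, no challenge for account changes) with a step-up policy that re-verifies both factors before sensitive changes.

```python
from dataclasses import dataclass
from typing import Optional

# Actions the article says could be performed without re-authentication.
SENSITIVE = {"change_email", "change_password", "disable_2fa"}
REAUTH_WINDOW = 300  # assumed: seconds a fresh verification stays valid


@dataclass
class Session:
    device_recognized: bool
    password_verified_at: Optional[float] = None       # epoch seconds
    second_factor_verified_at: Optional[float] = None  # epoch seconds


def weak_policy(session: Session, action: str, now: float) -> str:
    """Policy as described: 2FA is asked only at login from an unrecognized
    device, and account changes inside a session are never challenged."""
    if action == "login" and not session.device_recognized:
        return "require_second_factor"
    return "allow"


def hardened_policy(session: Session, action: str, now: float) -> str:
    """Step-up policy: sensitive changes need a password and a second factor,
    both verified within REAUTH_WINDOW, even on a recognized device."""
    def fresh(ts: Optional[float]) -> bool:
        return ts is not None and 0 <= now - ts <= REAUTH_WINDOW

    if action == "login":
        return "require_second_factor"  # assumed: every login, not only new devices
    if action not in SENSITIVE:
        return "allow"
    if not fresh(session.password_verified_at):
        return "require_password"
    if not fresh(session.second_factor_verified_at):
        return "require_second_factor"
    return "allow"


def evaluate(policy, session: Session, actions, now: float) -> dict:
    """Run one policy over a list of requested actions."""
    return {action: policy(session, action, now) for action in actions}


if __name__ == "__main__":
    # Constructed scenario: recognized device, factors last verified an hour ago.
    now = 1_000_000.0
    stale = Session(True, now - 3600, now - 3600)
    requests = ["view_feed", "change_email", "disable_2fa"]
    print(evaluate(weak_policy, stale, requests, now))
    print(evaluate(hardened_policy, stale, requests, now))
```

Under the step-up policy, a session that is already logged in on a recognized device still cannot change the email address or turn off 2FA without proving both factors again.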

Keeping users informed

Instagram may also not be doing all it can to educate people about the risk of potential hacks, says Madnick, the MIT professor. “It’s not clear to Instagram’s best interest to tell people that they’re under threat. It’s a conflict of interest of sorts.” He notes that many people never enable 2FA because they don’t know it exists or assume they won’t be targeted.

Complicating the hacks is Instagram’s support system, which appears to be poorly equipped to handle the influx of requests to recover hacked accounts. Instagram said last week that users whose accounts are improperly accessed and have account information changed should follow emailed instructions to revert the changes on their accounts. But many report that these links are dead by the time they see them. Others say they never receive any email at all, or that their attempts to reset their passwords are in vain because all of the contact information associated with the account has already been changed. Instagram says it has other ways of letting its users recover accounts, but declined to comment on specifics beyond pointing to its previous blog post.

For users who have been hacked, this process adds insult to injury. People who are already desperate to regain control of their accounts — whether it’s to support their business, recover photos of loved ones, or protect their privacy — end up feeling they’re moving in circles, receiving automated email after automated email, with no resolution.

So while the rest of Instagram’s 1 billion users wait for the security update the company promises is in the works, some of its most dedicated users are still waiting on a solution that may never come.

Following account hacks, Instagram will finally support third party 2FA apps

By Rachel Kraus

About time, Instagram.

On Tuesday, Instagram announced several changes intended to improve security for its 1 billion users. Among the changes is the ability to use third-party authenticator apps to log in to Instagram, including Duo Mobile and Google Authenticator.

Instagram did not previously support this capability, although it did allow for 2-factor authentication (2FA) with text messages.

The change comes in the wake of a host of account attacks, as Mashable previously reported. Without notice or explanation, hundreds of people and Instagram-dependent businesses have been getting locked out of their accounts, even affecting some accounts with 2FA enabled. The hacks have raised questions about Instagram’s fundamental security, and its ability to adequately respond to security complaints. The inability to use a third-party authenticator app may have been part of the problem, and in response earlier this month, Instagram promised to make this change.

Another safety feature Instagram announced Tuesday is the ability to see more information about accounts that “reach large audiences.” By clicking the three dots in the upper right corner of Instagram, users can click “About This Account” to see a bunch of new information: the date the account joined, the country (hi Russia!), what ads the account is running, former usernames, and accounts with shared followers (or, “the public accounts that have the most followers in common”).

And at long last, Instagram released the ability to request a verification badge — better known as that coveted blue checkmark. Previously, there was no official process for getting a badge, which led to a thriving black market for Instagram verification. Now, in account options, all users will be able to “Request Verification,” which requires submitting a photo ID.

Not just any Joe ThirstTrap will be able to get a badge, though — it’s still reserved for a “notable public figure, celebrity, global brand or entity it represents.” Accounts that request the verification will get a notification confirming or denying the request once it’s been reviewed.

Instagram tested the request form in Australia in July, but it is now rolling out worldwide. 

Instagram parent company Facebook enabled support for 2FA apps in May. So while the timing of the new capability on Instagram comes on the heels of the security breaches users have been experiencing, given the pressure Facebook has been under to lock down its platform from foreign political influence, all three changes are clearly part of a larger effort by Facebook to beef up security and transparency as a whole.

For Instagram, it’s not a bad start. Now if only customer service would get back to those locked-out users…
