On Tuesday, Instagram announced several changes intended to improve security for its 1 billion users. Among the changes is the ability to use third-party authenticator apps to log in to Instagram, including Duo Mobile and Google Authenticator.
Instagram did not previously support this capability, although it did allow for 2-factor authentication (2FA) with text messages.
The change comes in the wake of a host of account attacks, as Mashable previously reported. Without notice or explanation, hundreds of people and Instagram-dependent businesses have been getting locked out of their accounts, even affecting some accounts with 2FA enabled. The hacks have raised questions about Instagram’s fundamental security, and its ability to adequately respond to security complaints. The inability to use a third-party authenticator app may have been part of the problem, and in response earlier this month, Instagram promised to make this change.
Another safety feature Instagram announced Tuesday is the ability to see more information about accounts that “reach large audiences.” By clicking on the three dots in the upper right corner of Instagram, users can click “About This Account” to see a bunch of new information: the date the account joined, the country (hi Russia!), what ads the account is running, former usernames, and accounts with shared followers (or, “the public accounts that have the most followers in common”).
And at long last, Instagram released the ability to request a verification badge, better known as that coveted blue checkmark. Previously, there was no official process for getting a badge, which led to a thriving black market for Instagram verification. Now, in account options, all users will be able to “Request Verification,” which requires submitting a photo ID.
Not just any Joe ThirstTrap will be able to get a badge, though — it’s still reserved for a “notable public figure, celebrity, global brand or entity it represents.” Accounts that request the verification will get a notification confirming or denying the request once it’s been reviewed.
Instagram tested the request form in Australia in July, but it is now rolling out worldwide.
Instagram parent company Facebook enabled support for 2FA apps in May. So while the timing of the new capability on Instagram comes on the heels of the security breaches users have been experiencing, given the pressure Facebook has been under to lock down its platform from foreign political influence, all three changes are clearly part of a larger effort by Facebook to beef up security and transparency as a whole.
For Instagram, it’s not a bad start. Now if only customer service would get back to those locked-out users…
Krista, an Instagram user with more than 4,500 followers on her fitness account, noticed something strange on Saturday evening: she had been logged out of her account.
When she tried to log back in, she got a message that her username didn’t exist. She soon realized her handle and photo had both been changed, as had the email address and phone number associated with her account. She tried to request a password reset, only to see the new email linked to her account was now a .ru email: she had been hacked.
Megan, an Instagram user with about 2,000 followers, has a similar story. She woke up Monday morning to a logged-out Instagram account. Her username and profile image had changed, as had the password, email address, and Facebook account linked to her Instagram.
Like half a dozen other hacking victims who spoke with Mashable, her profile photo had been changed, as had all the contact information linked to the account, which was now linked to an email with a Russian .ru domain.
Megan and Krista’s experiences are not isolated cases. They are two of hundreds of Instagram users who have reported similar attacks since the beginning of the month. On Twitter, there have been more than 100 of these types of anecdotal reports in the last 24 hours alone. According to data from analytics platform Talkwalker, there have been more than 5,000 tweets from 899 accounts mentioning Instagram hacks just in the last seven days. Many of these users have been desperately tweeting at Instagram’s Twitter account for help.
Though Instagram, which has more than 1 billion users, says it hasn’t seen an uptick in hacks, a search of Twitter data suggests otherwise. Twitter users have directed approximately 798 tweets to Instagram’s official account with the word “hack” since the beginning of the month, compared with about 40 tweets during the same period in July.
There are numerous reports of hacks on Reddit, and a Google Trends search shows a spike in searches for “Instagram hacked” on Aug. 8, and again on Aug. 11.
“We work hard to provide the Instagram community with a safe and secure experience,” an Instagram spokesperson said in a statement. “When we become aware of an account that has been compromised, we shut off access to the account and the people who’ve been affected are put through a remediation process so they can reset their password and take other necessary steps to secure their accounts.”
It’s not clear how hackers are gaining access to these accounts, or if it’s the result of a coordinated attack. But Mashable has identified several commonalities among the hacking victims — like a changed handle and profile avatar (often to an animated character from a Disney or Pixar film), deleted bios, and a new .ru email address on the account. In most cases, the Instagram users did not have two-factor authentication enabled at the time of the hack, but it appears even this setting may not be enough to deter hackers.
The extra security measure didn’t protect Chris Woznicki, who was using two-factor authentication at the time his account was hacked 10 days ago. Woznicki says Instagram sent him security emails notifying him the email address on his account had been changed (once again, to a .ru address) and 2FA had been disabled. But by the time he saw the messages, it was too late and he had already lost access to his account, which had 660 followers. Others have reported similar occurrences.
Interestingly, the hackers don’t appear to be posting new photos or removing old posts from their victims’ accounts, as is often the case when a social media account is compromised. But they are changing all of the contact information linked to the account, which makes it exceedingly difficult for its owner to regain access.
That’s because Instagram’s own security policies can make it challenging for someone to access an account if they no longer own the email and phone number associated with the account. While that policy is in place for obvious reasons — you don’t want just anyone to be able to request a password reset, for example — it also has the effect of making the account recovery process extremely difficult for people who have had their account credentials changed.
“When I reported it, they sent an automated email which told me to log in and change the password,” says Woznicki. “However at this point it was impossible to do that.”
Instagram says it has a process in place to address these types of cases, but many users have found it lacking. Because the company relies on a largely automated account recovery process, it can be time-consuming, and leave users feeling like they are moving in circles without anyone actually addressing their situation.
“The maze that Instagram sends you on to get your account back is laughable and leads to broken/dead links and emails from robots which lead nowhere,” says Abigail Nowak, whose Instagram was also hacked.
Nowak, who works closely with Facebook as part of her day job as a social media manager, has not been able to access her account for five days, despite several attempts to contact Instagram, she said. Her account is now linked to an email address with a Russian domain.
For others, regaining access to their Instagram accounts is more than just a personal matter. Krista, the fitness influencer, is worried losing her account could compromise her relationship with several sponsors. “If I am unable to get my account back it’s going to affect the sponsorships I have,” she says.
Some Instagram users have been able to successfully navigate Instagram’s remediation process. One user said her account access was restored after being contacted by Mashable, but described the process as “extremely stressful.”
Instagram hacks are not a new occurrence. With more than 1 billion users, the service has become a major target for hackers of all stripes. But it’s not clear if the company’s policies for dealing with these cases have scaled with the rest of the service. Instagram declined to share specifics on how long its remediation process typically takes, but if the volume of angry tweets is any indication, it’s not addressing these reports quickly enough.
Many users, like Woznicki, have resorted to creating brand new accounts while they wait out a response from Instagram. “I have no hope from Instagram for any real help,” he says.
Has your Instagram account been hacked in this way? Email the author at karissa [at] mashable.com.