On a busy work day, Bengaluru-based copywriter Aishhwariya Subramanian received a message from a friend. She was a fitness influencer and often got sponsorship deals from brands. So, when she asked Subramanian to vote in a contest, she was part of, there seemed no need to be alarmed.
Except, when Subramanian, distractedly clicked on the link, her Instagram account was hacked within seconds. Despite numerous attempts, she could not use her password to log in to her account.
With Mumbai-based Ranjani Iyengar, wedding card designer and founder, Pink Whistle Man, the story was similar. This time though, it involved an OTP. A friend had posted about her Instagram account being hacked, and a new one by her name popped up. She then requested Iyengar to help her retrieve the old account. She asked for her Facebook ID and to confirm her phone number. It lit up with an OTP which Iyengar duly shared over a DM.
In an instant, she lost her business and personal Instagram accounts. In both cases, the victims of the hacking, reached out to these friends later on, only to confirm no such messages of distress had been sent.
Deepika Singh, Chief Cyber Officer, DeepCytes Cyber Lab UK, who has worked with the Cyber Security Cell in the past, says, “It is either a game of fear or greed, to take your data or money, or both. They gain your trust first, by manipulating you. If it is fear, they’ll tell you your account will be blocked if you don’t do this. It is greed when they tell you the benefits you will get if you do this. And every time, the story is different. They could pretend to be your friend, too”.
The grimmest attacks, according to Singh, are ones where users are blackmailed through their private pictures.
It turns out that hacking of Instagram accounts is becoming increasingly common and their recovery, more and more difficult.
So, now there are hackers to retrieve hacked accounts. Decode scoured for a few such hackers and found a few ‘Tech Assist’ pages, right on Instagram. On the condition of anonymity, one promised to recover a hacked Instagram account in eight minutes by installing software on our device that would cost $58.
Another that was based in China, claimed to recover accounts globally and intercept fraud happening through Instagram.
Facebook is fast turning into their playground.
A post about a hacked or impersonated account can make them emerge from the woodwork to offer you, their services. They are anonymous handles that use names like Machel Webtech, Henri Unlocks, Henry Hedric Hack — you get the drift. Their responses are quick and their range of services is extensive.
When we inquired, Henry Unlocks sent us a laundry list of sorts. From Instagram recovery to mobile phone hacking, Telegram hacking, and CCTV hacking, it had it all. They also claim to be able to hack WhatsApp, iCloud, and YouTube.
They are eager to get on the job and reluctant to share anything including costs. Some prodding led us to estimates, and the cost of recovering an Instagram account was set at Rs 5,398 or $65. Some others would do it for as low as $30.
When asked about how they’d complete the task, all three spoke of an access code or template that needed to be purchased. “After we purchase the template, your account will be recovered and we can generate a new login and password,” Henri told us. Payments, Henry Hedric revealed, could be made through PayPal, Bitcoin, Zalle, Cash App, or a gift card.
The time taken for the recovery would be roughly eight minutes. However, one of the hackers played it safe by promising a 45–50-minute turnaround.
We asked Deepika Singh, Chief Cyber Officer at DeepCytes Cyber Labs UK, to comment on these pages. “Shady”, is what she came back with. “They won’t give you the promised deliverable and will later blackmail you for more money,” she cautioned.
What happens next?
Not all hacking attempts are alike, some resort to impersonating the Meta Support, too. Such was the case with Mumbai-based Ulka Mayur, who received a surprising DM from Instagram about a hacking attempt into her account. It looked legitimate and she was asked to confirm a few details.
No links were clicked, and no passwords or OTPs were shared. An artist by profession, Mayur spent the next few hours performing. When she did check her phone, she discovered emails about her Instagram account being used in a new location. All her information was deleted and the hacker was posting new pictures. Just as she was raising a complaint with Meta Support, the account with its new information had been verified.
Despite numerous attempts at reaching out to Meta, requesting friends and acquaintances to report the impersonator, Mayur never retrieved her account.
Subramanian’s account was making tall cryptocurrency claims and urging her followers to invest in a scheme, all while using her picture in the background. “A young colleague fell for it and paid the scammer Rs 10,000. I discovered when he texted me to say, he had taken my advice and made an investment,” she said.
In the case of Dr Mrinal Prakash, a Hyderabad-based orthopedic surgeon, cloned accounts were becoming a nuisance. “They would send messages to patients and request for money and one of them ended up paying. He shared a screenshot with me,” he said, adding, “My patients in small towns don’t understand this, and it beginning to impact my credibility,” he added.
Prakash was forced to pay for a monthly Meta Verification and has since not been the victim of a cloning or hacking attempt.
In the larger picture, Singh tells us, a paid verification does not help safeguard you from hacking, and may make your account more lucrative for potential threats. “Hackers breed for verified accounts. That will make their fraud story in the future more believable. Real followers can instill trust in the victims,” she explains.
Recovery and rationale
In several of the cases that we discovered, there were clear and immediate attempts at extortion through impersonation. But with those like Mayur, there were no such demands. “The hacker did not reach out to any of my followers. It seems to be an attempt to poach followers, but I had no more than 5,000 of them,” she said, still trying to piece together, the rationale behind it.
“Instagram accounts need to be active for six months before you can have them verified with a blue tick, and that seems like the only reason why a real estate agent in another part of the world would want my account,” she said.
Subramanian traced her hacker’s location to Pune and Iyengar Nigeria. Both reached out to Meta Support which has a process in place for recovering a hacked account.
“There are a bunch of ways to get your account back. But it takes a while for them to respond. You have to send a video selfie to Meta and you need to remember your old password. If that video selfie is authenticated, they will send you a link to get your account back,” Subramanian explained. It’s also how she recovered her account after 11 hours of incessant emails and requests.
Amid these stories, there was one of a dentist trying to recover their business account, and failing at the video selfie. Turns out, he had no picture of himself for Meta to validate them, only those of teeth and dental procedures.
“I tried the face ID recognition but by the time I would get into the account, they would keep changing the password. I sat for six hours straight, to clear my cache, and get my two-factor authentication. I got my Instagram account back,” she said, adding, “Facebook is much more difficult and seems impossible to retrieve unless you know someone at META. They are aware of it and have even coined a term for impersonators. They call them ‘actors’. There are bad actors and good actors”.
Mayur, who lost her account to the hack, told Decode that emails to Meta were of no help. On the contrary, when her WhatsApp account was blocked, an email to customer support, helped her get it up and running within the hour.
Singh who has dealt with 40-50 such cases said that Instagram has become cooperative in the recovery process. Aided by sufficient proof like video selfies, her company has been able to recover most accounts in 48 hours.
Singh’s company DeepCytes Cyber Labs UK recovers Instagram accounts and charges between Rs 10,000 to Rs 25,000 depending on the case.
Meanwhile, the accounts that claim to recover your hacked Instagram accounts have been growing. Although they don’t have too many followers, whenever they spot someone posting about a hacked account incident, they gather to offer their services.
Of the two we talked to, one has as few as 26 followers with no posts, and the other has roughly 1,800 followers and posts about recovery and services.
Iyengar recommends not delaying the two-factor authentication on Instagram as a safeguard from hacking attempts. “It was a call. I wouldn’t have done it without this incident. I have also made my accounts private. As for OTPs, I refuse to share any, even with my husband,” she said.
An expert in the matter, Singh recommends a two-factor authentication with additional safety measures. “Keep a two-factor authentication with a secondary phone number that has not been shared with many people. Secondly, enable device-bonded login, so you have to approve the login from your device,” she says.
For cases where your private images are at risk, Singh suggests logging on to www.stopncii.com, to have it taken down. “Lastly, users should stop sharing immensely personal information on social media. Don’t put so much data out there freely for perpetrators,” she says.