Last month, not one, but three of my Instagram accounts got hacked. If you've ever experienced this, you know what a sickening feeling it is! All those hours spent curating your feed and building engagement, and suddenly all of that is at the mercy of some anonymous stranger hell-bent on destroying your hard work.
If you've found your way to this article because you've just found out your account was hacked, don't panic. Let me walk you through what you need to do next, step by step. Hopefully, at the end of it, you'll have your account back without too much damage done to it. The most important thing is to act fast and not sink into despair.
So, without further ado, let's sort this mess out.
1. Reset your password
If you catch the email telling you that your password has been changed as soon as it arrives, you may still have time to reset your password before someone takes over your account. Often, hacks are conducted via automated scripts, which means it might be a little while before an actual person starts doing anything nasty with your account. (If you're wondering, that nastiness might look like spamming other users via your account and filling your beautiful gallery with advertising.)
First of all, head over to Instagram and request a password reset. Once you receive the email to reset your password, change it to something secure (we'll get to this later).
When my accounts got hacked, I caught two of the hacks while they were happening and managed to reset my password before anything sinister went down. Unfortunately, I wasn't so lucky with the Her Lovely Heart Instagram account. When I tried to reset my password, Instagram told me my email address wasn't associated with the account, which meant the hacker had managed to change the address on the account before I acted. Cue heart-in-throat moment.
If this happened to you, move on to the next step.
2. Report your account as hacked
Head over to this Instagram help page and report your account as hacked. You'll have to click the little arrow to expand the section, which says 'I think my account has been hacked' and then click on the words 'Report it to us'. For some reason, this link isn't very obvious, but even if it doesn't show up as an active link for you, you should be able to click on it. You'll then be taken through a questionnaire in order to report your account as hacked.
UPDATE 17 March 2017:
Instagram has changed the way you report hacked accounts (plus, for some reason they made it even more difficult to find this information!). If you can't log in, and your email address has been changed, follow the steps on this help page. Basically, you will have to open the app and follow the 'Get help signing in' protocol and you should be able to report a hacked account that way.
UPDATE 30 March 2017:
From the reports in the comments, it looks like Instagram has removed even the updated method of reporting a hack. I find this quite shocking from a customer service point of view! If anyone manages to contact Instagram regarding their hacked account, please share in the comments how you did it; there are many desperate people trying to find a fix.
UPDATE 22 May 2017:
Do read the comments to see how some people had success with reporting their accounts. I can't personally help anyone, so please don't send me emails or other messages directly about this. I don't have any sort of inside information; I simply shared my experience, and since then IG has changed the way things work. I'm leaving this post up because the security measures are still valid for those who haven't been hacked or have managed to get their account back, and because there are comments that might help someone in this process.
It's SUPER important that you list the email address you gave to Instagram when you signed up for the account. I learned the hard way how difficult it is to get any communication from Instagram if you list any other address here. If you are worried that that email address is also vulnerable, secure it first by changing your password.
Once you've sent your report, Instagram will email you with a request to send a photo of yourself holding a reference number. For reals. This sounds very strange indeed, but it's their way of determining you are the correct owner of the account (this is why it's good to have at least a few pictures of yourself in your account, whether as your profile pic or posted among your images).
After this, it's a waiting game. If you don't hear anything back in 24 hours, I personally found that polite and kind pestering helped to move things along. There's no reason to be rude; whoever is helping you is just doing their job, but you can press the urgency of the matter in a kind way. Also, once you get your account back, don't forget to thank the person who helped you!
3. Change all your passwords to secure ones
Being hacked is one of those situations which should make you re-evaluate how seriously you take online security. I would urge you to change all your passwords, whether email accounts, FTP logins, Apple password, everything, to something secure. Make a point of breaking, once and for all, the habit of using the same password on every account and not changing it for years.
4. Use a password manager
To make things easier, I couldn't recommend using a password manager highly enough. Not only will it store all your passwords so you don't have to A) keep them in your head or B) scribble them on random pieces of paper, it also generates super strong passwords for you so you don't have to spend hours thinking of the perfect combination.
I personally use 1Password and love it. You can securely sync your manager with your desktop computer, laptop and your mobile phone, so you'll always have your passwords at hand when you need them. You can also install a browser extension, which will prompt you to let 1Password create a new password for you when you sign up for a new service online.
As well as passwords, you can also save bank account details and secure notes, among other things. In this digital day and age, there's just no excuse to not use one of these babies!
5. Turn on two-factor authentication
Two-factor authentication adds a layer of security to your important accounts. It means that when you log into a service, you'll have to provide your password and an additional one-time code, which might be delivered via a text message or through an app such as Google Authenticator, which works with many different services apart from the obvious Gmail, such as Evernote and Dropbox. Having this second layer of security means that it's impossible for someone to remotely hack your account.
When it comes to Instagram, you can also turn on two-factor authentication. You'll find the option under your settings menu once you've clicked on the cog at the top right corner of your profile.
Instagram sends you an authentication code via a text message, so you'll have to link your mobile phone number to the account. Even though it sounds like a bit of a hassle, it really isn't, especially if you use Instagram mostly on one device. You'll stay logged in as normal, and only need your password and authentication code if you log in again (or, you know, if you're a nasty hacker trying to get in).
If, like me, you have multiple Instagram accounts, you will run into one problem. You can link one mobile number to only one account. If you try to turn two-factor authentication on for another account with the same mobile number, your first account will have its two-factor auth turned off. Slightly frustrating, no?
I got around this problem by using a service called OnOff. What OnOff allows you to do is to have multiple mobile numbers via an app on your phone. It's fairly inexpensive to have an extra number, especially if you don't use it for making actual phone calls, and receiving authentication codes to these numbers works pretty seamlessly. If you wanted, you could use your OnOff numbers even more efficiently, for example having a 'business number' that you give out, so that you don't have to give your personal mobile number to clients, or list it anywhere on the internet.
I really hope this walkthrough helped you through any possible hacking incident and prompted you to upgrade your online security efforts. Stay safe out there!