Hacking Seconds: A Quick Story about Turkish Hackers, Blackmailing and a Potential Backdoor to Instagram


As some of you might already have noticed, WatchTime’s Instagram account got hacked last week. Unfortunately, attacks on Instagram users, while rarer than other forms of cyber crime, are becoming increasingly common (and sophisticated), and not only high-profile celebs have recently come under attack. In short, we were not the first nor will we be the last victim of hackers targeting Instagram, and with more than 270,000 followers, one can easily see why we were targeted in the first place. The good news is that we were able to successfully initiate the painfully slow and difficult process of recovering our hacked account. We’ve obviously also beefed up security (you’ll find Instagram’s safety recommendations here), and have worked hard to limit the damage done to the account (like restoring deleted posts, cleaning up the profile, etc.). Nevertheless, we’ve lost around 3,000 (rightfully irritated) followers due to the hack, and we are still trying to figure out how the perpetrator was able to hack into the account.

Unfortunately, the story doesn’t end here. It appears that the hacker was able to exploit a weak link between Instagram and Facebook, Instagram’s parent company: While in full control, he created a fake profile page on Facebook using WatchTime’s (publicly available) email address and phone number. He then linked the fake Facebook profile page to WatchTime’s official Instagram account, which somehow allows him to access the Instagram profile up to this day (and we really do apologize for the colorful language he’s been using). Much to our surprise, it also appears that we, the official owner of the profile, are currently not allowed to unlink these two accounts: Last year, Paris Martineau, a former staff writer at WIRED, covered this in her story about how the tech giant decided that “Clicking on Unlink Account does not actually unlink a Facebook account from Instagram”:

Common sense suggests that if you unlink a Facebook account from your Instagram profile, you’ve unlinked that Facebook account from your Instagram profile. But like many things Facebook, common sense does not always apply here. Clicking on Unlink Account does not actually unlink a Facebook account from Instagram, a Facebook spokesperson told WIRED, because it isn’t possible to separate the two.

WIRED, 08.28.2019

Equally troubling, linked accounts can only be discovered while using the app; they are not visible when accessing Instagram via a browser.

Needless to say, we’ve spent the last days trying to reach out to Instagram to have them look into it and make sure the account is fully secured. We’ve also alerted the authorities, since as of last Thursday we are officially being blackmailed, and we have done the same with Facebook.

We think we may have finally understood how the hacker is still able to access our profile, despite two-factor authentication, ridiculously difficult passwords and us monitoring the account constantly. But the uncomfortable truth as of today is that

  • we are currently not the only ones capable of accessing our Instagram account, and we don’t know to what extent the other user has access
  • we are still having difficulties making Facebook and Instagram aware of the ongoing hack, and, more importantly, getting them to act immediately and remove both the link on Instagram and the fake page on Facebook

The sad reality is that we are currently not only seeing a rise in watch-related crimes; we are also seeing a constant increase in cybercrime. We’ll obviously continue to work on a solution to make the account secure again, and we will update you all once the issue has, hopefully, been resolved. In the meantime, feel free to share this with anyone at Instagram you might know. Adam Mosseri, for example, seems to share our passion :-)

Adam Mosseri, Head of Instagram (Photo: Source)

And just in case:

How to recover a hacked Instagram account:
In case you ever find yourself locked out of your Instagram account and want to get it back: On the login screen of the app, “tap Forgot password? followed by Need more help? below the Next button and follow the on-screen instructions” to report what happened. Unfortunately, this only works when accessing your profile via the app; you won’t find this option while using a browser (in our case, we additionally had to deal with the fact that, on some of our iPhones, the form couldn’t be sent because the on-screen keyboard overlapped the send button).
You should hopefully receive an official, automated email from Facebook (from an address ending in @support.facebook.com) asking for more information (make sure to also check your spam folder); that information has to be provided from the same email address the email was sent to. In our case, we also had to deal with the fact that the language of the account was changed during the takeover, resulting in official emails from Instagram being written in Turkish (and thus more likely to end up in our spam folder). You can read more about this process here: https://help.instagram.com/149494825257596
3 Responses to “Hacking Seconds: A Quick Story about Turkish Hackers, Blackmailing and a Potential Backdoor to Instagram”

  1. Unfortunately our account was also hacked; every single email we’ve received from Instagram was an automated response. We only had 18k followers, and now we have to start from 0. I’m in California, we paid for ads on that Instagram account so we are using that angle to get some sort of communication from them. It’s already been 2 months and we finally got someone to sort of help. I suggest filing a complaint with TRUSTe; through them I was able to get in contact with Facebook.
