A friend's Instagram account apparently got hacked, and their username, email and password changed.

Has anyone experienced this before? According to Instagram, the old email account should have received an email about that name/email change, which didn't seem to happen.

I can't make sense of how they managed to hack that account. Any pointers appreciated!

Did they tie their mobile phone to the account? If so, it's not hard to do a SIM swap attack. However, it does require the attacker to specifically target their victim, which normally doesn't happen for just about any user.


No, they linked neither their mobile nor their Facebook account to Instagram. Which now makes it pretty much impossible to recover the account.

Maybe they hacked the old email rather than Instagram directly?
They could have deleted the email...


That was my first thought, too. No signs of that, though.

@fribbledom Even the Twitter account of CEO Jack Dorsey had been hacked once, with strange announcements appearing...
Insta should have support?

@fribbledom One possibility is that the email account was compromised, allowing the attacker to request a password reset and change the email address, then delete the related emails.

@fribbledom Instagram accounts can be hacked in many ways: whether it's through a phishing link, or if the victim uses the same login and password for another service that suffered a data breach. Victims have complained in the past that Instagram did not do much to help them retrieve their hacked accounts. Good luck

@fribbledom Could be as simple as the email having indeed been sent but the friend accidentally has such emails going to spam or something? Or is just misremembering what email address was originally used?

@fribbledom Some insight into the how and why can be found in this great episode from Reply All, "The Snapchat Thief" -

@fribbledom Instagram can probably verify if the old email account actually was sent an email. What probably happened is that the receiving email server either didn't work or simply marked the email as spam and tossed it.

@fribbledom Could have been a not super strong password re-used from a site that was hacked (geniuses still use MD4 and MD5 to hash it). Doesn't explain nothing happening on the email end, though. (Unless that is what was hacked.)

It happened to me very quickly after I signed up, so I assumed it's a common thing. I resolved it just as quickly by contacting Instagram support, I think. After that I got a 24-random-character killer password and have been good.

@fribbledom maybe also have them verify that the associated e-mail account does not have any unknown forwarding or filters set up?
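The check suggested above (look for forwarding rules or filters an attacker may have planted in the mailbox) can be scripted. The following is an added example, not part of the thread: it parses a Gmail filter export (the mailFilters.xml Atom feed Gmail produces from Settings > Filters > Export) and flags rules that forward mail to an address you don't recognise or that trash, archive or mark-as-read matching mail, with extra attention to rules targeting security-related senders. The embedded XML is a constructed sample, and the addresses in it are invented.

```python
"""Audit a Gmail filter export for rules typical of a compromised mailbox.

Added example (not from the thread). The feed format is Gmail's filter
export: one Atom <entry> per filter, each carrying <apps:property> elements
whose name/value pairs are the criteria (from, to, subject, hasTheWord)
and the actions (forwardTo, shouldTrash, shouldArchive, shouldMarkAsRead, label).
"""
import sys
import xml.etree.ElementTree as ET

ATOM = "{http://www.w3.org/2005/Atom}"
APPS = "{http://schemas.google.com/apps/2006}"

CRITERIA_KEYS = ("from", "to", "subject", "hasTheWord")
HIDING_ACTIONS = ("shouldTrash", "shouldArchive", "shouldMarkAsRead")
# Criteria mentioning these are the ones a hijacker would want to silence.
SECURITY_KEYWORDS = ("instagram", "security", "password", "verify", "login")

# Constructed sample export: one benign filter, two planted ones.
SAMPLE_FILTERS_XML = """
<feed xmlns='http://www.w3.org/2005/Atom'
      xmlns:apps='http://schemas.google.com/apps/2006'>
  <title>Mail Filters</title>
  <entry>
    <category term='filter'/>
    <apps:property name='from' value='newsletter@example.com'/>
    <apps:property name='label' value='Newsletters'/>
  </entry>
  <entry>
    <category term='filter'/>
    <apps:property name='from' value='security@mail.instagram.com'/>
    <apps:property name='shouldTrash' value='true'/>
    <apps:property name='shouldMarkAsRead' value='true'/>
  </entry>
  <entry>
    <category term='filter'/>
    <apps:property name='hasTheWord' value='password reset'/>
    <apps:property name='forwardTo' value='dropbox-example@attacker.invalid'/>
    <apps:property name='shouldArchive' value='true'/>
  </entry>
</feed>
"""


def parse_filters(xml_text):
    """Return one dict per filter entry, mapping property name -> value."""
    root = ET.fromstring(xml_text)
    filters = []
    for entry in root.iter(ATOM + "entry"):
        props = {p.get("name"): p.get("value") for p in entry.iter(APPS + "property")}
        filters.append(props)
    return filters


def audit_filters(xml_text, known_forwards=()):
    """Return (filter_index, action, criteria, targets_security_mail) per risky rule.

    known_forwards: addresses the owner set up deliberately; any other
    forwardTo target is reported.
    """
    findings = []
    for i, props in enumerate(parse_filters(xml_text)):
        criteria = " | ".join(f"{k}={props[k]}" for k in CRITERIA_KEYS if k in props)
        targets_security = any(kw in criteria.lower() for kw in SECURITY_KEYWORDS)
        if "forwardTo" in props and props["forwardTo"] not in known_forwards:
            findings.append((i, "forwardTo:" + props["forwardTo"], criteria, targets_security))
        for action in HIDING_ACTIONS:
            if props.get(action) == "true":
                findings.append((i, action, criteria, targets_security))
    return findings


if __name__ == "__main__":
    # Usage: python audit_filters.py [mailFilters.xml]; defaults to the sample.
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_FILTERS_XML
    for idx, action, crit, sec in audit_filters(text):
        flag = " <-- security-related mail" if sec else ""
        print(f"filter #{idx}: {action} on [{crit}]{flag}")
```

Filters that match the provider's security sender and trash or auto-read the mail are exactly the kind of rule that would explain a change-notification "never arriving"; run the audit against the real export and also check the account's forwarding/POP/IMAP settings, which are not part of the filter export.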

@fribbledom My best guess is a weak password without 2FA (don't know if IG supports 2FA)

@fribbledom Well, he should investigate if his old email account is hacked, which is probably how the hacker got control of his Instagram.

@fribbledom Instagram have a section in the account security details that lists all the emails (e.g. security-related) that they have sent you. A similar thing happened to someone I know. (And in that case the email account was also compromised).

@fribbledom Oddly enough, I sort of experienced this in reverse: someone managed to sign up for Instagram with my email address, despite my never having confirmed it. Later, when I signed up myself and confirmed my email address, it logged me into this other person's pre-existing account.

I had no way to contact them 'cause the only email address on file was my own. I changed the name and password, deleted all their stuff, and moved on.

@fribbledom (highly unlikely this is the same problem your friend had, but it does suggest there might be problems with their security model.)

@fribbledom I've heard similar stories. I suspect password re-use is a major part of it, given that none of the users affected used password managers.
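Several replies above point at password re-use from a breached site as the likely cause. The practical check for that is whether the re-used password appears in a public breach corpus, done without sending the password anywhere. The following is an added example, not code from the thread: it implements the k-anonymity range query used by Have I Been Pwned's Pwned Passwords service (only the first five hex characters of the password's SHA-1 leave the machine; the full hash suffix is compared locally against the returned list). The breach set it runs against offline is constructed for the example; `fetch_range_hibp` is the real lookup and is only used if you call it yourself.

```python
"""Check a password against a breach corpus via k-anonymity range queries.

Added example, not from the thread. Protocol (as used by HIBP Pwned Passwords):
  1. h = SHA1(password), uppercase hex (40 chars)
  2. send prefix = h[:5]; receive lines "SUFFIX:COUNT" for every hash with that prefix
  3. look for h[5:] among the suffixes locally
"""
import hashlib
import urllib.request


def sha1_hex(password):
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(full_hash):
    """Prefix (sent to the service) and suffix (kept local)."""
    return full_hash[:5], full_hash[5:]


def count_in_range(password, fetch_range):
    """Return how often the password appears in the corpus, 0 if not found.

    fetch_range(prefix) must return the text of 'SUFFIX:COUNT' lines for that prefix.
    """
    prefix, suffix = split_hash(sha1_hex(password))
    for line in fetch_range(prefix).splitlines():
        line = line.strip()
        if not line:
            continue
        candidate, _, count = line.partition(":")
        if candidate.upper() == suffix:
            return int(count)
    return 0


def fetch_range_hibp(prefix):
    """Real lookup against api.pwnedpasswords.com; the password itself is never sent.

    Add-Padding asks the service to pad the response so its size does not leak
    how many real hashes share the prefix.
    """
    req = urllib.request.Request(
        f"https://api.pwnedpasswords.com/range/{prefix}",
        headers={"User-Agent": "breach-check-example", "Add-Padding": "true"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


# Constructed stand-in for the remote corpus: password -> times seen in breaches.
CONSTRUCTED_BREACH_SET = {"password123": 1200, "qwerty": 800, "summer2018!": 3}


def make_offline_fetch(breach_set):
    """Build a fake range endpoint from the constructed set so the example runs offline."""
    by_prefix = {}
    for pw, n in breach_set.items():
        prefix, suffix = split_hash(sha1_hex(pw))
        by_prefix.setdefault(prefix, []).append(f"{suffix}:{n}")

    def fetch(prefix):
        # Mirrors the real response shape: CRLF-separated SUFFIX:COUNT lines.
        return "\r\n".join(by_prefix.get(prefix, []))

    return fetch


if __name__ == "__main__":
    offline = make_offline_fetch(CONSTRUCTED_BREACH_SET)
    for candidate in ("password123", "summer2018!", "a long unique passphrase nobody reused"):
        n = count_in_range(candidate, offline)
        print(f"{candidate!r}: {'seen %d times' % n if n else 'not in corpus'}")
    # For a live check replace `offline` with fetch_range_hibp.
```

A hit means the password should be treated as public regardless of which site originally leaked it; the SHA-1 here is only the lookup key the service uses, not a recommendation for how to store passwords.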

@fribbledom No idea. I've had unauthorised logins to my Steam account, which prompted a password change. But nothing more than that.


No idea how it got hacked, the email account seems fine and no spurious activity to detect otherwise. The Instagram password wasn't super-strong, but it still seems odd to assume a bruteforce password attack.

The hacker eventually posted a bit of spam in Russian and seems to then have deleted the account entirely - unless Instagram did, but obviously we didn't get notified of that anymore.

