Jordan Cox

How my beloved instagram account, @jordan, which brought joy to millions, was hacked and deleted by some asshole

In 2010, I saw someone (I think it was Jeffrey Zeldman) on twitter mention a brand-new app called Instagram, so I signed up and chose the username @jordan instead of my usual @jordancox. I’d never managed to get that username before! And then, eventually, Instagram got very very large.

At some point around 2012 or ’13, despite almost never posting, my followers started to increase into the thousands. From what I could tell, most of them were teenagers who had just seen someone mistakenly tagged with @jordan and tapped on my name out of curiosity. My photos, when I got around to posting one every three months, weren’t that good to justify any other reason for all the attention.


After a few months of increasingly thirsty username begging from my new followers, I figured I’d change my bio to some kind of greeting, nodding to the obvious reason 99.9% of my visitors were landing there.


For whatever silly reason this @dril tweet was in my head, so I tried in vain to capture that in my bio:

every day i open this log and read about people and teens asking me for my precious username with tears streaming down my face

Over the years this little bit of text brought me a few hundred “ur bio is life 😂😂😂”, “ur bio is goals 😂”, and “are you u saying teens are not people” comments, which I really did enjoy.

I also cross-posted to twitter sometimes, so Instagram knew what my twitter username was (jordancox). But they also applied this knowledge to others, meaning that when other people mistakenly tagged me, @jordan, on instagram (which happened dozens of times a day) and then, more rarely, cross-posted to twitter themselves via the Instagram app, Instagram would helpfully pre-modify their tweet, changing the @username they had tagged on Instagram to whatever the equivalent twitter account was. This obscure cross-posting feature led to my greatest achievement as an adult:


I also started to get a lot of password reset requests. I set up some filters in gmail to hide them, but for whatever reason I left some option on, for years, that sent me old-style SMSes with password reset links at all times of the day [EDIT TWO WEEKS LATER: it wasn’t actually possible to turn this off]. I posted on instagram about it recently:


I was lucky to only ever get one death threat; a very long, Call of Duty-addled rant that came after I told some kid to look for my password in his toilet. He said I was to be sniped by the navy, army, and air force all at once, which was nice (I wasn't familiar with the Navy Seal Copypasta at the time).


I tried over the years to respond to comments with a clueless, confused persona who didn’t know how money worked and was terrified of scams. This partially came from the fact that my wife, my friends, and I got countless requests on multiple sites asking to buy the account, or telling me to sell it to Nike, or the country of Jordan. In light of all this, I enjoyed pretending I had stumbled onto this site by mistake and landed some amazing username without understanding how any of it worked.

The kids were generally pretty nice and only occasionally descended into vicious name-calling (this often happened when one would angrily demand my username and another would begin defending my approach to the account by fighting with them, which was sweet, until the racism started). In retrospect, my lack of frequent posting and feigned confusion probably encouraged more people to try and get into my account with greater vigour, but oh well.

The nicest thing about all this was hearing from actual friends of mine who’d mention that they had wandered over to my comments and laughed for a while at the desperate begging and my erratic, confused responses. When I opened the app every few days, Instagram was a source of fun and comedy thanks to some lucky timing 8 years ago.

Anyway. That’s all very nice and nostalgic, so now on with what actually happened: yesterday I opened the app and got an ‘incorrect password’ prompt, something I’d never seen before. When I went to do a password reset, the pop-over said “we’ve sent a link to b*********7@gmail.com” — definitely not my email address.

When I went to look at my account from someone else’s app, I found it replaced entirely:


Eventually I found the email notifications from a few hours prior:


An instagram story showed up on the account (since deleted):


That image shows my account’s username being changed to jordan.lnsurgent, presumably freeing up @jordan for this guy to grab. He left his old bio, name, and instagram link in there after he grabbed my username, which seems sloppy. As I guess is standard in these kind of hacks, my now-changed account was then wiped entirely, so the photos & comments are gone.

Eventually he dropped the Fayadh ALanazi name from the account:


But I still can’t figure out how it happened. I didn’t have two-factor authentication on [EDIT TWO WEEKS LATER: it wouldn’t have made any difference], but my password was 29 characters long, automatically generated, had 3 symbols and random numbers and letters, was unique to instagram, changed only a few months ago, and itself protected inside an encrypted password manager. None of my other accounts showed any suspicious activity or logins or anything of the sort. I don’t think brute forcing this kind of thing is really possible.

The only things I can think of:

  1. Because instagram shows part of your email address when you request a password reset, people trying to get into the account would see the first and last characters of my email address, plus @gmail.com. My address isn’t that hard to guess and I use my real name everywhere online. Still, no suspicious activity in gmail, so I doubt someone got access that way.
  2. The SMS password reset could have been the way in. I never followed one of the links, but I presume all you needed to do was follow it (it was a generated token type link), set a new password, and you’d be into the account. Of course, all the SMSes were coming directly to me on a phone number I’ve had since 2007, which meant I never really worried about it. Maybe it’s not impossible to spoof an Italian cellphone number and intercept a few SMSes? [EDIT 2 WEEKS LATER: this was exactly what happened if this excellent Vice/Motherboard story is anything to go by.]

Unfortunately Instagram has very few ways I can find to report this, and I’ve got a series of boilerplate rejection emails so far. And I’d love to know from Instagram if they log the method by which your password reset link gets sent out/acted upon. If it was done by SMS, I should probably look at changing my phone number.

I had a lot of fun with the username and I do hope I can get it back. In the meantime, my new (hopefully temporary) instagram account is the equally-memorable @jordancox742 or something, I can’t remember exactly. Will it be as successful as my previous one? Only time will tell.


(UPDATED 5 Sep 2018: I got my account back through Instagram support. Was hacked once again, and got it back again. I am pretty convinced that it was plain old social engineering via the account recovery process. Nothing else happened with my phone to indicate I had any kind of SIM spoofing, and the hacker was posting images of account recovery forms in a variety of languages, suggesting he was taking advantage of contractors and convincing them to allow him to reset passwords. The lack of 2FA made this easier. Instagram is rolling out real 2FA and some other protections now as this became a big enough problem for them over the summer, it seems.)

(UPDATED 15 Apr 2022: Back in September 2021 my account got deactivated for ‘impersonation’. I presume someone managed to convince an Instagram support rep that I wasn’t me, never mind that it’s been me on the account since Instagram’s very first day.

I filed several appeals into the void, sending awkward photos of myself holding up my ID and all the rest. For about six months this went on, with usual bot replies from Meta saying their support queue was much higher with COVID-19 and they couldn’t deal with the tickets. Never seemed to get anything from an actual rep.

The other day I went to try again. Up to this point I could still put in my email/password, see that my account was deactivated, and get the link to file a ticket. This time, I found my password & two-factor auth no longer worked.

When I tried to change my password I saw the email associated with @jordan was no longer mine. I have no clear idea what happened, really. Maybe they freed up my account after I didn’t successfully manage to appeal the false deactivation? Or someone further convinced a support rep they were the real me? Anyway, it’s a shame.)