Alex Stevenson-PriceSo I've been secretly in a cold war with some weird crypto bros for like 6 months now, and worryingly in the last couple days it's looking like they've won. They wanted my Instagram handle, and somehow they've now got it. Without my consent. And it's kinda scary. Strap in for a toot storm (is that what we call it?) [1/16]
So it started around 6 months ago with a DM on that other place, it was from someone who claimed to be a "brand influencer" or whatever, with NFT profile pictures abound. They wanted to buy my Instagram handle for some stupid amount of money. I ignored it, because that's against the Insta ToS, and I didn't trust them anyway so what was the point in engaging. [2/16]
Over the following 6 months I proceeded to get more messages, in different venues, from different users offering the same thing. It got to the point where they found my husbands blog, found the contact form, and messaged him! Kinda desperate. [3/16]
I continued to ignore the messages, and started to find it kinda funny. The idea they wanted it so much and just couldn't understand why I wasn't replying to them was just... really funny to me? Satisfying. I don't owe them anything, right? [4/16]
So things changed last weekend. I opened Instagram on a whim and found I was signed out. Weird. I try to sign in and find the password and email on my account has changed. That's not good. At this point you're probably thinking "he had a weak password" or something, so let's briefly talk about the security on my account. [5/16]
It had a strong, unique, @1password generated password. It had 2FA enabled (with 1Password). It was also connected to my Facebook account, which also had a strong, unique password and 2FA. The email address is my Fastmail account at my own domain, protect with a st... you get the idea. [6/16]
So, back to last weekend. When they compromised the account they made one mistake: they didn't disconnect my Facebook account. I was able to sign in with Facebook, get the email changed back, change my password, replace the 2FA with a new one, disable password reset emails. [7/16]
At this point I was kinda worried, because I didn't know how they got in. I tried to contact Instagram but of course there's no way to do that. I took every step I could, audited my Facebook access logs in case they got in that way. But it didn't feel like I actually succeeded in plugging any holes because I didn't find any. 🤷🏻♂️ [8/16]
Now it gets interesting: Instagram say if the email on your account is changed you will receive an email from [email protected] where you can reverse the change. I didn't receive that. I've checked the Fastmail logs and am absolutely certain that account has not been compromised. Not only that but Instagram have a complete log of emails they've sent you in the account settings and when I got back in to the account there was no record there of them sending me that email. [9/16]
What else can I do? I forget about it and move on with my life. Fast forward to last night, I open Instagram and I'm signed out. They got in again. And this time they've disconnected Facebook, changed my handle, and created a new account that's claimed my old handle. This is interesting because Instagram say you can't claim a handle from an account that's recently changed their handle (I've heard 30 days floated, but can't find official confirmation of that) [10/16]
Once again: no email, no sign my email has been compromised. The only theory I have right now is that they had someone inside Instagram do it. Maybe they paid that person what they offered me? [11/16]
So you're maybe thinking "Instagram must have a process for this, something you can do when your account is hacked?" and the answer is... kinda, but also it's completely useless. You follow the account hacked form on the website and it just endlessly redirects you to the "I need help logging in" page. If I follow the "I can't login" process for the handle they stole Instagram wants me to enter a previous password for the account, which I can't do because it's brand new (I tried). [12/16]
If I follow that for what they changed my handle to (which I guess is now my account) then they accept my password but want to send a login code to the email they changed my account to. How does that help?! I can find no way to contact a human, there is no other process to follow. I'm out of options. Stuck unable to get into the account that stole my handle or my original account. Totally locked out. [13/16]
The stupid part is I don't even care about my Instagram handle. I barely use Instagram these days, and the handle alexprice isn't one I use anywhere else; it reflects my pre-married name, so doesn't feel much like me anymore... but it's the fucking principle of the matter. It's my account and I don't want these asshole thieves to win... and right now, it looks like they have. [14/16]
To be fair to the weird crypto bros, I have no proof they are connected to whoever has compromised my account... but it's hardly a big leap is it?
If you're curious, here's my account with the bullshit handle I didn't pick: https://www.instagram.com/alexprimediallc/
And here's the account with my stolen handle: https://www.instagram.com/alexprice/ [15/16]
That's all I got. I'm stuck, and it seems like they've won. If you have any theories on how they did this, or you know anyone at Meta who could help; please get in touch with me! Hope you enjoyed reading this mess. ¯\_(ツ)_/¯ Please boost the first post in this thread in case someone out there can help me! [16/16]
One thing I did try is filling out the "Report an account impersonating you" form, which is clearly not intended for the purpose I used it for, but was the only approach I could find that seemed to let me write text in a box that presumably a human at Instagram will see. So far I've only received some generic form responses, but fingers crossed that'll yield some results. 🤞
Apparently I’m on the front page of Hacker News now 😆 https://news.ycombinator.com/item?id=34547773
I’ve had a couple of Meta folks reach out, so I’m cautiously optimistic I might get somewhere? Fingers crossed the thieves won’t win in the end! 🤞
Amusingly, this thread has seemingly caused people to start following me on Instagram, on an account I cannot access, and yet I’m still getting push notifications for! ¯\_(ツ)_/¯
Two quick updates on my Instagram drama:
I'm not back in my account just yet, but it appears my account is back in its rightful place at https://www.instagram.com/alexprice/ so it looks like wheels are turning.
The second update I actually think is more interesting, and raises some more questions / mystery...
Remember I said I seemed to be gaining Insta followers from this and I could tell because I was still getting the push notifications? My Instagram account has gained over 500 followers in the last 12 hours. And they all have a pretty suss bot kinda vibe. Did the attackers also pay for a bunch of followers that are now just blindly following my account since it went back to its original handle? Are they trying some weird spam to make my old account useless? I don't understand!
Someone pointed me to this website where there are various “services” that claim they can get you pretty much any Instagram handle for $10k-$50k. “For individuals who have high budgets and want a premium service”. Not gonna link it because it’s dodgy AF but wild this kinda stuff is out there.
Also, holy shit my Instagram account (I still don’t have access to) now has 2600 followers, something very strange is going on over there! Fascinating to watch whatever the hell this is unfolding.
An update on my Instagram situation! Start here if you didn't read the original thread: https://mastodon.social/@alexjsp/109760277713815857
So I'm now back into my Instagram account, I think with a lot of thanks to Facebook people who reached out to me. Over the week following the hack it gained over 10k followers(!) and I do not know why; best theory I have is the hackers bought a bunch of follows but it's bizarre.
Amusingly, hitting that follower count has triggered a few messages and special UI for people with lots of followers. Am I an “influencer” now? 😝
Since two people have asked already: I have gained absolutely zero more information on how they got into my account and if there was any way I could have prevented it. I’d love to know one day, but I’m getting the sense I never will.
John Clayton@alexjsp we’re you able to get any explanation of how they got in, how to protect it?
@johnclayton Sadly: nope, and not a clue! 🙃
Adam Pike 
George Hammerton 
@alexjsp thanks for keeping us updated, this is a wild ride! 🎢
akash@alexjsp Instagram has some serious security flaws. Do keep the updates coming!
OutOnTheMoors@alexjsp It's unlikely to be a direct hack of your account. More likely to be either a "tame" IG employee working with those who sell "desirable" handles, or some social engineering - and involving SIM swaps - that gains them access to admin privileges such as changing email and passwords.
(I did a long-term investigation of influencers and platform manipulation, particularly on Twitter but also Insta, and spoke to a lot of people about their methods.)
(I did a long-term investigation of influencers and platform manipulation, particularly on Twitter but also Insta, and spoke to a lot of people about their methods.)
Philipp@alexjsp no worries. You also got some followers on mastadon out of it. (At least me… 😂)
Charles T@alexjsp Check again? It seems now that alexprice has photos of you and alexprimediallc no longer exists.
@CharlesMicah Oh that’s a very recent change! Interesting!
Jeff Atwood@alexjsp it honestly sounds like a bit of an inside job, as if they had contacts inside Meta who.. "did things". And knowing the historical morality of Meta, that doesn't surprise me a whole lot. It does suck though.
@codinghorror Yeah, that’s my assessment too. Assuming it’s the same people who tried to contact me to buy the handle, I can well believe the money they offered could bribe someone on the inside into editing some fields they shouldn’t.
Richard Stelling@alexjsp has anyone reached out for the screenplay rights? 😂
@rjstelling My agent is talking to Netflix about a miniseries. 😛
honk honk I'm a truck *brrrrr*@alexjsp @rjstelling Remember The Net from the 90s? See if they can get Sandra Bullock to back the remake...
jordancox@alexjsp I had the account @ jordan for about 10 years. Signed up on first day. Got endless requests for it. Was hacked similarly twice but had a contact at meta that helped. Year and a half ago my account got reported for “impersonation” and meta contact wasn’t reachable anymore. Eventually account seemed to go to someone else. Endless traps in that reporting interface that’s impossible once you properly lose it. https://medium.com/@jordancox/how-my-beloved-instagram-account-jordan-which-brought-joy-to-millions-was-hacked-and-deleted-by-8d881466b933
How my beloved instagram account, @jordan, which brought joy to millions, was hacked and deleted by some asshole
(UPDATED 15 Apr 2022: Back in September 2021 my account got deactivated for ‘impersonation’. I presume someone managed to convince an Instagram support rep that I wasn’t me, never mind that it’s been…
@jordancox Euch, that sucks. 😔 I’ve heard a bunch of similar stories since sharing mine!
travis@alexjsp I had a similar issue on the bird site about a year ago, I had the handle @travis since 2007 and last year my account was hacked, not exactly sure how, but I think it was related to the SMS 'STOP' issue, handle was immediately transferred to a different account and now both accounts are suspended, I never got any replies from support just emails that the tickets were closed
Jonathan Lang@alexjsp seems instagram fixed it? The new account doesn’t exist anymore… do you have your access back?
Steve Riggins@alexjsp good luck. Insider activity scares me to the bones with so much of our lives tied up in the digital realm and the trust we have in these systems. I would like to move to a system where an insider cannot do something like change account ownership without a encrypted approval. But in the end every system will have a back door for support purposes
aardvark@steveriggins @alexjsp precisely why no investment of anything you care about should be entrusted to Elon (for example), Zuckerberg, or any VC-funded social media.
tetherpoint@tetherpoint @steveriggins @alexjsp one reason why it matters whether a sw vendor claims to ship the same image to all customer devices. It allows for discovery of any altered images. Also why back doors are a no-go.
@aardvark @steveriggins @alexjsp I assume that automobiles, which should be classified as "safety-critical" devices, would be required to have signed firmware updates, so with that method a unique firmware update per user can work (but does not protect inside jobs, as you pointed out). Governments are requiring signed updates for consumer products, so...
@tetherpoint my point was about the value of the claim that all customers get the same firmware. It allows introspection that is valuable to all customers, and enables detection of tampered images. Signed, of course. Any OEM shipping unsigned updates should be put out of business. Individualized, however, would not be a virtue.
@aardvark Totally got it and agree except for custom firmware. I can see the merit in custom firmware (at least per feature set) with restricted firmware storage devices. As long as there are common sets and not individualized, which meets your stated requirement.
@tetherpoint if you don’t trust the OEM, how can you trust custom firmware? If you mean separate packages for bundling features, maybe. But crafted for an individual? That’s what Elon appears to be doing invisibly as he weaponizes Twitter to suit his desires. Claims of sameness provide an opportunity to test a company’s veracity. There’s no way to do that with Elon and Twitter and we sure don’t want to deal with it in safety-critical systems.
afwaller@alexjsp something is very very rotten within instagram because I’ve heard of similar stories happening to multiple people with desirable account names. There is a significant problem in their process or there are compromised people within the org.
Leszek Ciesielski
Mike Malcangio@afwaller @alexjsp I don't understand the appeal of usernames on Instagram (no character limits like old-school twitter, etc.). Is it just because some names are easier to memorize?
I have mm2 on there and have received strange offers similar to @alexjsp. At one point last year I received thousands of password reset emails over the course of a month. I reached out to support to no avail (who's shocked?)
Daniel Thomas
Ángel Domínguez 🎹 
@alexjsp Damn, I’m really sorry about that, and also newly worried about my account. I have one of those 3-letter handles, and I get constant attempts at stealing it. I felt a bit more at ease once they _finally_ implemented 2FA, but now not so much.
I hope you get help from an actual human and you recover your account.
@ahe Ooft, yeah I mean if “alexprice” is a target you have to imagine anything with 3 letters is danger zone! 🙃
Pyrex, nightsworn alchemisthey, when i click on `alexprice` i now see what looks like you, and the bullshit account appears to be gone. what do you see?