My Teen's Instagram Account was Hacked
What happened, how it happened, and how to protect your kid from the same fate.
My poor teen got hacked on Instagram today.
Her account’s gone, just like that.
The Hack
They started by hacking her friend’s Instagram account. In this case, it was a good friend of hers, someone she trusted. They began by messaging my daugther on Instagram.
Hacker posing as friend: “Hey. Could you do me a favor, please?”
My daughter: “Sure, how can I help?
The hacker then sent my daughter a screenshot that looked a lot like the old Request Help From Friends feature on Instagram. The screenshot said, “Verify your account with a code from your friend.”
Hacker posing as friend: “Can I get your phone number to help verify my account?”
My daughter: “Yep here it is (xxx)-xxx-xxxx”
The hacker then used the account recovery feature using my daughter’s phone number, which then triggered a login code to be sent directly to her phone.
Hacker posing as friend: “You should get a code. Can you send it to me?”
My daughter got the code on her phone.
My daughter: “Here is the code XXX-XXX.”
My daughter immediately felt off about the interaction and came and told us about it.
Before we had a chance to log in and reset the password ourselves, the hackers beat us to it, changing it first and locking her out of her account.
We tried the account recovery feature first with her email, and then with her phone number when that failed. Unfortunately, neither method worked, and we still couldn’t get back in.
Using her username to recover the account showed us that they had successfully changed the email and phone number associated with her account.
With that, she was fully locked out.
Then the hackers went after her friends. Starting with her Dad!
We tried following the steps on Instagram’s “Hacked Account” help page. Unfortunately, it’s basically just the same as the account recovery process. Meaning it only works if you still have access to the email or phone number linked to the account. So, not helpful at all in our case.
Stop The Spread
Once we knew the account was compromised, we wanted to stop the hackers from gaining access to the rest of her friends.
Parental Control
When Instagram introduced parental controls through the Family Center last year, we set them up for my daughter. It allows us to limit the amount of time she can spend on Instagram every day.
At first, I went into the Family Center to see if the parental controls offered any way to recover her account.
No dice.
Instead, I thought that maybe I could limit their ability to use her account.
BINGO!
Now the hackers are stuck with just 15 minutes a day to carry out whatever shady plans they had in mind! All thanks to parental control time limits!
Contacting Her Friends
As soon as we knew her account was hacked, my daughter messaged her friends and warned them. To make sure no one else fell for the same scam, she also asked a few of her friends to post on Instagram that her account was hacked.
I immediately messaged family members to warn them. It turned out they also went after my Mom, but thankfully, she had ignored the message.
I also posted on my Instagram and Facebook accounts to spread the message.
Once we knew we couldn’t recover the account, we also asked everyone to stop following her account.
Secure Your Account
The best way to secure your account is with a strong password and to have two-factor authentication set up. I highly recommend using a password manager. It saves you from having to remember that impossible, but very secure 20-character password.
For two-factor authentication, I recommend using an authenticator app because it’s harder to hack and offers stronger protection than text or email. You can try a free app like Google Authenticator or use a password manager that supports it. I use 1Password, a password manager that also generates authentication codes alongside your stored passwords, making everything easy and seamless to use.
I have set up 1Password as the authenticator for both my account and my daughter’s new account. Instead of enabling text as a backup method (because then it can be used to bypass the authenticator), I have copied a set of 6 one-time passwords into the password keeper in case something goes wrong with the authenticator.
Talk to Your Teens
I am a cybersecurity professional. I worked in cybersecurity for over 20 years. I know all about phishing scams!
I have explained phishing scams to my daughter multiple times. She uses a password keeper, and she had two-factor authentication set up via text message.
But it wasn’t enough; she got tricked.
This can happen to anyone. I mean, if Troy Hunt, who runs “Have I Been Pwned,” can get phished, anyone can.
The more we share about these hacks, the more they stay top of mind, and the better chance we have of avoiding them altogether.
So talk to your teens about this exact Instagram hack. It is currently running rampant.
Sorry to hear that your daughter's account got hacked. Not a pleasant experience.
Your experience in cybersecurity came handy and you were able to minimize the damage well. Thanks for sharing the steps!
Ugh, I'm so sorry your daughter went through this.
You both handled it with incredible speed and clarity, especially using the Family Center time limit as a way to disrupt the hackers. Smart thinking!
Thank you for walking through the steps so clearly. It's alarming how convincing these social engineering scams have become, and even more worrying how limited the recovery options are once the hackers switch out contact info.
Appreciate you turning a rough situation into a teachable moment for all of us 🙏