We Got Her Account Back, Here’s What the Forensics Revealed

It didn't end with the hack. Two days later they tried to ransom her account.

Last week, my teen’s Instagram account was hacked. If you haven’t read that story yet, now’s a good time to pause and catch up! Because now that we’ve regained access, I’m unpacking the forensics of what actually happened.

Through a friend who works at Meta, we were able to get my daughter’s account back a week after it was hacked. She already created a new account when we thought this account was lost forever, so we plan to delete this one.

Before that, the security expert in me wanted to see exactly what happened and what the blast radius of this hack was.

How many kids did the hacker reach out to?

How many other kids were hacked?

So let’s dig in.

The Hack Timeline

3:02 - 3:05 pm

The hacker reached out to my daughter at 3:02 pm, and she responded immediately. She thinks the messages are coming from a close friend.

Screenshots of the actual conversation between my daughter and the hacker, whom she thought was a good friend of hers.

Notice how the hacker is leaving a heart on each message she sends?! They went the extra mile to convince my child that this was her friend. Interestingly, they didn’t do this when reaching out to her friends once her account was hacked.

3:05 pm

The hacker has control of her account and presumably changes the phone number associated with her account immediately. Our attempts to recover her account using her phone number failed.

3:14-3:17 pm

The hacker goes through her message list and sends her top 29 contacts the following message.

Screenshot of one of the messages going out to my daughter’s friends, orchestrated by the hacker from my daughter’s account.

3:14 - 3:29 pm

Ten teens reply and agree to help.

Screenshots of the teens’ replies

The hacker sends them all the “Request Help From Friends” image seen below with the message “Can you please.”

A message from the hacker is trying to trick teens into sending them authentication codes.

At this point, two teens ghost the hacker. Good for them!

The hacker then asks for their phone number.

The hacker asking for the victim’s phone number.

Of the eight who stayed engaged, five figured out something was off and never sent their phone numbers or authentication codes to the hacker.

Three responded with their phone numbers. The hacker replied, asking them for the authentication code that they will need to gain access to their account using the “My account was hacked” functionality on Instagram.

One teen figured out the hacker’s game after they sent the hacker their phone number, and instead of sending the hacker the real authentication code sent them an old TikTok code!!! I laughed when they told me! Smart kid.

Two teens sent the hacker real authentication codes, the first at 3:26 pm and the second at 3:29 pm.

Only the teen who sent their code at 3:26 pm lost their account.

Why didn’t both of the teens who sent real codes lose their accounts? I needed to do some more digging to figure that out.

3:30 pm

At 3:30 pm the hacker went silent.

No more messages were sent from my daughter’s Instagram account after the initial wave. At first, I found this odd.

In my previous article, I mentioned using Instagram’s Family Center to reduce my daughter’s daily screen time to just 15 minutes to limit the hacker’s ability to message her friends, but I didn’t get home to make that change until after 4 p.m.

Looking back, I realized something else must have kicked in earlier. A few months ago, I had set a one-hour daily limit on her Instagram use, right when the hacker’s messages suddenly stopped.

My best guess? The hacker got locked out by parental controls. The existing time limit automatically cut off their access.

So, back to the question of why only one out of the two teens who sent real authentication codes actually lost their accounts.

Remember the teen who sent the fake code to the attacker?

The hacker texted “Check a new code” at 3:29. The hacker was busy trying to hack this teen’s account, but the teen kept the hacker busy.

When the other teen sent their real authentication code to the hacker at 3:29, the hacker was busy with the previous teen. Then they got locked out of the account at 3:30.

Screenshot of the teen that sent a real authentication code, but kept their account because the hacker was booted out of the account at 3pm.

That teen got lucky and never lost their account. Even if the hacker came back to my daughter’s account the next day after the daily limit reset, the code would have expired! Parental controls for the win!

After 3:30, another four teens responded to the hacker that they would be willing to help, but since the attacker was locked out, nothing happened.

In total, the hacker sent 29 messages to my daughter’s friends and successfully compromised one account. That’s a 4% success rate. I suspect it would have been higher if we hadn’t had parental controls in place. All things considered, that’s a disturbingly effective attack.

Here is all the data if you are interested

The data I compiled on the attack.

Two Days Later

Two days later, my daughter gets a text message from an unknown number.

Screenshot of the hackers texting my daughter.

The were hackers texting my daughter to see if she wanted her account back!!! They had saved her phone number from her Instagram account when they hacked it.

Don’t be fooled, this is the opening line to getting her to pay a ransom for her account.

My daughter laughed at this, and we blocked the number.

It was funny to her because she had nothing to lose. Yes, there were messages with her friends on her account, but there was nothing there to blackmail her with. It’s annoying that she lost her account, but that is all.

This is not the case for all teens, and there have been far too many instances of teens committing suicide for fear of explicit pictures they have sent via Instagram DM becoming public.

If you want to know more about this topic, I highly recommend below podcast by Jamie Barlett of the BBC. It’s not only about teen ransom, but also the effect of social media on teens. It’s a great and scary listen.

Talk to Your Kids

Talk to your kids. Tell them about this Instagram hack. Show them the pictures from this article so they know how to spot it.

Tell them if they do get hack that you won’t be mad.

Tell them to tell you immediately if they get hacked so you can help them.

Tell them there is no picture so bad that if it becomes public, they should kill themselves.

Seriously. Do it!

I just had the conversation again with my daughter. To be sure.

Tell them you love them no matter what, and no matter how embarrassing the photo is, you will deal with it together.

And please, suggest they never send or take explicit photos online, even in private messages. Since my daughter was 10, I’ve told her: If you wouldn’t want it printed on a poster in your school hallway, don’t send it. Because you never really know where it could end up.

Have the conversation today, before the hackers do.

---

Comments

[Neela 🌶️]

This is such an important story.

Thank you for pulling back the curtain Dinah. So many of these scams feel like “someone else’s problem” until it happens to your kid.

Thank you for turning a nightmare into a teachable momentfor all of us.

[Jocelyn Millis]

You did great work as a Mom to track what the hackers have done. I’m impressed.🌹