We've seen a number of hacking attempts on high profile brand and celebrity Instagram accounts over the years, including regular attempts on our own @candid handle. Many of these episodes were pre-2017, before Instagram rolled out 2-factor authentication, and all were eventually resolved, but it's never pleasant and can drag on for days.
Just this weekend Mesut Ozil, the Arsenal star who has amassed some 13M followers, had his account compromised:
My Instagram account has been hacked - my team and I are working on it ...— Mesut Özil (@MesutOzil1088) July 2, 2017
For larger brands and advertisers who have access to a Facebook rep, you can always escalate security issues through them and they'll likely be handled more efficiently than the public forms. For everyone else, the tips below will save you.
As of July 2017, here is the ironclad 5-bullet recipe social media managers can follow to ensure their Instagram account remains safe and accessible at all times:
- Ensure you have 2-factor authentication enabled across the board. Your Instagram account is only as secure as your email and Facebook accounts, so you need to make sure those are locked down first. This step is not optional in 2017. Keep backup codes in a safe place should you lose access to SMS delivery. If you haven't linked your Instagram account to a Facebook business profile, be sure to do that as it will allow you to reset your password through Facebook verification.
- Use a password manager like 1Password and auto-generate random passwords for every service you use, including Instagram.
- Call your cell phone provider and put a “do not port under any circumstances” hold on your phone number. It is way too easy to port a phone number, and once a hacker has your number, they have access to two-factor codes coming via SMS. Hat tip to Fred Wilson for this one. NOTE: In Canada and other countries, this option may not be available, but you can set up alerts and recover your number fairly quickly.
- If there are password reset emails coming through your inbox that you didn't request, you should see an option at the bottom that reads: "Didn't request this email?" Click it and it will provide you with an option to 'Limit Login Help Emails to devices you've used in the last 60 days'. This takes at least one attack vector out of the equation and provides the peace of mind of not having to see these emails in your inbox every morning.
- Finally, avoid logging in through the Instagram API's web interface (and triggering the OAuth flow) in foreign countries or locations that are not typical for your account. This is particularly important for logging into marketing or analytics platforms with your Instagram credentials, as it can lock the account and require you to re-connect to all the platforms or apps you use. All of these platforms should offer a companion email/password based login that can be used as an authentication and authorization replacement while you're on the road.
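The second bullet above recommends letting a password manager generate a random password for every service. The snippet below is an added example (not code from this post, 1Password or Instagram) of what "auto-generate random passwords" means in practice: draw each character from the operating system's cryptographic random source rather than the predictable `random` module, and measure the result in bits of entropy. The default length of 24 and the 94-character alphabet are assumptions chosen here; it uses only the Python standard library.

```python
import math
import secrets
import string

# Character set a password manager typically draws from: letters, digits and symbols.
# Assumption for this example; len(ALPHABET) == 94.
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_password(length: int = 24, alphabet: str = ALPHABET) -> str:
    """Return `length` characters chosen uniformly at random from `alphabet`.

    `secrets.choice` is backed by the OS CSPRNG, so the output is not
    reproducible by an attacker who knows the generator, unlike `random`.
    """
    if length < 1:
        raise ValueError("length must be positive")
    if len(set(alphabet)) < 2:
        raise ValueError("alphabet must contain at least two distinct characters")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random password: length * log2(alphabet size).

    A 24-character password over 94 symbols is about 157 bits, far beyond any
    online or offline guessing budget; an 8-character lowercase password is
    under 38 bits, which is within reach of offline cracking.
    """
    return length * math.log2(alphabet_size)


def is_well_formed(password: str, alphabet: str = ALPHABET) -> bool:
    """Sanity check used by the test: every character came from the alphabet."""
    return all(c in alphabet for c in password)


if __name__ == "__main__":
    pw = generate_password()
    print(pw)
    print(f"{entropy_bits(len(pw), len(ALPHABET)):.1f} bits of entropy")
```

Because each password is generated independently, there is nothing to reuse across services; that is the property a password manager gives you, and the reason a compromise of one site's database does not hand an attacker your Instagram login.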
Security is always a moving target and while avoiding these headaches is pretty simple it does require some vigilance to stay on top of updates to ensure your settings are still the 'gold standard'.