It's Tuesday morning, April 26, 2022. I'm making coffee, easing into what will hopefully be a pretty satisfying day of organizing at the warehouse. Jenny's getting ready in the bedroom. I get a direct message on Instagram. It's a previous customer. And, it's all downhill from there.
The message reads: "Hey. I am contesting for an ambassadorship spot at an online influencers program .........A link will be sent to you all you have to do is screenshot it and send it back to us and we'll send it to your sponsor..."
Both our phones were immediately logged out of all our accounts on Instagram. We tried to log back in but kept getting errors. Then the emails from Instagram started. New login to Instagram. Email has been changed. Password has been changed. Two-factor authentication has been turned on. One each minute. Our hearts sank.
They started by posting a screenshot of a Bitcoin account, it may have even been the one I've seen before. The hacker(s) then worked through our direct messages and followers list, phishing in the same way I got tricked.
Panicking, we both got our laptops out and began Google-ing possible contacts for Instagram and Facebook. There is quite literally no way to contact anyone at Instagram through any customer service type avenue.
FACEBOOK BUSINESS CONCIERGE IS USELESS
We use Facebook Business (now Meta Business Suite) to manage parts of our Instagram, and we thought reaching out to them would at least get the recovery process started. And it started off very promising. We were connected to a representative almost immediately over chat. After summarizing what happened, she said it would probably be better if we talked over the phone in 15 minutes. This was amazing! And she actually called!
How did she help? She didn't. She said because the hackers turned on two-factor authentication, we had to go one of our personal Instagram accounts, go to Settings > Help > Report a Problem, explain our situation with our current contact information, and someone would get back to us in 24-48 hours.
So we did. And we waited. At the time of this post, we have still not received a response from that request.
BAD IDEA #1: A BACKDOOR TO MESSAGES
While in Facebook Business's platform, Jenny saw that we had access to Instagram DMs. She tried sending one, and it worked! And she was off! Messaging as many people as she could, warning them about the hackers.
But they were watching too and weren't going to just stand by. They started posing as us, but as if we had regained control of the account! We went toe-to-toe with them for a solid 15 minutes until they deleted everything from the account - all the posts in our history. Apparently it's very difficult to get back a deleted account, so we stopped sending messages.
They put everything back, minus the bitcoin post, and resumed mining our followers with their scam, now with an added layer that the account was hacked, but is safely back in our control.
At this point too, the identity theft escalated. They went back in message history to see that I sign off each conversation with my name, and generally an emoji or two. They also seemed to get more polite, even thanking people who thought it was too strange to commit to.
VIDEO SELFIE VERIFICATION
By Wednesday morning, about 24 hours in, we couldn't just continue to wait. I found out from a customer who was hacked by our account that she started a Video Selfie Verification process. After some research, I found instructions to navigate through the Login screens to get to it.
- At the main Login screen, tap "Forgot Password"
- Enter your username.
- Tap on "Need More Help" at the bottom.
- If the available digits confirm your phone number, get a code sent via text. Enter the code.
- If it asks for a Second Backup Code, tap "Try Another Way," "Get Support," and choose the "My account was hacked" option.
- You will now record a guided video of different angles of your face.
- Instagram will send you a confirmation email in a few minutes.
The problem is that we haven't posted a lot of selfies. We're a bookstore. We show books, we show customers, and we show customers with books. I did recently take a selfie with Alton Brown (of Good Eats and Iron Chef America fame), so we thought there was a chance.
We waiting all evening, only to wake up on Day 3 to find a denial in our inbox. We tried 4 more times. I even dressed up like the selfie that was on our account - the same hat, the same jacket, and even the smile! Some rejections came within a few minutes. The 5th never did.
So we canceled the Story Sale scheduled for the following day. We had a selfie video pending, but we were pretty much out of ideas.
BAD IDEA #2: PLEADING WITH THE HACKERS
Thursday morning, Day 4 if you're keeping count, we received an e-mail from a customer saying her account got hacked, but that she messaged the hackers from another account, asked them to give the account back, and they did! Simple as that!
So despite Jenny's reservations, I went for it.
So yeah, I stopped after "So little." Pretty creepy. They followed up with "Are you snubbing now?" and "Good Day Chris" before unsending only the blackmail request and blocking me.
We reach out to Jenny's brother, who works at Microsoft, he says he'll reach out to some friends he knows at Facebook and see if there's anything they can do.
HOW IT WAS RESOLVED
Thursday evening we got a response for the Facebook contact! They needed the original hacked account name, the last email associated with the account, the approximate time of the breach, and a new email not associated with any accounts on Facebook or Instagram. A 24-48 hour turnaround time would have been the norm, but apparently Friday was Meta Day, an internal Facebook holiday, so things would likely be delayed.
Meanwhile, a customer forwarded our email warning everyone about the hack to her friend at Instagram. She offered to place a request for us in a similar fashion, which we did, just in case the other one didn't pan out. And she was completely amazing. It's great to have book lovers in tech, she pretty much helped us out of the kindness of her heart and her love of books.
Saturday was somehow more draining. Other hacked accounts seemed to get resolved around us, but nothing on our end. We had requests in with two different employees from two different subsidiaries of the same company, but Meta Day and the weekend proved to be real obstacles.
Sunday morning we received a password reset email from Instagram, but we couldn't determine it's legitimacy. We ran it by our Instagram contact, and she said there hadn't been any notations of emails sent, so it was probably best not to take the risk. So we waited.
By Sunday evening, it seemed like we'd have to wait another few days. But then I received a text from Jenny's brother saying the case was resolved as far as his friend knew. I told him about the email early Sunday morning, we cross-referenced the case resolution timestamp with the password reset email timestamp, and we finally got our account back.
WHAT WE LEARNED
Heed the Warning Signs
From the salutation, to the improper grammar, to the vague circumstances, to the odd calls-to-action - if it feels weird at all, trust your gut and stop yourself before responding in any way. I've seen some customers respond to the hackers by plainly stating "This is a scam." I think that's a really good practice, to almost say it out loud to reassure yourself that something doesn't feel right.
This was my downfall. I wanted to be an easy hero-of-the-day, assumed way too much, ignored blatant red flags and left myself, our company, and our future vulnerable. Jenny also thinks we may be more susceptible to it on social media, where we're scanning and skimming images and text so fast we're not evaluating things in a normal way. Maybe a lot of both.
Turn on Two-Factor Authentication (2FA)
This added layer of security could have prevented the entire fiasco. As soon as the hackers tried to log in, I might have been able to deny their access because of text verification. But I didn't have it turned on. I do now. And we're looking into third-party password managers and authenticators.
Make Contact with a Facebook or Instagram Employee
The Video Selfie Verification process seems to be the only recovery tool accessible to the public. If that fails, the only viable option is to get in touch with an employee at Facebook or Instagram. There is an employee service request thread, specifically designed for employees to submit their friends' hacked accounts. Our contact said she gets 2-3 each week. This is a strange reality, and luckily we knew a few employees through the grapevine.
WHAT WE'LL NEVER KNOW
The classic Five-Ws - who, what, when, where, and why (and how). Who the hell is doing this? Who is paying them to do this? What is the endgame? When will they be caught, punished, or even just stopped? Where is this coming from? Here in LA? Overseas? And God why? Why would anyone do this? How do they make money?
It's enraging to think about. And the questions don't stop with the hackers. Why doesn't Instagram have a better solution, especially for business accounts? Especially if it's as rampant as it seems. It's scary to think about all the unanswered questions there are when it comes to the nature of our relationships with these social media platforms. We've committed so much of our lives to them without knowing what their intentions are for us, and they seem pretty happy with the arrangement.
We don't know much more than we started, and as tense as it was for almost a week, it's over now and I hope to never put us in that type of situation ever again. We are taking security much more seriously, but in the end, it was my poor judgment that made it all possible.
Thank you all for supporting us in all the ways you did - sending notes of encouragement, connecting us with resources, messing with the hackers, spreading the word and buying books from the site. In what was mostly an enraging and frustrating experience, your unwavering support is the silver lining that pushes us to move past it onto the much bigger and brighter things ahead.
Chris Capizzi is co-owner of A Good Used Book. He lives and works with Jenny and their two dumb cats in Los Angeles.