“I was hacked”… or “how I was an idiot and forgot Two-Factor Authentication…”
When I first realised my Instagram had been hacked, my first thought (other than “I really hope no one finds out”) was “No chance, not me, I know my security, it’s my job”. Mine was a semi-dormant Instagram account I post to maybe once every couple of months. However, it was so little used that I was stupid enough not to have changed the password, even after I knew that the password I had used was compromised (the absolutely fantastic https://haveibeenpwned.com/ let me know that, and I’m guessing that lost packet of PII was where he got my details from); it fell outside my list of things to change, and it slipped through the cracks. I also managed to forget to enable two-factor authentication (these two mistakes were ultimately my downfall…).
Now I’m guessing you’re thinking “what an idiot” and “how could he be so careless”, and honestly I totally agree with you: I was a moron for not changing the password or enabling two-factor. However, at the time I managed 5 Instagram accounts (now 3), have three Facebook pages, and run various Twitter accounts and websites, whilst also working in a busy recruitment company and managing their cybersecurity, for which I have lists of procedures and spreadsheets of data with dates when passwords were last changed and security checks that have to be done… however, my personal Instagram feed fell by the wayside through my own complacency.
I was in London at a client meeting, and I first noticed something odd when my phone buzzed and told me that someone had tried to log in to my email account, which I thought was odd (but I put it down to my other half wanting an Amazon receipt or something; after all, I can’t be getting breached, can I‽). When I checked, I realised no such thing had gone on. Odd, but nothing to worry about, I thought, until I logged on to my Instagram account a short while later… and saw my personal Instagram had gone. Now luckily I follow myself from another account and could look for my name. It had gone, and instead, after some searching, I found it had been replaced by another: my photo, my pictures, stories etc., just a different name… “How dare they”, I thought, and immediately sought help. However, it’s damned hard to find on Instagram: you need to sign in (a bit hard if they’ve changed your name and, as I soon discovered, my email and phone number!) and then seek help from there. Once I had sought help, Instagram went into action quickly, requesting confirmation of who I was and a few other details, and luckily my account was recovered in a few hours… however, it is what leads on from there. I spent a longish night changing passwords and double-checking my 2FA on other pages (Facebook, LinkedIn etc.). Ultimately, more time and frustration from my complacency.
Now the reason I’m putting myself out there, embarrassing myself a bit, and being open is to say: no matter who you are, how careful you are, and how good you think you are, there is always one weak point…
Don’t be stupid like me, amongst other things:
>Keep a list of the main sites you put your passwords on (not your passwords though); so you can change passwords and access details quickly and methodically if needed.
>Enable 2-factor authentication, EVERYWHERE you can. No half measures.
>Use non-personal (i.e. no football teams, no mothers’ names, no pets’ names or years of birth) long and random passwords (the longer the better for your more secure stuff).
>Make sure you use different passwords everywhere, as the first thing the “hacker” did was to try my email account and see if the password was the same; luckily it wasn’t, and my 2FA brought it to my attention (Instagram, however, does not ask you to confirm password changes if your 2FA isn’t set up… beware!).
>Consider using a password manager as it’ll help loads in remembering all these passwords.
Thomas Paffett; 7th June 2018
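The first tip above (a list of sites, without the passwords) can be checked automatically so that a rarely used account does not slip through. The script below is an added example, not the author's own tooling; the CSV columns, the sample rows, the `.example` site names and the 365-day age limit are all assumptions made for illustration.

```python
import csv
import io
from datetime import date

# Constructed sample inventory: sites and dates only, never the passwords.
INVENTORY_CSV = """site,account,last_password_change,two_factor,breach_notified
instagram.example,personal,2016-03-01,no,2017-11-20
instagram.example,business,2018-05-02,yes,
mail.example,main,2018-01-15,yes,2017-11-20
facebook.example,page-admin,2017-02-10,no,
"""

MAX_AGE_DAYS = 365  # assumed personal rotation policy, not a standard


def audit(csv_text, today):
    """Return [(site, account, [findings])], most urgent account first."""
    scored = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        changed = date.fromisoformat(row["last_password_change"])
        notified = row["breach_notified"].strip()
        findings, score = [], 0
        # Worst case: a breach notice arrived and the password is still the old one.
        if notified and changed <= date.fromisoformat(notified):
            findings.append("password not changed since breach notice")
            score += 4
        # Without a second factor, a leaked password alone gives full access.
        if row["two_factor"].strip().lower() != "yes":
            findings.append("2FA not enabled")
            score += 2
        if (today - changed).days > MAX_AGE_DAYS:
            findings.append("password older than policy")
            score += 1
        if findings:
            scored.append((score, row["site"], row["account"], findings))
    scored.sort(key=lambda r: (-r[0], r[1], r[2]))
    return [(site, account, findings) for _, site, account, findings in scored]


if __name__ == "__main__":
    for site, account, findings in audit(INVENTORY_CSV, date(2018, 6, 7)):
        print(f"{site} ({account}): " + "; ".join(findings))
```

The `breach_notified` column holds the date a breach notice for that account arrived, for example from a breach-notification service; leave it empty when there has been none.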