I'm back - and it feels great, but what a journey it's been.
Last week my Instagram account was hijacked by a hacker who deleted four years of photos. It looked dire. I was almost certain my photos and 11,000 followers were lost for good.
I had watched, powerless to do anything to stop them, as the thief made off with their loot. But I wasn't prepared to sit idly lamenting the loss.
I posted this story across the social media accounts still under my control:
How they did it
The hacker cracked my password and locked me out by changing the password and email address associated with my account.
So, I emailed them.
"Hi there,
"I'm not really sure what to say… you've taken over my Instagram account and I guess I'm just really scared I’m going to lose those years of memories.
"Do you want the followers - is that why you're doing this?"
The email continued, I appealed to them to stop, but I was asking the wrong person - an American on holiday in England:
"Hey Samantha,
"I'm not entirely sure what's going on? I've got emails from Instagram asking me to Verify my account although I don't have one, is this what you're referring to? I believe if my Email is being used I can recover this Instagram account talked about correct?
"Please respond ASAP!"
I kept the American in the loop about what was happening, which paid off down the track when they connected me with my hacker.
Meanwhile, my excessive emails to Instagram's support team were going unanswered.
It was time for a multi-pronged counter attack.
I spoke to social media expert Cate Owen. She took my case to the New Zealand Facebook team. (Facebook bought Instagram for US$1 billion in 2012.)
I wrote an article and not long after it went live I got a call from Gavin, who looks after Instagram's PR here. He took my case to Facebook Singapore and crucially, verified that I was indeed who I said I was.
Kind words from my Facebook community assured me there was a way to fix this.
What my Instagram hacker had to say when I tracked them down
Then I got an email that made my skin crawl:
"i was told you wanted to talk?"
The hacker had revealed themselves to the helpful American when they changed my account's email address a second time.
Apparently they had good reason to want my account and were open to talking. They felt sure I would understand.
"I can give you back the username @samanthahayes, i can also post to follow the real samanthahayes @samanthahayes on Instagram, you will need to inform your facebook aswell. [sic]
"i will help you get all the followers you lost back, i am sorry for whats happened and i'm sure you can verify your account like how you did the first time, i seen it was Verified and i wanted it to help me grow as a whole, i'm sure you can understand this. [sic]
"i believe i have saved a few pictures that i thought would have meant alot to you incase you have gotten in contact with me, i would need to find them though sadly. [sic]
"sorry this has happened, but if its okay with you i would just like to keep the account for the verification status as it will help me in the long run. [sic]
"if there's anything i can do, anything at all please let me know. [sic]
"respond to this email as soon as you can, thank you. [sic]"
I never responded.
An hour or two later Instagram moved to re-take the account. By the next morning all my photos had been restored.
I've lost a few hundred followers but that's ok. The hacker's friends aren't so happy. They've been posting under my photos, apparently furious I was able to undo their handiwork. I'm systematically blocking them and I'm scared they'll target me again.
A word of caution
Martin Cocker, executive director of Netsafe, said it's best not to engage over email.
"As a rule, we don't recommend communicating with the hacker. Further communication does not provide any benefit for you, but creates opportunities for them," he says.
"We encourage users of online services including social media to establish any verification or second factor security features that are available. This will make a big difference if something does go wrong. The best thing to do when an account gets hacked is to report it to the site as soon as possible."
Instagram says it's beginning to roll out two-step verification but didn't provide any advice on what people who have already been hacked should do.
My advice is set up two-step verification. Do it now. Right now. Sure it's annoying to have to enter a password and then a code but I can assure you having your account hijacked is far more annoying. It's scary. I've learned my lesson.
Do you need help?
Contact Netsafe at queries@netsafe.org.nz
Newshub.
