Skip to content
Naked Security Naked Security

How my Instagram account got hacked

After years of embarrassment, I'm finally ready to admit how and why my Instagram account got hacked.

Every so often I receive an unsolicited friend request on social media from an attractive woman doing a suggestive pose in her profile picture.

I’m not just showing off that I get the occasional friend request from an attractive lady. The person in the profile picture of these accounts probably looks nothing like the person requesting to follow or befriend me.

Quite often these are hijacked accounts used by a cybercriminal to exploit your sexual desires.

I’m going to share a deep dark secret with you

Today it’s Data Privacy Day, and to celebrate I’m going to tell you the story of how my leaked data was used against me by hackers to login to my Instagram account.

In April 2012, Instagram was launched on Android devices. When the popularity of the Android app grew, I signed up to an account and uploaded a single picture to see what the fuss was about. I then removed the app and didn’t sign into the app again until 2015.

When I signed in, I could see that my account had been following thousands of people unknown to me.

Yes, that’s right ladies and gentlemen, I may have once been an attractive woman doing a suggestive pose to lure people into following me back or click on a link.  Well, perhaps my hacked Instagram account could have been.

I had a million and one questions running through my head as to how this could happen.  In 2015 my career in IT Security was budding, and to save myself the embarrassment of having a hacked account, I immediately changed my password and unfollowed all unknown accounts.

4 years on, I think I know what happened

In the news every so often, we see a company suffering a data breach. These data breaches may include things like passwords and email addresses.  Between 2012 when Instagram was launched and 2015 when I logged back into my account there were a number of breaches of note, including Yahoo, Adobe, eBay, JP Morgan, LinkedIn and Target.

It’s very likely that whoever logged into my dormant Instagram account was using a method that is referred to as credential stuffing.

Credential stuffing is when a hacker takes passwords from the data breach of Company A to login to a web app of Company B.  This relies on the victim (me) having reused my password.

Now, I know what you’re thinking, “But Matt, don’t you have a different password for every account?”  Well now I do, yes.  Unfortunately, the Matt of 2012 wasn’t as well versed in the field of IT Security as the Matt of present.

Security advice

How do you know that your Instagram or other social media account has been compromised?

If you find that your Instagram is starting to follow people you wouldn’t expect, your profile picture has changed without your knowledge and your bio suddenly reads “click here for a private chat 😉” or something equally flirtatious, then you may have been compromised.

Instagram advises you to change your password immediately and revoke access to any suspicious third-party apps.

Whether or not your account has been compromised here’s what you can do to strengthen the security of your social media presence:

  • Don’t reuse passwords for different services! This is a great chance to set up and use a password manager. It’ll generate and store a unique password for every website you sign up to.
  • Setup 2FA! Instagram along with lots of other social media platforms now supports the use of two-factor authentication so that you don’t have to solely rely on your password.
  • Delete the account, not just the app! If you’ve decided you’re finished with an app, don’t just remove it like I did.  Find out how you can delete your account and do that as well!


Every week or so I get an email from Instagram about me having trouble logging into my account. Not sure why someone wants to get into my account so much, I think I’ve posted a grand total of 1 picture and I look at the app maybe 1-2 times a month.


I wouldn’t be surprised if 2012 Matt’s abandoning his account was precisely why it was compromised. Sure it’s great to pwn a well-known account–we’ve seen the stories here to confirm they can be briefly lucrative (similar to when NotElonMusk promotes a BitCoin refund scheme). Then again an unused-but-still-open account can network and network and network.

Your account may look just neglected enough to fit that purpose, so they keep trying. …irrespective of whether “they” is one dude or consist of a horde of unrelated attackers.


I don’t know how long Instagram has been doing this but if I don’t log in on a regular basis it would send me an email to say here we made it easy for you to login again just click this link.

Anyone who received that please login email could just go right ahead and log into my Instagram account and take it over if they wanted to.

I really don’t have much concerned about Instagram. However since I bothered to create my accountit would be nice if they let me secure it for and kept that password active until I had a reason to change it.

I’m not passing out my email address. At least not the one connected Instagram.


Leave a Reply

Your email address will not be published. Required fields are marked *

Subscribe to get the latest updates in your inbox.
Which categories are you interested in?
You’re now subscribed!