My Instagram got hacked, now what?

Gilbert Wat (屈振鵬) · March 8, 2020

This morning when I woke up and did my daily routine of checking email, two very suspicious emails showed up in my inbox.

The first email showed that someone had logged into my Instagram account in ... New Delhi.

The second email was even weirder: someone had logged into my Instagram account in ... Palestine.

Of course, first things first, I checked whether it was a scam or not. It seems not to be the case:

  • the email is legit
  • the reset-password link's SSL cert is legit

I immediately checked if the hackers had posted something on my behalf. After all, all I care about is my reputation. Luckily there was none. What a relief. :relieved:

Of course, the next move I took was to reset my password. Twice. I admit it was irrational, but it made me feel … cleaner. This password cracker has violated me.

After this irrational move, it may have tended to my own emotions, and my rational self came back. I was very concerned about the blast radius. How much of my personal information has been exposed? How many accounts are linked to this Instagram account that I need to take care of? Can people use that information to do harm? I went through a thorough exercise, and I concluded that my personal photos, phone numbers, 2 email addresses and Facebook accounts have been compromised. Luckily I have already published that information somewhere, and there was nothing I was too concerned about.

It is very lucky that I always practice good security hygiene to prevent an all-out leak of my personal information. My principles are simple:

  1. Use a password manager. My recommendation is 1Password or iCloud Keychain. Before I subscribed to a password manager, I had been reusing passwords since I had my first online accounts. That didn't give me peace of mind, so I added a trick: I separated different services into 3 tiers. I reused a password within the same tier, and I won't put sensitive information into services in a lower tier. And for banks, I have the longest password.
  2. Everything I upload to Facebook is considered public. This company cannot be trusted.
  3. Use a long password. For example, %4FHcdh is less secure than this-is-a-good-pwd or hack-shanghai-xijingping-winnie. Just check your password strength in this tool
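To make the third principle concrete, here is an added estimator (not from the post) that rates the post's two example passwords under two attacker models: pure character brute force, and guessing each separator-joined word from a word list. The 20,000-word list and 1e10 guesses per second are assumed figures.

```python
import math
import re

# The two example passwords from the post's third principle.
SHORT_MIXED = "%4FHcdh"
PASSPHRASE = "this-is-a-good-pwd"

# Assumed attacker parameters (not from the post): a list of 20,000 common
# words, and a cracking rig that tries 1e10 guesses per second.
ASSUMED_WORDLIST_SIZE = 20_000
ASSUMED_GUESSES_PER_SECOND = 1e10

# (regex, alphabet size) for lowercase, uppercase, digits, ASCII punctuation
CHAR_CLASSES = ((r"[a-z]", 26), (r"[A-Z]", 26), (r"[0-9]", 10), (r"[^a-zA-Z0-9]", 33))


def charset_size(pw: str) -> int:
    """Size of the union of character classes the password draws from."""
    return sum(n for pattern, n in CHAR_CLASSES if re.search(pattern, pw))


def brute_force_bits(pw: str) -> float:
    """Entropy if the attacker brute-forces every character position."""
    return len(pw) * math.log2(charset_size(pw))


def wordlist_bits(pw: str, wordlist_size: int = ASSUMED_WORDLIST_SIZE) -> float:
    """Entropy if the attacker knows the password is separator-joined dictionary
    words. Returns inf when a token is not a plain word (model not applicable)."""
    words = [w for w in re.split(r"[^a-zA-Z0-9]+", pw) if w]
    if not all(w.isalpha() for w in words):
        return math.inf
    return len(words) * math.log2(wordlist_size)


def conservative_bits(pw: str) -> float:
    """A password is only as strong as its weakest plausible attack model."""
    return min(brute_force_bits(pw), wordlist_bits(pw))


def years_to_exhaust(bits: float, rate: float = ASSUMED_GUESSES_PER_SECOND) -> float:
    """Wall-clock years to try every candidate at the assumed guess rate."""
    return 2 ** bits / rate / (365 * 24 * 3600)


if __name__ == "__main__":
    for pw in (SHORT_MIXED, PASSPHRASE):
        bits = conservative_bits(pw)
        print(f"{pw:20} {bits:6.1f} bits  ~{years_to_exhaust(bits):.2e} years")
```

The word-list model is a deliberate lower bound: a random all-letter string would be scored as a single dictionary word, so the estimator errs on the pessimistic side.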

Hope you won’t have to go through what I had this morning!
