I was an early Instagram user and got my nickname as my handle and I keep getting either locked out of my account or compromised altogether.<p>Over the years, hackers have tried a number of things to steal my handle and I can usually tell how they get in. These days, I have no idea. I've been SIM swapped a handful of times. One time a hacker faxed a fake ID to Godaddy to try and swap out my domain to gain control of my email (they were successful).<p>Now, I will try to log in to my account and will just be locked out. The email I created specifically for Instagram is not recognized, and there is no way to reset my password.<p>I have two-factor auth on, I don't use the same password anywhere else, I change it regularly, etc.<p>My current theory is there is some employee at Meta that's ultimately stealing the account. Does anybody have any idea how they're hacking me?<p>PS: the worst part about all this is in order to get the handle back, I have to pull strings with folks I know at Meta, for a normal user, they would have absolutely no way of regaining access...<p>[Update] Just got the account back and still have no idea how my email was removed from the account...<p>[Update 2] Reviewing the security section I see a password reset email was sent to [username]@instagramz.com. No clue how or who changed the account email to that though.
Your situation is apparently common nowadays with OG usernames and can get very dangerous. I had no idea this was a thing until I listened to an episode on Darknet Diaries [0] recently.<p>In the old days, I remember people going after short domains in the same manner. ICANN ended up adding locking (auth codes) - perhaps IG and other social sites can learn from it.<p>Be safe!<p>[0]<a href="https://darknetdiaries.com/episode/106/" rel="nofollow">https://darknetdiaries.com/episode/106/</a>
I'd auction and sell it and be done with the headache personally. It's likely one day your meta well will dry up and that will be it, years of back and forth to see the handle gone and promoting crypto eventually or some crap.
Have you tried reporting this to Meta’s security team and copying your state’s attorney general? Sounds like the CFAA would apply. You may not win, but making noise may help, and if it’s an insider they might be fired if Meta knows the legal apparatus is notified.<p><a href="https://en.wikipedia.org/wiki/Computer_Fraud_and_Abuse_Act" rel="nofollow">https://en.wikipedia.org/wiki/Computer_Fraud_and_Abuse_Act</a>
My account seems to have gotten hijacked too. Someone has (apparently) posted something that's against community standards in my profile, as a consequence of which FB has disabled my account and says if I don't appeal in 30 days, the account will be disabled.<p>The strange thing is when I try to appeal I get this page.<p>"Security check
To confirm your identity, we will text a confirmation code to your phone."<p>I select my phone number, and receive the right SMS, but it says<p>"Error Sending SMS
Could not send confirmation SMS. Please check the phone number and try again."<p>So I cannot actually enter the code.<p>I also have 2FA enabled and this doesn't seem to have been breached.<p>On deviced that are still logged in I see them telling me I have posted something that is in typical photos grid format, but they don't show me what the photos were. When I press the button to request review, it does nothing.<p><<a href="https://savolai.net/uncategorized-en/banned-from-facebook-and-instagram-screenshots/" rel="nofollow">https://savolai.net/uncategorized-en/banned-from-facebook-an...</a>>
I would look at your email forwarding filters. It's common to see compromises with this pattern where the email for your account was compromised and all the email is being forwarded to an attacker.
Meta just seems to be superhackable with the company not giving a shit these days.<p>There was another user here the other day who had their heavymetal community page hacked, and facebook's advice page was to "politely ask the new owner to let them back in" [1].<p>Absolutely ridiculous.<p>[1] <a href="https://news.ycombinator.com/item?id=29706571" rel="nofollow">https://news.ycombinator.com/item?id=29706571</a>
If you are using the nickname china and have registered it a lot of places, even if you are completely non political and in no way associated with the country China, I can imagine the existence of these accounts outside of the governments control is a risk the government will be willing to spend millions trying to get rid of.
I'm not sure you can fight that, at least not by yourself.
> My current theory is there is some employee at Meta that's ultimately stealing the account<p>This happens all the time, there is no recourse. Instagram employees are constantly taking usernames for themselves.
If your IG handle is the same as your HN handle, could it be some very motivated people from that country's bureaucracy looking to take that handle for the state?
> My current theory is there is some employee at Meta that's ultimately stealing the account.<p>This was my first thought given the e-mail address change. Someone e.g. bribing a support person.<p>My (uninformed) guess would be that given that you got the account back, this probably got escalated, someone looked at it, fixed it, and hopefully got the criminal support person's access disabled, until the next one gets bribed...
>China<p>You will be forever fucked, as big as Meta/Facebook/Instagram's exploit attack surface is. Microsoft/Office/Xbox is in a similar position as well.<p>early lucky adopters not employees will always have their accounts poached constantly on every common platform. eventually those who have the names paid for the 'rights,' or defend it communally.<p>yes, communally - it is a literal racket of cybergangters on every platform leveraging anything from social engineering your doxxed naive grandma into reading a private key to 0-daying your teamviewer to install a common keylogger.<p>bribing csr's is extremely common, as is sim-swapping (bribing att/verizon csr's), and there are a myriad of attack vectors in between<p>but of course 94% are just script kiddies using a "turbo"/api-spammer to take the username between other 3rd party transactions. it's a parasitic economy of bottom-feeders and iGangsters.
My insta account keeps getting reset password requests every week for years. I’ve had multiple people ask to buy it, then threaten to sue, etc<p>I’ve tried to contact meta/Instagram about 50 times and not once has anyone emailed me back<p>How is it this hard to get support? It’s a personal account and I still have it so I don’t really care that much but there must be a way to get a hold of someone isn’t there!?
<a href="https://www.nytimes.com/2021/12/13/technology/instagram-handle-metaverse.html" rel="nofollow">https://www.nytimes.com/2021/12/13/technology/instagram-hand...</a><p>Her Instagram Handle Was ‘Metaverse.’ Last Month, It Vanished.
Ok, so I had a similar situation. What it was is that I signed up for insta pre Facebook merger. Then I connected my Facebook account to insta. So my old username password combo were compromised because I re used them when I was a moron when I was younger. So someone gained access via the original Instagram password and username, changes my email. Then I would login via Facebook and have access at the same time. The different geo locations and unusual activity caused my account to be locked periodically. When they unlocked it I logged in quick, changed the email address and password on the account on the Instagram side and enabled 2 factor and haven't had an issue since.
What devices are you using the account on? If it's on a desktop browser, my assumption would be that you've got malware. That allows them to trivially steal the session cookies, steal the passwords the next time you log in, steal any device identification cookies that are used to control not using 2FA on logins from trusted devices / sending new device notifcations, and also hijack your recovery and notification email address.<p>If you're only using this via the app from a mobile device, then malware is an unlikely explanation though.<p>(Why are you regularly changing the password anyway? What's the threat model you're trying to guard against?)
Instagram is severly broken. I have never had an account on there and it has repeatedly happened that I was logged into some random stranger's account as I clicked on some Instagram weblink. I could read all their private conversations, message people in their name, mess with their settings. Their security is so badly broken, I wonder if they can be held criminally liable for it.
I had a two letter name which got hacked. I called in a favor from a friend of a friend at instagram/FB and got it back.. then it happened again and I didn't want to ask the favor again. IIRC they did not yet have 2FA even though I asked for it ( I was assuming it would happen again and it did. )
On top of all security measures, Meta, Google and other big tech that offer Auth-as-a-service need to offer paid service to reclaim an account. I am sure people would be happy to pay to talk to a real human and take back their account.
>@instagramz.com<p>ha....someone stole this domain or hijacked/spoofed an email chain in the password reset api. you should be honored.<p>>Last updated from Registry RDAP DB: 2021-12-28 06:35:41 UTC<p>it of course still resolves to instagram.
Someone at Facebook stealing your domain is quite an accusation. Assuming your domain was similar to your username/IG handle, wouldn't it be more likely to be people wanting your "china" domain for spam/malware/propaganda/etc?