On a reasonably regular basis I get pinged with something that looks a bit like this:

I know you do security stuff with computers and my Twitter/Facebook/Instagram/etc has been hacked! It's posting all kinds of strange stuff that isn't from me. What do I do to stop this???

I'll usually ask what the person means by "hacked". The most common answer is wall, comment, or private messenger spam. Occasionally something more severe like account and follower takeover, especially for influencers and people with high follower counts - The bad guys like to use these as sock-puppets for disinformation or influencer scams.

I got a request like this recently from an Instagram user. I'm not as familiar with Instagram as other social platforms, so I asked my cybersecurity buddies on Twitter. This post assembles a collection of the advice I normally give, as well as their recommendations.

The recommendations are obviously Instagram-specific, but the principles are basically the same for any social media platform, and for most platforms for which you might have an account.

Here goes...

Step One: Kick 'em out

Remove all "authorized apps" from your account.

This is the most common way for an attacker to get what security geeks call "persistence". When folks complain that they've changed their password but the bad thing keeps happening, that's persistence, and malicious apps are often the reason why.

More Control Over the Data You Share with Third-Party Apps on Instagram – Instagram
It’s essential that we protect the data people share with us. We also want to give people more control over the data they share with other apps and services. So today, we’re introducing new in-app features to help you better control the data you share with third-parties through Instagram. Third-part…
Here's where you can see Authorized Apps and delete them from your account.

When you've got an active attacker in your account, I recommend nuking everything that's there. This might break things like automated cross-posting tools, but those tools will notice you've broken the connection they have and tell you, and adding them back to your account is almost always very simple.

This is one I always recommend, and shout-out to @n0x00 for making the immediate suggestion when I pinged about this on Twitter.

Remove unknown active sessions (via Login Activity for Instagram).

When you log in to your account through a mobile app or via the web, it creates what is called a "session". The same thing applies for an attacker. Most social media platforms have a list which shows locations that your account has been logged into from. This makes it easy to see logins that stand out, and for you to kill them off.

How to check your Instagram login history IP addresses? And more on what Facebook stores about you.
Recently I had the suspicion of someone logging in one of my Instagram profiles and I was really curious about who is the ‘hacker’. Thankfully the social network provides a history page, with all the…
How to check login location and active session history in Instagram.

Note that the alternate and safer approach here is, as with authorized apps, to nuke everything and just log back in.

Check connected accounts.

Instagram is tightly connected with Facebook, so you might want to do the same things for your Facebook account before proceeding on to Step Two... Thanks @Michael1026H1 for the suggestion there.

Step Two: Keep 'em out

Enable two-factor authentication (2FA).

As the name suggests, 2FA adds a "second factor" to your login - Something additional to your password. This means if someone steals or guesses your password you've got an extra line of defense at work, which is never a bad thing.

Wat is tweestapsverificatie? Hoe gebruik ik deze functie op Instagram? | Instagram-helpcentrum
Als je tweestapsverificatie op Instagram instelt, wordt er aan je gevraagd een speciale aanmeldcode in te voeren of je aanmeldpoging te bevestigen telkens wanneer iemand toegang probeert te krijgen tot Instagram vanaf een onbekend mobiel apparaat.
How to add two-factor authentication to your Instagram account.

There's a lot of debate in security circles about the safety of SMS vs app-based 2FA, but in general I recommend people install and use something like Duo, Authy, or a password manager with 2FA support because a) it's super easy to set up and use, and b) the presence of an app on your phone is a good reminder to set up 2FA on ALL of your accounts, not just the one you are fixing right now. Thanks @yaelwrites for the quick-draw reply with instructions on how to set this up!

Check your recovery phone number and email address

If either of these were changed by the attacker, change it back. Again in the Instagram scenario, go through your Previous Emails and Previous Phone Numbers list and nuke anything which is unfamiliar. Instagram allows account recovery from previous email addresses, so an attacker can add one to use for persistence.

How to Change Phone Number on Instagram - SociallyPro
Instagram allows you to change your phone number with ease. It is one of the best social media apps for business and personal use. We are using it in our daily routine so it’s better to stay safe by adding or updating our contact number there.The IG

Change your password

Most people intuitively change their password this as the first step and sometimes this is all that's needed to kick an attacker out, but if the attacker has persistence in your account in other ways a password reset won't make much difference - They'll either bypass the password, or do a password reset themselves. That's why I tend to leave it until last.

Hoe wijzig ik mijn wachtwoord op Instagram? | Instagram-helpcentrum
Als je bent afgemeld bij je Instagram-account en je je wachtwoord niet meer kunt herinneren, kun je aanvragen het opnieuw in te stellen. Als je je huidige wachtwoord weet, kun je het wijzigen door naar je profiel te gaan.
How to reset your Instagram password.

Start using a password manager like 1Password, Keeper, Lastpass, or Dashlane, and make a point to go through other accounts like your email inbox and reset the password there.

Step Three: Don't let 'em back in

Here are some of the ways attackers get access to social media accounts:

  1. Passwords stolen from another website that you've re-used. Password re-use across accounts is one of the most common ways attackers get control to post from your account, but you shouldn't feel bad about it. Humans are bad at remembering lots of passwords, and everyone reuses to some extent - This is exactly why password managers exist.
  2. Malicious applications delivered via links or spam. This is super common on Facebook - You get or see an interesting link, click it, it asked you to give it access to your account, and BOOM they're in. Double check before you click stuff, and triple check before you "give access" to a website to your account.
  3. Password resets. If I can get access to your email, or an old phone number, I can perform a password reset on your account. This is why email account security is probably THE most important thing to be a bit paranoid about, even more so than the social media account itself... It's the keys to the castle.

So there you go... Hopefully that's helpful, and you or someone you know can get use out of it!

If I've missed things which are obvious, tweet me @caseyjohnellis or drop it in the comments below.

Other advice from the Twitter thought lords:

Not always a great option, but it would solve the problem :P
U2F keys are highly secure and very handy if they are an option.
Checking for malware with a decent anti-virus doesn't hurt.
Good callout re password recovery options covered above.
Connected apps: The grand-daddy of all social media take-overs.