On a reasonably regular basis I get pinged with something that looks a bit like this:
I know you do security stuff with computers and my Twitter/Facebook/Instagram/etc has been hacked! It's posting all kinds of strange stuff that isn't from me. What do I do to stop this???
I'll usually ask what the person means by "hacked". The most common answer is wall, comment, or private messenger spam. Occasionally it's something more severe, like account and follower takeover, especially for influencers and people with high follower counts. The bad guys like to use these accounts as sock puppets for disinformation or influencer scams.
I got a request like this recently from an Instagram user. I'm not as familiar with Instagram as other social platforms, so I asked my cybersecurity buddies on Twitter. This post assembles a collection of the advice I normally give, as well as their recommendations.
The recommendations are obviously Instagram-specific, but the principles are basically the same for any social media platform, and for most other services where you hold an account.
Step One: Kick 'em out
Remove all "authorized apps" from your account.
This is the most common way for an attacker to get what security geeks call "persistence". An authorized app holds its own access token, which keeps working after you change your password. When folks complain that they've changed their password but the bad thing keeps happening, that's persistence, and malicious apps are often the reason why.
When you've got an active attacker in your account, I recommend nuking everything that's there. This might break things like automated cross-posting tools, but those tools will notice you've broken their connection and tell you, and adding them back to your account is almost always very simple.
This is one I always recommend, and shout-out to @n0x00 for making the immediate suggestion when I pinged about this on Twitter.
Remove unknown active sessions (via Login Activity for Instagram).
When you log in to your account through a mobile app or via the web, it creates what is called a "session". The same thing applies for an attacker. Most social media platforms have a list which shows locations that your account has been logged into from. This makes it easy to see logins that stand out, and for you to kill them off.
Note that the alternative, safer approach here is, as with authorized apps, to nuke every session and just log back in.
Check connected accounts.
Instagram is tightly connected with Facebook, so you might want to do the same things for your Facebook account before proceeding on to Step Two... Thanks @Michael1026H1 for the suggestion there.
Step Two: Keep 'em out
Enable two-factor authentication (2FA).
As the name suggests, 2FA adds a "second factor" to your login - Something additional to your password. This means if someone steals or guesses your password you've got an extra line of defense at work, which is never a bad thing.
There's a lot of debate in security circles about the safety of SMS vs app-based 2FA. SMS codes can be intercepted by an attacker who convinces your carrier to move your number to their SIM, while an authenticator app generates codes on your phone from a shared secret and the current time, so there's nothing in transit to steal. In general I recommend people install and use something like Duo, Authy, or a password manager with 2FA support because a) it's super easy to set up and use, and b) the presence of an app on your phone is a good reminder to set up 2FA on ALL of your accounts, not just the one you are fixing right now. Thanks @yaelwrites for the quick-draw reply with instructions on how to set this up!
Check your recovery phone number and email address
If either of these were changed by the attacker, change it back. Again in the Instagram scenario, go through your Previous Emails and Previous Phone Numbers list and nuke anything which is unfamiliar. Instagram allows account recovery from previous email addresses, so an attacker can add one to use for persistence.
Change your password
Most people intuitively change their password as the first step, and sometimes this is all that's needed to kick an attacker out, but if the attacker has persistence in your account in other ways a password reset won't make much difference - they'll either bypass the password, or do a password reset themselves. That's why I tend to leave it until last.
Step Three: Don't let 'em back in
Here are some of the ways attackers get access to social media accounts:
- Passwords stolen from another website that you've re-used. Password re-use across accounts is one of the most common ways attackers get control to post from your account, but you shouldn't feel bad about it. Humans are bad at remembering lots of passwords, and everyone reuses to some extent - This is exactly why password managers exist.
- Malicious applications delivered via links or spam. This is super common on Facebook - you get or see an interesting link, click it, it asks you to give it access to your account, and BOOM they're in. Double check before you click stuff, and triple check before you "give access" to your account to a website or app.
- Password resets. If I can get access to your email, or an old phone number, I can perform a password reset on your account. This is why email account security is probably THE most important thing to be a bit paranoid about, even more so than the social media account itself... It's the keys to the castle.
So there you go... Hopefully that's helpful, and you or someone you know can get use out of it!
If I've missed things which are obvious, tweet me @caseyjohnellis or drop it in the comments below.