As the COVID-19 pandemic sent people onto social media platforms more than ever before, experts are warning users to be vigilant about the ever-present risk of social media hackers. 

Cybercrime affects hundreds of millions of people worldwide. According to a cybersafety report by antivirus developer NortonLifeLock, 330 million people in 10 countries experienced some form of cybercrime in 2021.

ZeroFox, a cyber security company, reported a 95 per cent increase in threat activity in the first six months of 2020 compared to the last six months of 2019.

Ginny Stammers, 23, a mental health and addictions counsellor from Peterborough, Ont., had her Instagram account hacked in August 2021. Almost immediately afterwards, she said hackers changed her account name, her password, and her profile picture to something that resembled a gaming profile. 

“I looked up the [new] username and they had scammed a bunch of people, because their accounts had been changed to the picture and user name as well,” she said. 

Stammers was unable to regain access to her account following the attack. 

“I tried to email Instagram and went through this whole process to verify my identity, but they never reinstated it or got back to me. My account was officially locked and deleted after the scammer hacked it, because they changed all the passwords and then deactivated it,” she said.

Stammers said the experience was more upsetting than she expected. 

“I was surprised at how sad I was, actually,” she said.

“I think mainly because of all the pictures on it and how I had the account since I was like 14. I was also upset that all the connections I had made on the account would be gone.” 

“I still can’t remember everyone I had on the old account.”

Jack Lawlor, 20, a Carleton University student, had his Instagram hacked in early February. 

“I have sent many messages and have had conversations with hundreds of people through Instagram, which this hacker now has access to.”

Jack Lawlor, Carleton University student

It happened at 3 a.m. one day. Lawlor says he got three notifications saying that someone had logged into his account from a different city, activated two-factor authentication, and then changed his linked email, phone number, and password.

“I attempted to follow the support instructions and tips given by the company’s website, but there was no information for accounts where an email and phone number got changed,” said Lawlor.

After his account was infiltrated, he said it was then used to promote a fake Bitcoin website designed to steal someone’s cryptocurrency or credit card information.

Lawlor said he does not think that he will ever get access to his account again, and while he is not very concerned about losing that part of his social media presence, he is worried about other parts of his private life being accessed by strangers.

“I have sent many messages and have had conversations with hundreds of people through Instagram, which this hacker now has access to. I have typed personal stories, feelings, and even passwords to my closest friends and family, which could now potentially be released to everyone on the internet,” he said.

“This person has control over my entire online personality with the ability to contact my friends and followers. The person has already sent messages to all my contacts attempting to get their personal information, which makes me feel vulnerable and helpless when trying to warn them that this message is not me.”

In 2021, Instagram reported it had more than two billion monthly users, a new milestone for the app. However, as people continue to flock to the platform, it has created the perfect storm for social media hackers.

Jake Adelson is a senior operator of offensive security at EY (formerly Ernst & Young). He’s what is sometimes referred to as a white hat hacker;  he makes a living hacking into various corporate systems.

Adelson said there are four main ways to infiltrate social media accounts. Exploiting a user’s reused passwords is by far the most popular.

“This commonly happens if a different site, let’s say Netflix, could be attacked, and your credentials are leaked. From there, the attackers that broke into Netflix, in this case, will release all those credentials open to the internet and usually try to sell them in batches,” he said.

“People then buy those databases and attempt to use those credentials to log into the top 100 most popular sites, checking to see where those credentials are actually valid.”

Adelson said password theft through untrusted devices, such as public computers or computers infected with malware, is likely the second most common method of social media infiltration.

There are a few ways for users to prevent their accounts from being breached. Instagram provides some defensive strategies for users, such as two-factor authentication. Not logging into untrusted computers and using a wide variety of passwords are other ways to prevent social media hacks.

A mass Instagram security breach is also a possible way for an account to be hacked, such as the incident that occurred this past April, where information from 530 million Facebook users was made publicly available in an unsecured database.

A technique called phishing or social engineering is the fourth most popular method of gaining access to a person’s social media profiles, said Adelson.

“The way people get in, it would just be someone sending you an email pretending to be from Instagram, sending you a link to a site that looks like Instagram, and then having you login and stealing your information,” he said.

This can be an easy method for hackers to make money off of the infiltrated accounts too, as hacked accounts often promote fake websites such as Bitcoin or OnlyFans to trick the victim’s followers into giving their credit card information.

Impersonating others on Instagram is another common trend that can lead to an easy payout for cyber criminals.

“I felt violated and a little out of control.”

Carlie Lorentz, marketing executive

Carlie Lorentz, 22, a marketing executive in Toronto, was a victim of this deceptive tactic. 

On Aug. 27, 2021, Lorentz found out there was a fake account that was impersonating her by using her name and photos. 

“I got a call from a friend saying that someone had created an Instagram account impersonating me. I immediately checked my phone and saw that I had 20 plus messages from people, including those that I worked with, about the account.”

At first, Lorentz said she was slightly flattered by the fake account. However, the situation evolved into something much more alarming when she discovered the account was using photos of Lorentz to advertise an OnlyFans paid subscription account that was pretending to feature sexually explicit content of her.  

She said colleagues from work, as well as people she barely knew, started messaging her asking if she created this account. 

“As more messages came through from people the account tried to follow, I was getting more and more freaked out.”

“It really made me hope that others didn’t actually believe that it was me,” she said.

“I felt violated and a little out of control.”

After discovering the account, Lorentz asked her followers to report the account, and after about four hours Instagram took the account down. 

Adelson said that these types of fake accounts are incredibly easy to create, which is why they are so common.

“[Hackers will] just have a script that goes through a bunch of Instagram accounts and finds accounts meeting a certain criteria. Let’s say it’s a girl’s account, then it would take all of her images, find all the people she follows, all the people who follow her, and then make an account that looks like hers,” he said.

If the impersonating account is believed to be associated with the actual person, then it is more likely to be trusted by their followers. People may be more likely to give money to an OnlyFans or crypto account if they believe they know the person running it.

Other hackers may use this same logic to promote fake news. On March 22, 2021, Meta, Instagram’s parent company, announced it took down 1.3 billion fake accounts on their social media platforms between October and December 2020 to tackle the spread of misinformation. 

“Let’s say some nation state wants to post a bunch of fake news; they could gain access to a large amount of social media accounts and then just have all those accounts repost their fake information that a lot of people would see,” said Adelson.

“If trusted people like friends and family are retweeting or sharing this information, people will be more inclined to believe it.”

Other possible motivations could be ransomware or blackmail-based attacks because of how easily monetizable those methods of extortion are.

“It made me realize that things like ‘likes’ are made up and don’t matter in the real world. It also made me realize that I wasn’t following people on my old Instagram whose content I wanted to see.”

Ginny Stammers, mental health and addictions counsellor

Although having your Instagram hacked or impersonated can be disheartening, Stammers believes if you look hard enough you can find a silver lining. 

“It made me realize that things like ‘likes’ are made up and don’t matter in the real world. It also made me realize that I wasn’t following people on my old Instagram whose content I wanted to see. I follow a lot of fat-positive, Black, and Indigenous creators now, so that has been a really nice change.”

“I am sad for folks when it happens to them, but also hope they realize it’s an opportunity to start fresh on social media like it was for me.”