Everything started in the middle of the summer holidays, on a Thursday morning in August, when we received a mail from Instagram mentioning that one of our posts had been reported because of a Copyright issue. We clicked on the link, and then the chaos began!
We will tell you the whole story with total transparency, as if it was a case study, with the will to help other brands that may face the same scenario. According to our experience, it is fundamental to know every step in detail in case of a similar situation, to act in the smartest way possible. We are all vulnerable in the digital world, and the more information we have, the safer we will be.
Once again, thanks to each of you, the involvement of our community was key in solving the hack. It is an honor to have you close as ambassadors of change.
Here we will explain everything that happened in detail:
Beginning of the scam:
1. We received an email that seemed to be an official mail sent from Instagram, mentioning that one of our pictures had been reported because of a Copyright issue. This is the mail:
Because of the high level of daily workflow and of the enormous amount of mails we have to deal with every day, we did not suspect it at first.
The sender, message and design of the message seemed coherent, so nothing seemed suspicious.
After what we have been through, we can confirm that checking that the sender is the official contact is VITAL. Below you will find the list of the official mails Instagram uses to get in touch with the users.
The thing is, the mail looked like a real one. The content seemed pretty solid: somebody reported one of the posts because of a Copyright issue.
So, we proceeded to click on the button "Appeal as closcadesign". This is how it all started.
2. The button took us to a landing page, which showed a page very similar to the Instagram log-in webpage. We had three different forms to fill in: user, password, and a blank space for our comment on the issue. At this moment, we still thought this was a real page.
3. After this, we received a notification that a device located in Turkey had logged in to our account:
4. We clicked on the notification and reported that this was not one of our devices. We tried to change the password as we were still logged in, but at this exact moment, the device of our Community Manager logged out. And so did the other internal devices that were already connected.
5. The cybercriminal was now in total control of our Instagram account. He changed the email address, the password and phone number.
6. We tried logging in in different ways: from Facebook Business Manager, other apps linked to Instagram, from every device that once had access to the account. But there was no way to do it.
7. The cybercriminal uploaded an Instagram Story saying "This account is for sale. Contact dm.", and also added it to our bio:
8. We started to panic. We officially got hacked.
How we managed it internally:
1. We wrote to Instagram through the form we found on their webpage, and we also got in touch with Facebook via the chatbot of Facebook Business Manager. We got asked for documents proving the identity of the firm, as well as screenshots of what happened. We sent all of it.
2. We then started an e-mail exchange with Facebook/Instagram with an ID number. The process was very long and slow and every time a different person was replying to the mail.
We had the feeling we were talking to robots that did not care about the emergency of the situation at all:
3. We DM’d our own Instagram account, @closcadesign, to see if somebody would reply.
4. The cyber criminal got in touch with a colleague through his personal account:
5. He tried to blackmail us and asked for money in exchange for the account. He wanted $500: $250 now and $250 in Bitcoin after receiving access to the account.
6. He tried to put pressure on us by contacting some of our followers by DM and offering them the chance to buy the profile.
7. We then searched for information about it on the Internet and asked for help: everyone was telling us not to pay, not just for ethics, but also because the probability of not getting the account back was very high.
8. Afterwards, we made an official report to the police.
9. We kept exchanging e-mails with Facebook and Instagram to recover the profile, or to have it blocked/frozen to avoid the criminal posting on our account again.
10. What we did next was to take screenshots of the whole feed and of the number of followers, because we did not have any backup copy.
11. We decided to wait for 2-3 days for somebody to take action (FB, IG, the police). Nobody did it.
12. Nobody took immediate action to solve the problem.
How it was managed externally:
1. On Monday, 5 days after the attack, we decided to make it public through all of our channels: Newsletter, Blog, Twitter, Facebook, our corporate LinkedIn, the CEO's LinkedIn. We knew we couldn't just sit and watch, so we decided to be proactive and make a move.
2. We opened a new Instagram account in which we could mention the profile that was hacked, and we declared it official while we tried to solve the issue.
3. While communicating the fact, we also asked for the help of our community, to share the posts and to report the account to Instagram as hacked. We had two objectives:
a. To see if the friend of a friend knew somebody working for Facebook or Instagram that could help us, in a fast and effective way.
b. The other was to put pressure on Instagram and Facebook so that they could finally do something and prevent the cybercriminal from posting anything.
4. We received many messages of support, possible solutions and commitment. The truth is, the love and appreciation we received from our community made us believe that this nightmare could end soon.
5. Later, we got in touch with some companies specialized in this exact field and checked their price and services. These companies told us that it was important to get the ID number of our profile, in case the cybercriminal changed the user name, because otherwise it would have been more difficult to track. If you google you will find information on how to do it.
How we solved it:
1. 24 hours after making the attack public, we received an email in Turkish:
We suddenly contacted the Facebook team from our Facebook Ads account and replied to the e-mail exchange we had the days before with them. They said it was 100% real.
2. We clicked on the link and got redirected to a page where we had to put in a new password.
3. And finally, we got inside! We finally managed to enter our stolen account!
4. What we did next was to activate two-factor authentication, using an easy-to-access corporate phone number.
5. The two-factor authentication was verified.
6. Bingo! We got it, the nightmare was over, we finally had our profile back.
What helped us solve this problem?
The truth is, it was a matter of multiple factors.
On one hand, we spent 6 long days chatting with Instagram/Facebook to have the account blocked or restored.
On the other hand, we actively took action using the resources we had when we realized we could not just stare and watch, waiting for the slow reaction of Facebook, Instagram, and the police. We chose to be proactive and take action. For us, the action consisted of making our voice heard and telling what was happening to us.
Many times, brands decide to go through this process internally, as if it was our fault. We take full responsibility for not taking the necessary measures to prevent the attack, but the truth is, everyone, companies, people, we are all vulnerable to these attacks and we believe that telling it might be part of the solution.
In the public communication we posted on our Social Media, webpage, and mail, we mentioned Facebook and Instagram to put pressure on them.
Creating a new email address to be linked to the Instagram account was key: we tried getting our account restored through 5 different email addresses, but they were all linked to our social media. What made it so slow is that Facebook was only replying to our messages once a day, so we had to wait 24 hours every time.
In any case, the support offered by our community was vital: we got offered help, advice, solutions and heartwarming messages. The commitment of our team was crucial, as well as the coordination between departments and providers.
They have not stolen the product nor have they logged in to the bank accounts, but the consequences of the cyberattack were severe for us, although they were not irreversible. We were very lucky because the cybercriminal did not delete any post, so we recovered our profile as it was before. Many times we thought about what would have happened if the feed had been erased, as well as about all of the resources we would need to re-establish it.
We have worked on some data about the quantitative consequences of the hacking that we share here:
(The data compares information from 19/08 - 25/08 2021 and the same period last year):
Impact on website visits (Instagram is the social media that leads more traffic to the website):
Impact on social media:
New followers: 554
Why are we explaining this?
Because it is a reality that all companies and social media users have to face. We believe that by sharing our experience we can help other people to let them know this is a common practice.
We also think that our experience can help other brands that might be in a similar situation, so they know what to face or what options they have. In fact, this was one of the first things that we did: to look for information from other accounts that had been through similar situations.
After what we’ve been through, we suggest that you:
- Act quickly. Time is crucial when we’re talking about a cyber attack; you have to think fast in taking the opportune actions.
- Check the email address and phone numbers linked to the account periodically. In companies, it is usual for employees to rotate and sometimes this leads to old emails and phone numbers.
- Avoid having generic email addresses linked to every social network.
- Use a different email address and password for every social media account.
- Change the passwords every six months at least, creating random passwords with more than 8 characters, using letters, numbers, capital letters, and symbols. An example of a low-security password could be FBClosca_2021. There are many random password generators that you can find online.
- Save the login information in safe documents and check every profile that has access to it.
- Check every mobile device, user, and app connected to your social media.
- Also, check the official email address the social media companies use to get in touch with users. For example, the official email addresses used by Instagram are firstname.lastname@example.org and email@example.com. Instagram has a section where you can have a look at the official mails they sent you: Settings/ Security/ Emails.
- Train your staff on cyber security.
- Protect the published content by making backup copies periodically. You can do it directly through Instagram, there are many tutorials online.
- In the case of having your account hacked, send Facebook/Instagram a brand new email address, so that they can recover the account and link it to the new mail address that is not linked with any other Facebook or Instagram account. Instagram doesn’t do it, but they should suggest from the start to create an email address to recover the account. So, create one before getting in touch with them.
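
The password advice above, as an added example that is not part of the original post: the sample password FBClosca_2021 satisfies the length and character-class rule yet is built from guessable parts, while a password drawn from a cryptographic random source is not. The word list passed to `predictable_parts` and the symbol set are assumptions made for this illustration.

```python
import re
import secrets
import string

# Assumed symbol set for the illustration; all are in string.punctuation.
SYMBOLS = "!@#$%^&*()-_=+[]{}"
ALPHABET = string.ascii_letters + string.digits + SYMBOLS


def meets_composition(pw: str) -> bool:
    """The rule from the list: more than 8 chars, lower, upper, digit, symbol."""
    return (len(pw) > 8
            and any(c.islower() for c in pw)
            and any(c.isupper() for c in pw)
            and any(c.isdigit() for c in pw)
            and any(c in string.punctuation for c in pw))


def predictable_parts(pw: str, known_words: list[str]) -> list[str]:
    """Return guessable fragments: known words (brand, platform) and years."""
    found = [w for w in known_words if w.lower() in pw.lower()]
    found += re.findall(r"(?:19|20)\d{2}", pw)
    return found


def generate_password(length: int = 20) -> str:
    """Draw each character from a CSPRNG; retry until every class appears."""
    if length < 9:
        raise ValueError("length must be more than 8")
    while True:
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if meets_composition(pw):
            return pw


if __name__ == "__main__":
    weak = "FBClosca_2021"  # the low-security example given in the post
    words = ["fb", "closca"]  # hypothetical word list: platform tag and brand
    print(weak, meets_composition(weak), predictable_parts(weak, words))
    print(generate_password())
```
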
Internally, we learned a lot with this experience, such as:
- Do not stand still waiting for Facebook, Instagram, or the police to take action. You have to make a move, the sooner the better. Every hour counts.
- Have a ready-to-use contingency plan, so that the team has assigned roles, can coordinate the actions, and knows who to appeal to.
- It is important to invest in cybersecurity resources.
- Incorporate backup copies of social media into the media plan.
- Do not take for granted that this is something that could only happen to others; remember that we are all vulnerable to a cyber attack.
- It is surreal that in situations like this, Facebook or Instagram do not offer a direct phone number to call and solve the issue in a fast and effective way. It is vital to have a contact working inside in this kind of situation. Could be through an agency, the Ads manager, networking, etc.
- Look for information and professional help.
If you have any doubts or need advice on a particular situation, do not hesitate to get in touch with us and we will be happy to help you. Sharing is caring :)