Help! My Social Media has been hacked!

On a reasonably regular basis I get pinged with something that looks a bit like this:

I know you do security stuff with computers and my Twitter/Facebook/Instagram/etc has been hacked! It's posting all kinds of strange stuff that isn't from me. What do I do to stop this???

I'll usually ask what the person means by "hacked". The most common answer is wall, comment, or private messenger spam. Occasionally it's something more severe, like a full account takeover along with the follower base, especially for influencers and people with high follower counts. The bad guys like to use these accounts as sock-puppets for disinformation or for influencer scams.

I got a request like this recently from an Instagram user. I'm not as familiar with Instagram as other social platforms, so I asked my cybersecurity buddies on Twitter. This post assembles a collection of the advice I normally give, as well as their recommendations.

Looking for tips to help someone whose Instagram keeps "getting hacked" and posting content that isn't theirs.

I've suggested the normal stuff (connected apps and passwords) but am not super familiar w/ anything that might be IG specific.

Helps are appreciated ❤️ — cje (@caseyjohnellis) January 11, 2021

The recommendations are obviously Instagram-specific, but the principles are basically the same for any social media platform, and for most platforms for which you might have an account.

Here goes...

Step One: Kick 'em out

Remove all "authorized apps" from your account.

This is the most common way for an attacker to get what security geeks call "persistence". An authorized app is granted its own access token rather than using your password, so, depending on the platform, it can keep posting as you after you've changed that password. When folks complain that they've changed their password but the bad thing keeps happening, that's persistence, and malicious apps are often the reason why.

Here's where you can see Authorized Apps and delete them from your account.

When you've got an active attacker in your account, I recommend nuking everything that's there. This might break things like automated cross-posting tools, but those tools will notice you've broken the connection they have and tell you, and adding them back to your account is almost always very simple.

This is one I always recommend, and shout-out to @n0x00 for making the immediate suggestion when I pinged about this on Twitter.

Remove unknown active sessions (via Login Activity for Instagram).

When you log in to your account through a mobile app or via the web, it creates what is called a "session". The same thing applies for an attacker. Most social media platforms show you a list of the devices and locations your account is currently logged in from. This makes it easy to spot logins that stand out, and to kill them off.

How to check login location and active session history in Instagram.

Note that the alternate and safer approach here is, as with authorized apps, to nuke everything and just log back in.

Check connected accounts.

Instagram is tightly connected with Facebook, so you might want to do the same things for your Facebook account before proceeding on to Step Two... Thanks @Michael1026H1 for the suggestion there.

I think your Instagram is often directly linked to your Facebook account. So I'd make sure that's secure too, if they have one. — Michael Blake (@Michael1026H1) January 11, 2021

Step Two: Keep 'em out

Enable two-factor authentication (2FA).

As the name suggests, 2FA adds a "second factor" to your login - Something additional to your password. This means if someone steals or guesses your password you've got an extra line of defense at work, which is never a bad thing.

There's a lot of debate in security circles about the safety of SMS vs app-based 2FA (SMS codes can be redirected by SIM-swapping your phone number), but in general I recommend people install and use something like Duo, Authy, or a password manager with 2FA support because a) it's super easy to set up and use, and b) the presence of an app on your phone is a good reminder to set up 2FA on ALL of your accounts, not just the one you are fixing right now. Whichever you pick, save the backup codes the platform gives you somewhere safe (your password manager is fine) so that losing the phone doesn't lock you out. Thanks @yaelwrites for the quick-draw reply with instructions on how to set this up!

Check your recovery phone number and email address

If either of these were changed by the attacker, change it back. Again in the Instagram scenario, go through your Previous Emails and Previous Phone Numbers list and nuke anything which is unfamiliar. Instagram allows account recovery from previous email addresses, so an attacker can add one to use for persistence.

Change your password

Most people intuitively change their password as the first step, and sometimes this is all that's needed to kick an attacker out, but if the attacker has persistence in your account in other ways a password reset won't make much difference - They'll either bypass the password, or do a password reset themselves using the recovery email or phone number they added. That's why I tend to leave it until last.

Start using a password manager like 1Password, Keeper, LastPass, or Dashlane, and make a point to go through your other accounts and reset the passwords there too, starting with your email inbox, since whoever controls it can reset everything else.

Step Three: Don't let 'em back in

Here are some of the ways attackers get access to social media accounts:

  1. Passwords stolen from another website that you've re-used. Password re-use across accounts is one of the most common ways attackers get the ability to post from your account, but you shouldn't feel bad about it. Humans are bad at remembering lots of passwords, and everyone reuses to some extent - This is exactly why password managers exist.

  2. Malicious applications delivered via links or spam. This is super common on Facebook - You get or see an interesting link, click it, it asks you to give it access to your account, and BOOM they're in. Double check before you click stuff, and triple check before you "give access" to a website to your account - Read what permissions it is asking for, and be suspicious of anything that wants to post on your behalf.

  3. Password resets. If I can get access to your email, or an old phone number, I can perform a password reset on your account. This is why email account security is probably THE most important thing to be a bit paranoid about, even more so than the social media account itself... It's the keys to the castle.

So there you go... Hopefully that's helpful, and you or someone you know can get use out of it!

If I've missed things which are obvious, tweet me @caseyjohnellis or drop it in the comments below.

Other advice from the Twitter thought lords:

Delete it — pry // Ben Bidmead (@pry0cc) January 11, 2021

I'm not sure on this but maybe see if Instagram supports U2F keys? Not always a conventional approach but may be valuable depending on the profile — Rami (@drunkrhin0) January 11, 2021

Don't neglect host-level considerations as well. If you have a nasty keylogger running on your computer or phone, or even just something that can pull creds / sessions via DPAPI, all the app based stuff sort of goes out the window. 1/2 — Gabriel Ryan (@s0lst1c3) January 11, 2021

Have they checked their password recovery settings (recovery email, number, questions etc.)? Is two-factor authentication turned on? — spygmi (@spygmi) January 11, 2021

Flush those 3rd party integrations and walk back slowly — Yo Signals (@YoSignals) January 11, 2021