➡️ The Shortcut Skinny: Insert ‘Hackers’ joke

• 🙋 Users can recover their account by picking two friends to verify their identity

• 🥸 Hackers could game this new feature to lock down accounts

• 🧪 New hacking prevention tools are also being rolled out or tested

After months of testing, Instagram has expanded access to a key new hacked account recovery tool to its entire user base, per The Verge. It sounds super easy, too. Here’s how:

1. Visit Instagram.com/hacked 

2. Identify the reason you’re there (your account was hacked, you forgot your password, etc.)

3. Choose two friends who can confirm your identity to Instagram. 

4. Wait for your friends to verify you are who you say you are within 24 hours.

5. Create a new password

Prior to this, your other means to log in included receiving a login link via email or text message or verifying your identity with a “video selfie” which may or may not be reviewed by a human being (Instagram notes it does not use facial recognition, and the automated process merely confirms you’re a real person). 

This feature is similar to Apple’s trusted contact feature, which lets you add one or more trusted phone numbers to your AppleID, which can then be used to verify your identity if you can’t access your account – although that will no longer work, should you decide to activate the new Apple end-to-end encryption features.

Instagram’s implementation – choosing the trusted accounts after the fact – seems potentially problematic, however. Since many account hacking schemes involve getting control of one account, then phishing for others within that account’s follower pool, it seems possible that a hacker would need only three victims to take advantage of this system. This is speculation on my part, however. I’ve reached out to Instagram representatives for comment, and will update here when I know more.

An ounce of prevention

Instagram says it’s also testing out more ways to stop hackers in the first place, including automated account removal of malicious accounts and sending warnings when accounts suspected of impersonation send follow requests to users. The latter comes in the form of a card asking you to review the request before confirming, and shows the account it believes is being impersonated. 

Instagram has also updated where it shows its verified badging – before, you’d only see the badge if you visited an account that has one, but now it’ll be visible in both DMs and Stories, and the company says it’ll be visible in the Feed soon, as well.

Those are good steps, and if they work as intended, will hopefully drastically cut down on the number of accounts taken over, given that many so-called “hacks” are actually accomplished through social engineering methods designed to trick users into sharing their credentials.