Hackers Stole My Instagram Username and Facebook Doesn’t Care

On July 20th, my username got stolen from me on Instagram. Since then, I exchanged a number of emails with Facebook Advertiser Support, talking to a real person, but that has lead nowhere so far.

Here’s the long story:

I’m one of the old users on Instagram. When I was creating an account in 2010 I managed to score a 3 character username, @mxl, to match my online nickname at that time, and I used that username ever since.

I received requests from random people from time to time over the years requesting my username — requests that I declined. Last year, I started to receive regular password reset emails, sometimes several of them in a single day. I enabled two-factor authentication and changed my password.

Two-factor didn’t work for me in the long run as it ended up being inconvenient when you have multiple devices and Instagram accounts for different businesses — especially when you travel and your main phone does not have reception in the country you are in. Also, you can only two-factor auth on one account per phone number.

Emails kept coming over 2017 and 2018. I kind of got used to receiving them. Sometimes Instagram would offer an option of only allowing password reset emails from devices I logged in from before, which I used a couple of times. But this limitation only lasts for about a month.

On July 20th, 2018, the hackers finally succeeded.

I found out about it about an hour later when I wanted to check something on my phone and found myself logged out from Instagram. My password didn’t work. I opened Instagram from my laptop to see what was going on and saw this:

I was scared that my whole account had just been wiped out.

It was as if the hackers just knew my password, logged in from a new location, changed my username few times, and took over my original username. There was no hack of my email, as Gmail usually notifies me every time there was a login from new locations or devices.

I managed to find a chain on emails in my spam folder notifying me about username change. There was about 4 of them, but this was the first one:

Clicking on the “revert this change” link didn’t work, it just reverted me back to the one above, since the @mxl username was taken by this time.

What was more annoying is that the hacker also went to tease me in comments under my photos and his account stories bragging about the hack. At least I knew who was responsible.

I was angry, but I thought no big deal — I’ll just get in touch with support and get my username back.

How naive…

The first problem is that, as most of you probably know, it is very hard to find any help or real human contact for services like Facebook, Instagram, or YouTube. All you’ll find are FAQs and automated replies, which don’t really work well for these cases.

There is a guide online on how to get help within Instagram. You request support and Instagram sends you an email with a code to confirm your identity. Then you wait… and then they tell you they are not dealing with this kind of issue at all.

A friend of mine who used to work for Facebook suggested that I try the company’s Advertiser Support, which is hidden away. If you’ve bought ads on Facebook at least once, then you’re eligible for this kind of support. This was the first time I managed to speak to a real human.

A lady named Teresa was very helpful, listened to my issue, confirmed my identity, business registration and proceeded to escalate the matter to the technical team. I sent her screenshots of password reset emails, username change emails, the hackers comments, and Instagram story bragging. I thought all that would contribute to my case being resolved — a real human was involved, after all.

The first thing Instagram’s internal team “found out” was that there was no hack. Of course it can’t be them at fault, only the user. But, I might agree with them on this. It might have been free Wi-Fi at the airport in Doha where I spent 8 hours prior to the hack on 13th July. This is the only explanation I’ve come up with regarding the hacker’s easy access to my account. However, the latest password reset emails are dated 18th July, so they still kept trying.

And then I get the final response that…

“The internal team reverted and advised that due to some recent policy updates, unfortunately we will no longer be able to assign username requests that are less than 3 characters.”

To which I tried to reason that I’m not asking them to give me some random username just because I’d like to have it. I was asking for help retrieving a username that I had used for 8 years and spent money with on their service. Plus it was not less than 3 characters.

I waited for another week before reopening chat via Advertiser Support on Facebook. This time I spoke to Chase. We found my support case number and he again recited the new policy to me:

“…since the new Policy on the Naming convention it can’t be returned and used anymore as the IG Team has suggested. Those users who have theirs set as less than 3 characters are still fine and can continue to use. However, any further request to claim or to change is not possible.”

I objected that it was still okay for hackers to grab my username and use it about 2 weeks ago — the “new policy” didn’t stop them from doing so. How come it stops me from getting it back via a legitimate channel of support?

I saw stories on YouTube of how people managed to get their 3 letter usernames with someone from Instagram coming to rescue and resolving the problem, but it seems like unless you are famous it takes a lot of effort to get the help you need.

So far I received excuse after excuse and mentions of a new policy, but no actual help. It would be fair to say that people I talk to were very helpful (thank you Teresa and Chase), but sadly they are not the one making decisions or capable of helping in any way to resolve this.

While initially talking to Teresa and everything seemed like it was going to be resolved, I also put in a simultaneous request regarding claiming a 9-character username to use with my business account, after we get the original 3 letter one back. The username matches my website and twitter account and is not used by anyone, but for some reason is not available for taking on Instagram. I was planning to switch my three letter one to a personal account and dedicate the second one to business.

Once it started to become clear that I wouldn’t get my 3 character username back, I asked if I could have that 9 character username instead… and thus began a new circle of hell. First it was denied for the reason that I wasn’t planning to use it for business and they only process business requests, even though I said that I was planning to use it for business. Then I got asked to send my business registration again and after a couple more emails, my request got rejected. Again.

And the follow-up…

I guess I hit a dead end. After a month of trying, I don’t even care about the old username as much — now I’m just pissed at how Instagram handled this situation. No solution, no other options, just plain rejection.

The final interaction happened today.

There you go people: Facebook officially doesn’t care if you get hacked. Not that it’s a surprise to anyone, but I honestly hoped it wouldn’t be this bad. But it what it is…


About the author: Max Lemesh is a commercial photographer based in Auckland, New Zealand. The opinions expressed in this article are solely those of the author. Lemesh specializes in high-end event, party and live music photography, but also enjoy photographing portraits, fashion and food. You can find his work on his website, Facebook, and Twitter.


Image credits: Header illustration based on photo by B_A / 32 images

Discussion