

Watchdog revealed how some small business owners in the UK had been targeted by hackers on the social media platform Instagram, which is owned by Facebook. After taking over the businesses’ accounts, the hackers emailed the business owners to demand a response. If they were ignored, they threatened to delete the content and followers.

This is what Instagram’s owner Facebook told us:

“Businesses are an important part of our community and we take their safety and security seriously. We have technology in place to help stop accounts from being hacked and notify people if we see any unauthorised changes. We encourage everyone to create a strong password, enable two factor authentication and avoid using third party apps to help keep their account secure.”

How to keep your account safe

We asked cyber security expert Ken Munro for more information on how to keep your account safe. This is what he told us:

  1. Create a strong password - For the safest passwords, use a password manager app that makes a one-off password based on long, random strings of characters. These are often free for limited use, and can be found by searching the app store on your device. When you use a password manager, the app recognises the website you’re trying to access, and logs in for you. Don’t use the same password that you use somewhere else across multiple sites – if a password is breached by a security issue in one place, hackers can use that password to target you somewhere else. Length of password is the most effective thing to prevent it being hacked.

  2. Two-factor authentication – Instagram offers the option of using login codes from an authenticator app, or text message codes from your mobile phone. An authenticator app is very easy to use, and prompts you to use a second means of proving your identity when you log in. Some, for example, can use your phone camera. Two-step verification using an SMS text message is slightly less secure but is much better than nothing at all. For information on how to set this up, visit Instagram’s help page on two-factor authentication.

  3. Avoid using third-party apps – A third party app is an app that asks for access to your Instagram account to perform certain functions – for example, there may be an app that wants access so that it can print photos from your account. But if there’s a vulnerability in that app, it will have access to your Instagram account, which could be exploited. Generally it’s not a good idea to allow lots of third-party apps, and it’s best to be careful when deciding whether to allow access. You can review and revoke access to third party apps by following the process outlined on Instagram’s support pages.

What to do if your account has been hacked

If you believe someone else has access to your account, you can’t access it or you receive a message like those received by the business owners in our film, tell Instagram straight away, following the process outlined on its support pages.

Initially, you should receive an automated response, but Instagram says part of the account recovery process involves its security team asking you for a photo holding up a piece of paper including a code it has provided. This allows Instagram to verify your identity, and you will then receive specific instructions for account recovery sent to your secure email address.

If an Instagram or Facebook account is deleted, the content is usually only permanently removed after 30 days. This means that recovery of some or all of your data should be possible within the first 30 days after an account is hacked.

If you are being blackmailed, Instagram advises that this should be reported to the police or another law enforcement body.
