392: How Pinch of Yum’s 1.1 Million Follower Instagram Account Got Hacked (and Recovered!)

Listen to this episode of The Food Blogger Pro Podcast using the player above or check it out on Apple Podcasts, Google Podcasts, or Spotify.

A phone opened to the Instagram login page and the title of Bjork Ostrom's episode on the Food Blogger Pro Podcast, 'Hacked Instagram Account.'

This episode is sponsored by Clariti.


Welcome to episode 392 of The Food Blogger Pro Podcast! This week on the podcast, Bjork explains how the Pinch of Yum Instagram account got hacked and eventually recovered.

Last week on the podcast, Bjork chatted with Sally Ekus from The Ekus Group about what the cookbook publishing process looks like. To go back and listen to that episode, click here.

Pinch of Yum’s Hacked Instagram Account

Last month, Bjork and Lindsay went through something we all fear as content creators: they completely lost access to the Pinch of Yum Instagram account after Lindsay’s Facebook account got hacked. Talk about a scary situation!

They were eventually able to get the accounts recovered, but they went through a few very stressful days trying to get everything sorted out. In this episode, Bjork shares the entire story of how this happened, how they were able to recover the accounts, and what measures they’re taking to prevent this from happening in the future.

Last but not least, Bjork also provides some tips for how you can secure your own social media accounts to hopefully avoid a situation like this.

A quote from Bjork Ostrom's appearance on the Food Blogger Pro podcast that says, 'If this does happen to you... the best thing that we found was finding somebody at Meta to help you through the process.'

In this episode, you’ll learn:

  • How Lindsay’s Facebook and Instagram accounts got hacked
  • How two-factor authentication works
  • How they were able to get the accounts recovered
  • Tips for securing your own social media accounts
  • How phishing works


About This Week’s Sponsor

We’re excited to announce that this week’s episode is sponsored by our sister site, Clariti!

With Clariti, you can easily organize your blog content for maximum growth. Create campaigns to add alt text to your posts, fix broken images, remove any broken links, and more, all within the Clariti app.

Sign up for the Clariti waitlist today to receive:

  • Access to their limited-time $45 Forever pricing
  • 50% off your first month
  • Optimization ideas for your site content
  • An invitation to join their exclusive Slack community
  • And more!

You can learn more and sign up here.

If you have any comments, questions, or suggestions for interviews, be sure to email them to [email protected].

Transcript:

Bjork Ostrom: This episode is sponsored by Clariti, that’s C-L-A-R-I-T-I.com. And I’m going to give you a really specific example of how you can use Clariti if you sign up today and that is post- or page-specific tracking of changes that you’re making. And you can use the notes area within Clariti to make a note anytime that you make a change. An example of when you’d want to do this, let’s say that you’re switching over some of your YouTube videos to be AdThrive or Mediavine video players. You want to make sure that you’re tracking to see when you look back three months later, the change or the impact that that had.

And personally, what we’ve noticed as we’ve worked on content is you forget. If you don’t have a system, if you’re not making a note of that somewhere, you’ll forget. And so within Clariti, there’s the ability to leave a note anytime that you’re making a change or improvement on a piece of content to allow you to go back and see how that change impacted things. There’s lots of other ways that you can use Clariti, but I thought it’d be helpful just to give a really specific example. If you want to see what those other ways are, you can go to clariti.com/food to get 50% off your first month. Again, that’s C-L-A-R-I-T-I.com/food to get 50% off of your first month. You can start taking notes on the changes you’re making and explore all the other features. Thanks to Clariti for sponsoring this episode.

Hey there, this is Bjork. You are listening to the Food Blogger Pro podcast. We’ve done this for years and years, and the hope for this podcast is that we are putting out information that’s helpful for you as a creator in the world to go out and create better. To build a stronger business, to have a bigger impact, to connect with more people, to find more joy and satisfaction in what you do. And usually we do that by interviewing experts or other creators or people in a certain field who have a deep area of expertise and knowledge around a certain thing. Occasionally, we’ll do what we call a solo episode, which is just me turning the mic on and talking in an empty room.

And today we’re going to do one of those solo episodes. It’s going to be a little bit shorter, but the reason I want to do it is because I thought it might be helpful because I’m going to be talking about our Facebook account getting hacked. Specifically, it was Lindsay’s personal Facebook account. And for those who aren’t familiar with our story, so my wife Lindsay has a blog called Pinch of Yum. Pinch of Yum is a food and recipe site, and that’s kind of the… When we talk about things on Food Blogger Pro, it’s all through the lens of actually doing it day-to-day. So we have experience doing it, we also talk about what it’s like to do it behind the scenes.

And in a situation like this where it’s really practical and actionable information because it’s something that happened to us, it might happen to you, and so we wanted to have a conversation around some things you can be thinking about and what we learned throughout the process of Lindsay’s Facebook account getting hacked. Now, it was more than just Facebook. What happened was we woke up one morning, Lindsay mentioned getting an email in the middle of the night or a notification around an attempt to log in so we decided to look into it. We didn’t recognize the location. A lot of times it says where the location was. I think it said somewhere in Georgia or something like that and we didn’t recognize it.

And so we’re like… Shoot, it was Georgia and then it was a different country. So there’s two different instances of where people were trying to log in. And so we decided to look into it. We logged into Lindsay’s Facebook and it was like, “Hey, sorry you’ve been suspended.” These aren’t official notifications of what it actually said, but we were like, “Shoot, that’s not good.” And it said something around violating guidelines, like violating the publishing guidelines. What we later came to find out was the account had been hacked and these people had posted content that violated guidelines, it was illicit in some way. And so Facebook said, “You know what? We got to take this down.”

Now, here’s the kicker, the Facebook account and the Pinch of Yum Instagram account were connected. And so what happened was Meta as you know, all of those kind of roll up into Meta, WhatsApp, Facebook, Instagram, they all roll up into Meta. And because it saw those accounts were connected, it also took down Pinch of Yum’s Instagram. So it was like, “Shoot, this isn’t good.” We went through the process of trying to restore it by uploading an ID which validates information and who you are, and we had an email back from Facebook that said, this was maybe a few hours after we submitted it, “Hey, we reviewed your information, we can’t accept it. Your account has been closed, this decision is final.” It was like, “Oh, no. Oh, no. Oh, no. Oh, no, no, no, no, no.”

Days and days and days of us trying to figure this out and sort through it, and my guess is for some people this might be just interesting to hear about, but my hope is that what will happen is inevitably this will happen to somebody else down the line or hopefully it doesn’t happen to you because of some of the things that we’ll talk about, but inevitably it will happen to somebody else and hopefully some of the things that we learned throughout the process will help you. So, I think when we look at it, we think what happened was there was a really old email address connected to the Facebook account, Lindsay’s Facebook account, and I think what they did was they were able to get access to that really old outdated email like 12 years ago email address because we had two-factor authentication turned on.

So for those of you who don’t have two factor on, make sure that you turn on two-factor authentication. Essentially what that means is two factor is anytime that somebody tries to log in to your account, even if they have the username and password, they also need to have the two-factor information, which would be like a text message sent to your phone, maybe it’s using an app like Authy or Google Authenticator where it refreshes a new code every 30 seconds or 60 seconds and then you use that code, but it’s an additional layer of security.

And in this case, I don’t know how they were able to get in with two-factor turned on, it’s a mystery still. But if you don’t have it turned on, make sure that you do turn it on because that’s a really important layer of security that you can add to your account. So, we think that’s what happened. We don’t know for sure, but what we do know is we weren’t able to access Facebook, we weren’t able to access Instagram and the accounts were just down. Now, for a personal Facebook account, that wasn’t a huge deal, but for a business Instagram account, that was a big deal. I think Lindsay on Pinch of Yum it’s 1.1 million followers.

There was an upcoming sponsor content thing that was happening so it was, as you can imagine, kind of stressful to navigate it. And we tried a few different avenues and the one that ended up working, and it sounds crazy, but it’s to find somebody at Meta, so at Facebook, at Instagram. And what we learned is there’s this process that Meta employees can go through. It sounds like there’s maybe somebody from Meta who’s listening to this and is like, “Yeah, I know what it is and that’s not the right way to say it,” but this is my interpretation of it.

It’s like an internal report or an internal submission that somebody can make on your behalf that says, “Hey, I know this person and I can vouch for them and I can say that they are who they say they are, and their account should be unlocked. It wasn’t them hacking, it wasn’t them posting content that violates guidelines. So you can put their account back in good standing and go through the process of setting a new password and things like that.” And that comes from an email. And what we learned is when you’re going through this internal report, use a new email address.

So, they’ll set up a new email address with your account, they’ll send you information to that new email address to go through the process of resetting your account, getting it back in good standing. And after that, it’ll go through kind of their Facebook’s security check and they’ll say, “Hey, within the last three days,” I don’t know what the actual timeline is, “Within the last three days we saw you posted these things. Was that you?” “No.” “Okay. And we saw that you made these comments or messages, was that you?” “No.” “Yes.” And you can go through the process of removing any of the content that had been added.

So, the key takeaway here is if this does happen to you, so this would be kind of reactive response not proactive, which we’re going to talk about or listen a little bit, but reactive response, this happens to you, what do you do? The best thing that we found was finding somebody at Meta to help you through the process. Now, how do you do that? One of the things that we did was Lindsay has a personal Instagram account. She doesn’t post to it a lot, but she just posted a little update there and said, “Hey, this is what’s happening. Is there anybody here who’s from Meta that could help?” So that would be one potential avenue.

If you have another social platform, personal or business related to post there and see if anybody who does follow you works at Meta could help, could reach out and could walk you through this process of submitting an internal report. You could send an email update, you could post a blog update on your blog, whatever it is. If you don’t know somebody who works there personally, I think you go to the next ring out, which would be your followers or maybe friends of friends doing whatever you can to connect with somebody who can hopefully help you through the process of doing this.

Now, we’ve had a few people reach out who have actually been going through the same thing and they’re like, “Can we connect with a person that you connected with?” And that was our friend Brad. I reached out to Brad and I was like, “Can you do this?” And he’s like, “No. It really has to be somebody that you have a connection with, that you know.” And from my understanding, if somebody follows you, that would be enough for them to reach out and say like, “Hey, I have an understanding of who you are, I follow you online.” Potentially could go through that process, but it’s not the kind of thing where somebody could email me and be like, “Hey, can you connect me with the person that helped you and then go through this process?”

Because it sounds like that’s kind of like a step too far out. It has to be something a little bit more personal or somebody a little bit more connected. So if that happens to you, that would be my recommendation. Essentially, just do whatever you can to get ahold of somebody at Meta who could potentially walk you through the process of doing one of these internal reports to say, “This person was locked out, probably programmatically.” Meaning there might not have been this person sitting down and actually reviewing to see if an account should be logged out or not. It was probably an algorithm or a program that runs and says, “Hey, let’s close this account down.”

And so what then they have to do is go through this internal report process, which my guess is somebody then actually does look at it. A person does sit down and say, “Should this account have been closed out?” Yes, no. If not, it will be reinstated, restored, reinstated and restored or combined reinstored. So a couple other actionable takeaways. This would be more preventative, so things that you can be thinking about to keep you safe moving forward. First, two-factor authentication. So think about setting up two-factor authentication or go through the process of setting up two-factor authentication for every account that lets you do it.

And you can do that either through text message or even better is using an app like Authy or Google Authenticator. You can also do this within 1Password where you set it up and connect it to say, “Hey, every 30 seconds, every 60 seconds, there’s a new code that’s generated and we’re going to use that code as your authentication.” And there’s only one place that you can see it and it would be within the app and so then you copy and paste that in. So make sure that where possible that you set up two-factor authentication. The other thing that’s really important that not a lot of us do, and I went through the process of reviewing all my passwords and all of our logins years and years and years ago to get to the point where they’re all unique.

So, every password should be unique that you use to log in. Now that sounds crazy when you have hundreds and hundreds, or in our case it’s thousands of passwords and it’s like, “Oh my gosh, that would take forever.” But once you get into the routine of doing it, it becomes easier to manage. And it’s only really manageable if you’re using a password management solution. The one that we use, all our teams use, we personally use is called 1Password. And the idea with 1Password is you have one really unique password that unlocks your vault that then has all of the individually unique passwords. So you could have, I think in our case, I’ll open this up in real time here on the podcast.

For all of the different businesses and personal and whatnot, I have 1,356 different logins and they all have a unique password. And it sounds crazy, but when you’re using a password management solution, that is the thing that manages it. And the reason that’s important is because if something does get hacked and your information gets leaked, let’s say it’s not encrypted, so people are able to see what it is. So let’s say you have a random website where you get diaper delivery. Speaking from experience here. This didn’t actually happen where I got hacked, but we do have a diaper delivery service.

And so we have this service, let’s say that they get hacked, it’s not encrypted, and you have your email and your password. What could then potentially happen is they could use that password or look at using that password in other places like banks or email or all of these different places where you’d commonly have logins, if you’re not using a unique password, somebody could potentially then use that password in other places based on a hack from an account or a service that you don’t think is really that important, and so maybe don’t have a bunch of security with that specific application.

And that becomes an issue when you’re using the same password. So you secure yourself by using really unique passwords that are unique in terms of their length and using symbols and numbers and letters, but also unique in that they’re not repeated. And I know it’s hard to do on your own, but if you’re using a solution like 1Password, it becomes a lot easier. The other thing that’s important is just making sure that you’re reviewing any of your contact information in your account and making sure that’s up-to-date, specifically email. So in our case, that was the biggest issue. So going through and seeing if there’s other emails listed on your accounts and specifically with your social accounts. Like, is the contact information correct?

If you have a backup email, that would happen in the case of Gmail, that that information is correct and set up well. A lot of these services like social media accounts or Gmail or Google, they’ll have a security checkup service. And what this service does is it walks you through the process of making sure that your account is secure. So for example, with Facebook, you can just Google security checkup Facebook, and it would bring you to a page that walks you through their like security checkup to make sure that your account is tight and that it’s as secure as it can be.

Another, this is a small thing, not really related to what happened to us but just a reminder, there’s this thing called phishing. What phishing is somebody will send you an email that is not from the actual company like your bank account let’s say, and say, “Hey, we need some updated information. Click here to log in and give us that new information.” And when you click there, it goes to a site that looks like what the site would be, but in actuality it’s this phishing site and you enter in your username and your password, and then what happens is then they have that information and then they can log into your account.

Now, they won’t be able to do that if you have two-factor set up, so that would be another case for setting up two-factor. But just a reminder, as you’re getting emails, one of the things that you can do is instead of clicking on the link to enter your information in if you get something like that, just go to the actual site, type in the URL on your own, navigate to the URL on your own versus clicking on that link just to be extra secure. And the last thing, this is standard de facto advice, but make sure that all of your account stuff is updated.

I actually just went through the process with my brother-in-law this weekend. His credit card information had gotten stolen, and I was looking at his computer and noticed that he had these, it was a couple malware barriers type things that we removed, but his software was out of date, so we made sure to update that as well. And that’s just general best practice too. So my hope and the end of the story here is that we were able to get the account back, we were able to get everything back up and running. All the information was still there. It was a huge relief. Thank you to everybody who reached out to offer to help, and those who did actually help.

There’s a few other kind of kinks we’re working out in terms of getting… There was an ad account that was set up, which I think is kind of the main driver for it that we’re looking to shut down and get that cleared out. But for the most part, we’re all in the clear and we’re able to figure that out due to some generous help from people at Facebook and Meta and our friend Brad and somebody named Jessica’s been helping us as well, who’s been really generous with her time. So thank you to everybody who reached out to help.

My hope in doing this short podcast is number one, maybe it’ll just make you feel good that you didn’t have to go through the process of having all of your accounts locked out, so there’s that. So if you haven’t run into that, you’re in a really good place, take a step back and have a little bit of gratitude that you haven’t had to deal with a situation like this. The second part would be if you have gone through this process or you’re in the middle of it, hopefully this will give you some information to think about and some steps to take.

If you need to, feel free to reach out [email protected] I would love to see if there’s anything I can do to help. And third, I guess would be just a reminder to do some of those proactive things to make sure that you don’t end up in a place like this. And it’s never fun to do, it’s kind of like insurance where it’s like, “This is not the most fun thing to do,” but it will save you a lot of time later on, and if nothing else, provides some peace of mind. So, hopefully that helps and really appreciate everybody and this community and all that you do. We’ll be back here same time, same place next week. See you.

Leslie Jeon: Hello, hello. Leslie here from the Food Blogger Pro team. We really hope that you enjoyed this episode of the podcast. Before we sign off, I wanted to quickly mention our Food Blogger Pro podcast Facebook group, in case you haven’t joined yet. So, our Facebook group for the podcast is one of our favorite places, and it’s a great place to go to just continue the conversation outside of the podcast. So members of our group are the first to know about new episodes. We do open calls for interview ideas, and when we plan our upcoming episodes, we actually ask for questions so you can help shape the future of the podcast and maybe even get your questions answered in upcoming interviews.

So we would love to have you join the group, it’s free to join. If you want to check it out, you can go to foodbloggerpro.com/facebook and then request to join and we’ll go ahead and get that processed for you. But we would just love to see you there, and we so appreciate your support of the podcast. That’s all we’ve got for you today though. Thank you again for tuning in, and until next time, make it a great week.
