A lesson in where to turn for help when your account is being held at ransom.
Abbots & Kinney and the case of the stolen Instagram account
On the Thursday before the Adelaide Cup long weekend, Abbots & Kinney founder Jonny Pisanelli was in a meeting discussing his pastry range.
He wanted to show some products he’d posted to the Abbots & Kinney Instagram account, and so took his phone out and pulled up the app. A notification flashed on screen telling him he’d been logged out.
He tried logging in again, but he got another error message: incorrect password.
Jonny remembered dismissing a notification on his watch earlier in the meeting telling him the email for his Instagram account had been changed.
This didn’t strike him as unusual at the time; a few people within the business have access to the account, so maybe someone had trouble signing in and inadvertently changed the email in the process.
He tried again, this time using the Abbots & Kinney username, but the app told him the username did not exist. He searched for the account by name and couldn’t find it.
Confused, but in the middle of a meeting, Jonny found the image he wanted via Google and moved on.
Coming out of the meeting, he texted his second-in-command, Dani Najm, to ask if she’d changed the password on the account. She hadn’t. He asked if she could find the Abbots & Kinney account on Instagram. She couldn’t.
“That’s when I’m like, ok, this is really, really strange,” Jonny tells CityMag.
Within minutes of that thought, Jonny received a message from an unknown number via WhatsApp, telling him his account had been hacked and was being held at ransom.
“Obviously I’m like, ‘Is this a joke?’” Jonny recalls.
‘No,’ came the hacker’s reply.
“Why have you done this to me for?” Jonny asked.
“This is my job to hack an account and sell it back to its owner,” the unnamed entity replied.
“Cmon mate,” Jonny said.
“I appreciate this is your job.
“But why don’t you choose [a] big company that [has] lots of moneys? We are a small [family] business.”
The pleading didn’t help. Over the course of the next few hours, the hacker named their price: $300 USD, to be paid in Bitcoin.
Once the hacker had the money, the account would be returned.
For Jonny, Instagram is more than a repository of memories and photos of past pastries. The app is a vital communication tool for his small business.
With the Adelaide Cup Day public holiday coming up, Jonny wanted to let his 16,000+ followers know the business would be trading on Monday. He also had new products he planned to launch that weekend, with the aid of the Instagram hype machine.
“Instagram is bigger than Twitter for us, it’s bigger than sending emails out to people to let them know what’s happening, and it’s instant for us,” Jonny says.
“[If] there’s a new product, that’s how we let people know. It’s a big sales tool for us, because if there is a new product, you can post it on Instagram, and it’s generally the first product that people will come knocking on the door for.”
He took screenshots of the conversation between himself and the hacker, and the Abbots & Kinney Instagram page (which had been given a new username: @prbngorkem16k2, and a new bio blurb: “this instagram account is held to be sold back to its owner”) and reported the incident to Instagram.
The expected wait time for a response was up to 48 hours.
For several reasons, Jonny didn’t want to send the hacker $300 USD in Bitcoin.
Firstly, converting cash to Bitcoin is inconvenient and incurs fees, worsening the financial pain of the ordeal.
There was also an understandable lack of trust between Jonny and his hacker, who could easily take the money, refuse to give back the account, and then ask for additional funds.
Jonny raised this point, and the hacker responded by sending through screenshots of conversations with other victims, in English, Italian and Arabic, where they had handed back the stolen accounts. This did little to allay Jonny’s fears.
The conversation continued over Thursday and Friday as Jonny tried to reason with the hacker.
“Part of you thinks, if you can not be an arsehole to them, maybe they’ll be a little bit more lenient with how much money they’re asking for,” Jonny says.
Meanwhile, he and his business partner in Melbourne, whose other business interests involve a tech team, tried to find out more about the scam.
“We figured out the guy was from Turkey and he’d obviously done this before, just through whatever forms of information they [found],” Jonny says.
They noticed the usernames and passwords that were given back to previous victims of the scam were all the same, so they tried to log back in using those details, but to no avail.
By Sunday, the hacker had fallen silent.
“The messages weren’t being checked, and I thought maybe he’s sold the account,” Jonny says.
“But the account was still the same, he hasn’t responded and I thought maybe he or she has been caught by someone or gotten into trouble and that’s why they’re not online.”
Instagram had also not yet responded, leaving Jonny to feel he had only two options: take a chance and front up the Bitcoin, or start a new account from scratch.
“A part of me was thinking, Look, it’s not the be all and end all. We can rebuild it. We can be smarter about it. Maybe we won’t be able to go from zero to our current following overnight, but we’ll get back there eventually,” Jonny says.
“[But] you’re looking at the history of all your photos and it sort of tells a story of where you started and where you’ve come from and what direction you’re heading. So that was probably the sad bit.
“But they’re photos, they’re in your iPad, you can upload them again.”
Sadder and more frustrating was the silence from Instagram.
“I’m disappointed. A hundred percent disappointed,” Jonny says.
“Because yeah, we [should have had] two-factor authentication, but literally it wasn’t like it was hearsay… How much more information [do they need]?
“We spend money with them [but] they know that it’s not like a food supplier that didn’t deliver my ingredients and it cost the business. If that happened over and over again, I would use a different food supplier and they would lose out.
“Instagram’s big enough to say, ‘Alright, we didn’t get back to you. So what? What are you going to do?’ They know that we need Instagram more than Instagram needs us.
“It makes you think about your business, and have we given that impression to our customers, that [they] need Abbots & Kinney more [than we need them]?
“It makes you aware that we need to make the people that are spending $2.50 feel just as important as the people spending $500, $600, $700 for a function. Because that just shits you. You’re rendered helpless.”
As the Monday public holiday drew closer, Abbots & Kinney’s customers began to notice the business’ absence on Instagram. They had searched for the account to see if the café would open on Monday, and asked in-store about what had happened.
Jonny explained the situation, and word slowly spread throughout his network.
On Monday morning, a fortuitous conversation occurred over the coffee machine.
“Luckily for us, one of our customers had a friend of a friend, spends millions of dollars a year on advertising through Instagram,” he says.
“Having a chat on Monday morning to our customer, [by] Monday afternoon it was all fixed.”
Jonny was appreciative of the help, but this only furthered his frustration with Instagram.
“The fact that they have the power to do what they did for someone who spends money, it’s like, what about the little people?” he says.
Jonny isn’t sure how the hacker got into the Abbots & Kinney account.
When he regained access, he saw a message in his inbox from someone falsely claiming to be Instagram, asking him to apply for a verification tick, but he says the first time he saw this was after the fact.
He also says his business partner’s tech team saw the email linked to the Abbots & Kinney Instagram account was available through the Oxfam data breach, but Jonny can’t recall any dealings he’s had with that organisation.
Regardless, the experience taught him a couple of valuable lessons.
Firstly: turn on two-factor authentication.
Jonny hopes his story might prompt other businesses who use Instagram as a source of income or communication to take this necessary precaution and switch the function on.
“The sad thing was, the same day we got it all back online, I was able to see that another bakery, a friend of mine on the other side of the world, his friend got hacked, the same thing,” Jonny says.
“They refused to pay the money, but they’ve also just had to start their account all over again.”
The second valuable insight: If you’re a small business, don’t expect Instagram to have your back.
“I still haven’t heard back from them.”