Cambridge Imprint: ‘Instagram ransomware attack was terrifying’
Cambridge Imprint, the paper-making business, saw sales halve during a six-week Instagram ransomware ordeal – a nightmare which only ended when Cambridge MP Daniel Zeichner intervened to secure a settlement with Facebook, Instagram’s owner.
The drama started on March 30, says co-founder Ali Murphy, one of the trio of sisters who run the company, whose patterned paper designs are on sale in Heffers.
“We were phished inside Instagram,” she says. A phishing attack is a fraudulent message designed to trick an account holder into revealing sensitive information to the attacker or to deploy malicious software on the victim’s infrastructure.
“We received an internal message on our Instagram account. I’m normally very cautious about emails but I never thought an internal message on Instagram would be hazardous, and the message said the sender was Instagram so I assumed it was authentic – massive mistake.”
The message said they should sign in for a verification update, which Ali did. Things happened pretty fast after that.
“Within four minutes the account was taken over – they’d changed the login details twice by the time I clicked in after receiving an email, I was two stages back, so I couldn’t change the password or anything, or log in, and I couldn’t say I’d forgotten the password as the email was different.
“So at that stage we were locked out of the account.”
With 15,000 followers, Instagram is an important shop window for the business the sisters started in 2013. Posts receive between 400 and 1,700 likes – “it goes up and down, I don’t know why” – and keep fans up to date on new ranges and offers, which they then buy from the website. After the hack, with the sisters now having zero control over their own account, the brazen cybercriminals were free to begin their cross-platform blackmail demands.
“I got an email saying they’d taken over the account,” says Ali, “plus a whole series of WhatsApp messages saying they had control and how much was the account worth to us. No amount was specified, so I gave them a very small amount, although it is worth an incredible amount to us because we’ve had an Instagram account since 2015, and – especially during Covid – it’s a way of keeping going, it keeps people up to date.
“I emailed Instagram’s help desk, and then their phishing help desk, I emailed about 40 times, but got no reply. There’s only one phone number and that’s in the US.
“I called our insurance company, they said there was no way to get the account back unless we knew someone at Facebook. At that point we were really worried because we depend on our Instagram, so we asked the hacker what they wanted.
“They wanted a payment in bitcoin. At that point I didn’t know what bitcoin was, but we couldn’t see any way round it, he was threatening to delete the account that day, so we paid them £300 in bitcoin.”
“We switched on double verification, but as soon as we thought it was back under our control he WhatsApp’d us to say ‘the account isn’t safe’. It turned out the hacker was still in the account, we hadn’t logged him out. We changed the details all over again, with two-factor authentication – how could he get through that? We posted to the account a few times and then, four or five days later, he took over the account again.
“I’d change all the log-in details numerous times but when I got the account back I hadn’t made sure all the accounts were logged out. Everybody has to be logged out of the account when you reset the password.”
Like some alt-horror movie, it turned out the hacker was still in the account – he’d never signed out.
“This time I thought ‘we’re done with you’ and I didn’t reply,” notes Ali. “We set up a temporary account and emailed our MP, Daniel Zeichner. He was the person who got our account back for us. He very kindly wrote to Facebook.”
Daniel Zeichner said: “I’m pleased that after my intervention Cambridge Imprint have full access to their account.
“As a company that makes patterned paper, stationery and homeware, showing off their colourful products online is vital! It’s like pulling down the shutters on their shop window.
“It is very hard when people get locked out of Facebook and Instagram accounts. It really shouldn’t take an MP to intervene. There is a distinct lack of contact details for these firms, or much possibility for people who have been hacked to speak to a representative from the company.
“We live in a world where the tech giants have huge power, but all too often, it seems they take no responsibility. It is unbalanced and it’s time it changed.”
Throughout the ordeal the trio had very little idea of who was behind the attack, says Ali.
“The first email ended up in Turkey, it was in Turkish. I knew he was not English speaking because he said he was using Google translate, and there was a different time zone involved because he was not active in the morning, only later in the day. I knew he was doing it to other people because he said of other people he’d hacked: ‘They got their account back’. You have to take your internet security seriously – because Instagram is such a lovely community for the decorative arts, you forget you have to be as secure there as other parts of your business like your bank account.
“It’s sophisticated – lists of passwords appear on the dark web, so we spent days changing our passwords because we didn’t know how they’d done it – that meant email, Facebook, Dropbox, the bank, the website... it took days.
“You have to report all online fraud to Action Fraud. Our overall sense is that Facebook is such a huge organisation, you’re not the customer, the advertisers are the customer. You are the product, and there is literally no customer service, no one will reply. The realisation we had was that they are massive and you are totally and utterly insignificant to them, it was like banging our head against a brick wall. We are incredibly grateful to our MP, to have someone ready to take up your case made all the difference, there are so many phishing attacks, and some of them involve really large payments.”
A Facebook spokesperson said: “We take account security seriously and we restored access to this account.
“Businesses are an important part of our community, and we encourage everyone to create a strong password, enable two-factor authentication and to be suspicious of emails or messages asking for personal details. Anyone who is concerned they may have been hacked should visit our help centre.”
“We were phished on March 30, it was a Tuesday,” concludes Ali. “We got the account back on the Saturday and then the following Thursday we were hacked again. We eventually got our account back on May 10, and in that time our sales had halved. We’re all artists, we’re basically pattern makers using traditional methods. We could keep supplying shops during that time. But you don’t really think of Facebook and Instagram as that important, but when it does go wrong it’s terrifying.
“If we had switched on double verification in the first place we could never have been phished and none of this would have happened. Double verification really is vital.”
The Cambridge Imprint Instagram account continues to operate from its original account @cambridgeimprint. The @cambridgeimprintofficial account defaults to @cambridgeimprint.