Your Private Instagram Account Might Not Be as Private as You Think

How wary should you be of third-party applications like IGLookup?

October 18, 2021 8:44 am
Self-proclaimed private Instagram viewer applications allow users access to private Instagram profiles.
Gabriel Serrano

If you ever have the creepy urge to stalk the private account of someone you don’t follow on Instagram, one swift Google search will show you how to do it. There are a number of disconcerting articles circulating the web, detailing step-by-step how you can (easily!) invade someone’s privacy. The first recommendation is typically to try following the account first (duh) or create a fake account and request under the alias. But if all else fails, as these articles suggest, you could try using a third-party application, like IGLookup, to anonymously view a private account. 

If your account is on a private setting, it’s likely because you want to maintain some semblance of confidentiality or to keep particular peepers out — and the knowledge that there are third-party applications out there that could give strangers or mortal enemies access to your account might sound off alarm bells. 

And because some, if not most, of these self-proclaimed “private Instagram viewers” are likely scams trying to compromise their own users’ data, we’re not taking the chance to find out how legitimate they are first-hand. So instead, we spoke with a few cybersecurity experts to find out whether these third-party private Instagram apps are simply scams or something you should be cautious of, along with better security practices you should implement across your social accounts regardless. 

What’s the deal with these third-party apps?

“There are a number of tools readily available to the general public to allow people to search and view a private Instagram account,” says Ondrej Krehel, Founder and CEO of Lifars, a New York City-based cybersecurity company. “Many of these applications bypass the Instagram security protocol, which allows users to remain undetected while using them.”

Krehel notes that he doesn’t want to promote these tools because, on top of being ethically fraught, most of them perpetuate malicious code that can compromise your own data. Professor Brian Gant, an Instructor of Cybersecurity at Maryville University, tells InsideHook he’s vaguely familiar with IGLookup and explains that the app might give you a sneak peek of a private profile before requiring you to download additional apps to go any further.

“I am usually very cautious of services that utilize that kind of marketing ploy,” says Gant. “The vast majority of the sites try to lead you down rabbit holes and to other untrustworthy web pages. Ultimately just trying to collect data on you and possibly make you a phishing victim as an example.”

However, someone might not even need a third-party app to find content hidden behind a private account. 

“One of the simplest tools that is used is Google search,” Krehel adds. “Those who want to peek into an Instagram account history just need a username and Google to search. In its early days, Instagram wasn’t always so private. Older profiles would have had photos indexed and available for Google to display. The danger of private information being displayed on Google searches isn’t new. Google can display new and archived information such as social profiles, personal websites, blog/forum posts and other publicly available data.”

If you haven’t already experienced it, you will be hacked at some point.

We’ve seen it happen to nearly everyone. Whether you’re an NFL coach or a Marvel superhero, no one is safe from getting an anonymous post or privately sent message exposed.

“Nothing in the cyber world is completely private,” stresses Krehel. “Life’s a breach when it comes to the online world we all live in. There are some steps you can take to make it ‘more’ secure, but a good rule of thumb is to assume you will be a victim of a breach at some point.”

Terrifying, of course, but important to keep in mind. Everything you post online is susceptible to a leak regardless of whether it’s a harmless family photo or an offensive remark which, hopefully, you’re not making in the first place. Even previously deleted posts can resurface, as was the case with actor Simu Liu who had his (allegedly) old Reddit account exposed by a GitHub tool, despite the fact that Liu (allegedly) deleted it. And anonymous accounts you assume conceal your identity can always be traced back to you. 

“Focus on always having the mindset of your account being hacked. That will influence what you post, and if something does occur, you are not in a position of discomfort because of what has been leaked,” echoes Gant.

Additionally, the ways in which Facebook and other social media platforms scrape, use and sell their users’ private data have been thoroughly documented, which might influence your decision to sign up for an app or delete it altogether.

“I think the overall position here is that data and information you put on social media is going to be viewed, it’s going to be seen,” says Tom Kelly, cybersecurity expert and CEO of IDX, a leading identity theft and data breach response service provider. “Whether it be by Instagram scraping the information and data or Facebook scraping the information and data and utilizing it for their own algorithm base and business practices, or if it’s third parties that are doing that for either marketing purposes or whatever nefarious design you might come up with, they’re going to be doing that.”

The steps you can take to better protect your privacy 

While it’s impossible to keep yourself and your posts 100% private and protected on the internet, there are still steps you can take to make it more difficult for hackers to look at and/or hack into your Instagram account, or any social media account. Checking the appropriate boxes to ensure your account is private is a good first step.

Don’t use obvious passwords (obviously). “Make [the hackers] work for it. Use a password generator to create difficult to crack passwords,” recommends Krehel. “If you have a hard time remembering your passwords use a password management application such as LastPass to help manage your list.” Kelly advises updating your passwords frequently since passwords and data scraped from hacked sites may be harvested on deep web pages and used to penetrate accounts.

Be cautious about location tracking and what sites and services you allow to have access to your current location, adds Kelly. “Every app wants to use your location. You’ll download an app for a specific purpose, and the very first question they always ask is if they can use your location. And every time, I say no. Then after I’ve used that app, depending on its purpose, I usually delete it and scrape it out, get it out of there.”

Enable two-factor authentication for Instagram and all other apps, but most importantly your primary email account, and remember to log out of your Instagram account when not in use. Finally, be mindful of when you allow third-party apps to access your account.

“These apps may make it easier to repost on Instagram for example, but keep in mind if the app is hacked, you are hacked,” adds Krehel. “Do not allow apps access to your Instagram account unless necessary, in most cases, it is not. If there is an app you no longer use, make sure to revoke access to those third-party apps when you do not plan to use it.”

Will implementing all of these steps make you immune to a hack? As all three of our cybersecurity experts have made it rather clear: no.

“It’s like what I tell my cybersecurity students, ‘It’s not if you will fall victim to a data breach, it’s only when,’” says Gant. Still, prevention decreases that risk, and remaining cognizant of how social media platforms and bad actors may compromise your privacy is crucial.

“We always think of social media as the way for grandma and granddad to see their grandchildren. And during the pandemic and the lockdowns, there were enormous benefits to social media. No argument, products like Zoom have allowed us to stay connected or conduct business,” says Kelly. “But we have gotten so lackadaisical in not understanding that our privacy now is the cost of us signing into these quote-unquote free products. When it’s a free product, that means you’re the product.”

Now, you don’t have to relinquish all of your social accounts if you don’t want to. Just take the proper precautions.

“Security awareness at all levels, good password practices, home network maintenance, et cetera,” says Gant. “They all play into ensuring your privacy and security remain top notch and not complacent.”
