Boyd Cycling targeted in Instagram hack

Published November 4, 2022

GREENVILLE, S.C. (BRAIN) — Boyd Cycling suffered a data breach Tuesday with the wheelset manufacturer locked out of its Instagram page and losing control of its advertising account.

Owner Boyd Johnson told BRAIN on Friday that he received a notification early Wednesday morning that someone logged into the account using a similar company email address. Then the hacker received a confirmation code to access the account, locking out Johnson.

After the hacker assumed control of the ad account, an objectionable Instagram post violating community guidelines was created, causing the personal account to be banned. After realizing what happened, Johnson said he immediately canceled the credit card tied to the business account.

Johnson said no customer data has been compromised, and the website remains secure with Google Authenticator in place.

"Once they have access to the ad account and our credit card is tied to that, they will basically make a bunch of ads," Johnson said. "What I've been hearing is people are getting bills for $2,500 or more because they're posting ads. I've gotten emails that say your ad was approved, but you can't go and see what the ads are."

He said his Instagram account is tied to Facebook as part of the Meta Business Suite. 

Adding to the turmoil, Johnson can't reach a human Facebook representative. "Facebook has no human customer service anymore. Everything is done via their AI. The only way to do it is to go through their help center, but you have to be logged on to do anything. So, if your account is disabled, you can't be logged in. And you go through this endless circle of nothingness."

Johnson filed a data security breach report with the California attorney general. Facebook is based in Menlo Park. Boyd Cycling had just over 10,000 Instagram followers and some posts and videos would get more than 100,000 views, said Johnson, who added the brand anticipated running Black Friday ads before the breach.

BRAIN was made aware of a similar hack involving Allo Vélo's 9,000-follower account that became a crypto mining platform in June. The Montreal shop had used its Instagram account to promote urban cycling.

Johnson's advice to retailers?

"Don't save any browsers on Facebook. And download the Google Authenticator app on your phone, and make it require a six-digit code every time you log in. The way they got in was they added an email address and then sent themselves a confirmation code. They got around the two-factor authentication."