Actor Pankit Thakker narrates his TRAUMATIC experience of being HACKED. The exclusive to BollywoodPR.in makes a terrific case study, which may help many save themselves from such cyber attacks and also know the process one could go through if hacked. Here’s his story.
In the words of Pankit Thakker:
The moment I discovered that I was hacked, I started to have a mix of feelings — like the five stages of grief. I was in a sort of parallel world, trying to escape reality and hoping the problem was never there in the first place or that it might resolve itself like magic.
15th November 2020, I was up at 4 in the morning, and as a habit I was casually surfing my social media, reading all the Diwali messages my fans and followers had sent me on Instagram. In the pool of messages, I notice something that caught my attention.
It was a message mentioning that my Instagram account will be deactivated in the next 24 hours due to being reported by some users — also giving me an option to fill an appeal form which will be reviewed by Instagram, if I thought it was a mistake. Failing to fill the appeal form would automatically deactivate my account within 24 hours, it said.
A little taken aback, I ran through the account who had sent me the direct message and I thought that it was sent from a VERIFIED INSTAGRAM SUPPORT ACCOUNT (because I saw that it had a blue tick).
After giving it some thought, I decided to click the link that was sent, which would lead me to fill the appeal form mentioned by Instagram.
I pressed the link and to my surprise, my phone blacked out.
Thinking that maybe I must have forgotten to charge the phone so it must have got switched off, I immediately rushed to get my charger. But before I could do that the phone restarted and I was like, okay great.
When the phone restarted, it took me to the setup wizard before I could start using my device. I found that very strange.
It asked me to select a language and enter my Google account details. Just the same process when we buy a new phone.
I did that and when I tried setting up my phone with my Google details it asked me for the password, I typed the password and the message said I had entered a wrong password, I thought I must have made a mistake. I again typed the password carefully, again it said the same thing –PASSWORD INCORRECT.
Also read: Aditya Narayan BLUFFS, media falls for it!
I tried a few more times and all the times it said, password incorrect. I didn’t know what to do, so I thought let me log into my Google account via desktop. Here again the same thing — PASSWORD INCORRECT.
So basically, I couldn’t get into my Gmail account.
I thought to myself, never mind, I have a password recovery account from where I can reset my password. So I tried logging in from that account and when I punched in my password, it again said PASSWORD INCORRECT.
NOW I GOT A LITTLE SCARED
I wondered what else I could do.
I remembered that I could get a password reset link to my phone number as well. I tried doing that, so that I could get into my account.
When I punched in my phone number, to my utter surprise it said — INCORRECT PHONE NUMBER. I punched in my number again a few times and every time I got the same message — INCORRECT PHONE NUMBER.
Now I realized that I had been hacked.
Whistling in the dark (Cyber Cell BKC)
After spending a few moments trying to find a solution and coming to a complete realisation about what had happened, I figured if I concentrated on the here-and-now and dealt with the aftermath later, I might stop more damage.
I quickly opened a new Gmail ID. I setup the phone with my new Gmail ID and when the phone restarted, I was even more AGHAST!
The entire data on my phone was gone, my messages, my pictures, notes and even all the apps I had were all gone. ALL OF MY CONTACTS WERE GONE.
So basically, I had the phone activated, but I had nothing on my phone.
I had to re-download a few important apps like WhatsApp and all from my app store and when I did that and restarted my WhatsApp all the messages and all the contacts from my WhatsApp were also gone.
I felt so helpless as I didn’t know what to do.
I didn’t remember anyone’s number who I could call and speak to. And all my contacts were gone.
I looked at the time and it was around 6 am in the morning and that’s when I realized that it had been two hours I had been dealing with this mess.
I had to digest the hard fact that I had been badly hacked and that I had to take steps to save myself from more trouble.
I Googled Cyber Cell’s number and tried calling, but no one was answering. Their website mentioned ‘open 24/7’, so without wasting any more time, I dashed to the Cyber Cell at Bandra Kurla Complex (BKC).
6:40 am, I was outside the BKC Police Station. I went inside and a lady officer guided me to the Cyber Cell office on the first floor.
Inside, I found just one officer sitting in a very big office. His name was Mr.Desai.
After listening to my entire ordeal very patiently, he made me sit and asked me, “Sir, aap kartey kya ho?” I told him I am a TV actor. He asked me, what show of mine was currently on air. I told him “SCAM” (which is currently creating waves).
With a small smirk on his face, he sarcastically replied, “Aapne Scam kiya; aur ab aapke saath bhi scam ho gaya.”
However, he quickly got into action and literally helped me draft a perfect email of the entire incident that occurred with all the relevant details of all my hacked accounts, their URLs etc and he also took my new email address where I can be contacted and my phone number etc.
He gave me the official email ID for online complaint registration and made me email the same to Cyber Cell ID. In front of me, he sent a mail to Google, Instagram, Facebook, Twitter etc notifying them about my complaint and assured me that all my accounts will be recovered within 15 days time; as is the normal process in such cases.
He then made me call up my bank and helped me shut down my internet banking, UPI, blocked all my credit cards, debit cards and everything… and made me remove all my details from all the payment wallets like Paytm, PayPal etc guiding me all along the way with it.
It took us almost an hour to do everything possible, then he told me to immediately rush to the police station in my jurisdiction and file a written complaint there.
He told me that the ideal process is that first I should have lodged a complaint at the local police station, after which the local police station would have informed the centralized Cyber Cell about the incident.
But since I had directly landed up at the Cyber Cell in person, he said he had helped me, considering the gravity of the situation. But a written complaint at the local police station was a must, he stressed.
While I was leaving, he again patiently assured me that everything will be recovered… but it will take 15 days time as is the process.
It takes two to tango (Malad Police Station)
8:15 am, I left from Bandra BKC Cyber Cell. 9 am I was at Malad Police Station.
I narrated then the entire incident to them and how I went to the Cyber Cell and how they told me to come here and write a written complaint.
The police officer who was attending me, asked me to wait for the PSI to be free as he was busy attending a complaint from another person.
In the meantime, he asked me to message all my contacts that all my accounts were hacked and that no one should communicate to anyone who mails or asks for money from my email, Instagram, Facebook and Twitter.
He helped me draft a message in his supervision.
Since I had lost all contacts, I only had the contacts of the people on the WhatsApp groups where I’d either joined, or the groups that I had formed. (luckily)
So I sent across a message on all the groups.
In the meantime, the PSI was free to attend to me. I had to narrate the entire incident again. He asked me to write the entire incident briefly on a piece of paper and submit it to him and said that he would give me an acknowledged copy. This written complaint will be the base of all the future communications with the local police station as well as the Cyber Cell, he said.
I asked him for a pen and a piece of paper. He said that I will have to manage on my own from the stationery store outside the police station.
Then he said, ‘you are running around since morning, let’s go for a cup of tea and while coming back you can buy paper and pen on the way.’
We went to a local tea stall nearby and we ordered chai and samosa pav.
He told me his name was PSI Phad and gave me his phone number and told me that the hacker may try to get in touch with me and ask for money, but that it could be a trap and I should not fall for it.
He told me that each local police station has their own small Cyber Cell team and they work in close connection with the centralized Cyber team at BKC.
He said that the Cyber team head from the Malad Police Station was quarantined because of Corona, so he would not be able to take this case for the next 12 days. However, he said that I could speak to him over the phone.
Then, he dialled the Cyber Cell head’s number and we decided to order one more chai and samosa pav.
He then made me speak to the Cyber Cell head of Malad Police Station. His name was Mr. Tambe.
Tambe Sir told me that he is quarantined, so he will be able to help me only after he resumes duty. He asked me to open a new temporary social media accounts and tell all my fans on all social media accounts that my primary account is hacked and if they get any inappropriate messages, they should not reply and also not report the account, or else the account may get deactivated. He said that since I am an actor and have a verified account, it will be a big loss for me if it gets deactivated due to reporting by friends.
I was surprised by this amazing information he shared with me and the level of empathy he showed me. I thanked him and thanked my stars that I was being handled by all sensible policemen, be it BKC or at Malad Police Station.
After we disconnected, PSI Phad ji told me that such hacking incidents are very common these days. He also told me that since the Malad Cyber Cell head is quarantined cause of Corona, he will inform the same to BKC Cyber Cell team and will ask them to help me — and that will help me revive my hacked accounts faster, or else I will have to wait for next 12 days for the recovery process to start and that might be mentally stressful. Again such deep level of empathy totally surprised me.
The bill for the samosa pav and chai came.
Four chais – 40 rupees, Four samosa pavs – 60 rupees. Total 100 rupees.
To my surprise, I didn’t even have 100 rupees cash in my wallet, as I had been doing all my money transactions online.
I was lost in my thoughts. PSI Phad ji noticed this, and asked me what the matter was. I told him I didn’t have enough cash for the samosa pav and chai. He smiled and said you are our guest, let this be on me.
On our way back to the police station, I picked up a pen and a full-scape book which cost me 25 bucks and I paid it from around 70 bucks I had in the pocket.
At the police station, I gave a written complaint, took the acknowledgement for the same, thanked PSI Phad ji and came back home.
It’s not over till the fat lady sings
After coming back, it actually sunk in what had happened.
I was very angry and annoyed at the incident, but the only choice I had was to wait it out.
I opened a new social media account and updated all my friends, fans and followers about what had happened.
In the following 15 days, a lot many things happened.
1) The hacker actually called me on WhatsApp, asking for a ransom of 7000 dollars to return all my accounts. I blocked him.
2) My friends messaged me that they had got inappropriate messages from my Instagram account.
3) The hacker kept on calling me from different numbers, asking me for a ransom and texting and WhatsApping me.
4) In front of my eyes, I could see that the hacker changed the user name of my account on Instagram, which bothered me a lot.
5) I was keeping a tab on all my social media accounts through my new account and I saw that there was no activity on my Facebook and Twitter.
6) I figured that the hacker might not have the passwords of those accounts, or else he would have tampered with them as well.
7) I tried remembering my FB and Twitter passwords, but I couldn’t.
8) I remembered that I had those passwords written down somewhere.
9) I searched my entire house looking for that diary and finally found it and got those passwords.
10) On 18th, I could take control of my FB and Twitter.
11) I immediately put up a message on FB and Twitter about what had happened.
12) A lot of my fans contacted me on FB and Twitter via direct messages informing me that they too had received inappropriate messages and they could figure out that my account was hacked.
13) Meanwhile, the hacker kept pushing me for ransom.
14) I used to update each and every communication of the hacker to the local police and the BKC Cyber Cell.
15) All this while, I had literally no money and zero cash with me, as all my bank accounts were blocked and I couldn’t remove any money, nor could I access my own bank accounts. This began getting on to me.
16) On 21st November, I went to the Cyber Cell BKC again and they asked me to wait till the 30th of November. They told me not to try and access my Gmail accounts as they had already mailed Google and that I could try logging into my Gmail account from my desktop on 30th. They said, I would mostly be able to recover it as it will show the same IP address to Google. If that doesn’t work then they would figure out another way for me, they said.
17) They asked me to open a new bank account, so that I could have access to my finances.
18) By the time I came home it was late and it was a Saturday, so I had to wait it out till Monday to inform my bank to help me open a new account.
19) As Monday approached, I called up my Relationship Manager Ashwini Singh from HDFC Bank, but he was on a holiday. I told him, I wanted to open new account, so he gave me the number of one of his associates Ms. Sheetal Dalvi.
20) I called up Ms. Sheetal Dalvi, who called me to the bank and helped me open up a new account. She issued me new debit cards, credit cards, new internet banking passwords.
21) This involved a lot of procedure and a lot of advanced security measures, so that my old account stayed protected in the interim.
22) I had to wait for my new account to be opened as it takes the bank 7 working days, I was told. So basically I would have my new accounts and new set of cards in the month of December I was told.
23) Again a very frustrating wait.
Calling the tune
On 30th, I tried logging into Gmail from my computer and I could recover it as Google had noticed the complaint and helped me with the password reset and recovery option after asking me a few security questions about my Google account.
I was relieved that I had recovered my Gmail account as promised by the Cyber Cell. I informed the local police and Cyber Cell and thanked them.
They were also very happy. However, I had still not retrieved my Instagram. They told me to begin trying to recover the Instagram account. They added that if I knew someone directly at Facebook, it may help.
A lot of friends helped me recover my account through various means and efforts. Like Jyot Agnani; a freelance media reporter, who connected me to Chirag Katara; an IT specialist. He had his wedding lined up in a few days. But inspite of being busy, he really tried his level best to resolve my problem.
My friend Karan V Grover; a popular actor himself, connected me to Gurpreet who had helped him recover his hacked social media account. Gurpreet is a social media strategist and he also tried a lot from his end through various means and efforts.
Inspite of all the help, there was no way we could get through Instagram and Facebook to recover my account.
I had lost all hope of recovering my Instagram as now whenever I entered my user name, it said ‘user not found’. A friend told me that the hacker might have deleted my account since I had ignored his ransom calls.
Music to my ears
One fine day, my friend Shubhangi Atre casually called me. That’s when I told her about my hacked accounts and my harrowing experience. She immediately gave me the number of her acquaintance Diwaker working at Facebook. She told me to get in touch with him and assured me that he will be able to help recover my account. Shubhangi is a very popular TV actress and doesn’t need any introduction.
However, it was late Saturday night and I thought it would be inappropriate to ask for help from someone who I don’t know personally, so I decided to wait until Monday.
On Monday the 7th of December around 12 noon, I called up Diwaker who heard me out and asked me to mail him everything. He said he will loop me to the Facebook partner experience team, who could help me get my account back.
After several mails back and forth and various security protocols involved with the Facebook partner experience team, with the help of Diwaker and the Facebook partner experience team, I was able to recover my Instagram account successfully by the end of the day.
Diwaker explained to me that Instagram and Facebook never calls or messages their users. They would never directly message on any medium, be it direct messenger or WhatsApp or wherever. That is just not their policy.
He said that the only thing Instagram and Facebook does, if someone has flouted some norms, is that they intimate the user by an email linked with that account, and that too, in a very non-threatening way.
He asked me to be careful in future and use the two-factor authentication method for all my accounts, including Gmail etc which will keep my accounts safe in the future.
Two-factor authentication restricts access by forcing to use one-time user code sent by text message or through a key fob. This is the best method to secure your digital life.
A Whistling Dixie (the learning experience)
Yes, I was hacked. This is the kind of situation that you think can only happen to other people. But guess what! You are the other people’s other people and it might happen to you!
Understanding how I was hacked allowed me to harden my digital life. Enabling two-factor authentication allows me to block such an attack. It allows me to add a steel door to my own digital life.
If two-factor authentication was enabled, a one-time password would have been sent to my phone. The hacker would need access to my phone to view my text message. This would have stopped the hack before it would have started.
The Swan Song
I hope my experience can help others not to make the same mistake I did.
And this can happen to anyone. It doesn’t matter how experienced you are.
A small security measure can stop an accident.
My sincere thanks to:
Mumbai Police (PSI Phad ji, Tambe Sir, PSI Waykos Savle)
Mumbai Cyber Cell (Mr Desai, Ms Sharmila Sahasrabudhe)
HDFC Bank (Ashwini Singh, Ms. Sheetal Dalvi, Ramakrishna)
Facebook India Team (Diwaker and Murali Menon)
Their behaviour has been absolutely professional and helpful.
I pay the highest level of respect to them.
A special mention for all my friends like Karan V Grover, Gurpreet, Jyot Agnani and Chirag Katara, who extended their help in one way or the other.
And last but not the least, thank you Shubhangi Atre for connecting me with the wonderful Facebook team.