Affiliate disclosure: Some links in this article are affiliate links. If you buy through them, I earn a small commission — at no extra cost to you. I only recommend tools I would genuinely use myself.

If your Instagram has been hacked, your Facebook account compromised, or your WhatsApp taken over — this guide walks you through recovery, platform by platform, starting with the step most people get wrong.

Are you currently locked out of your account?

Three questions to work out where to start:

Are you completely locked out, so you can't log in at all?
Has the email or phone number on the account been changed?
Are you seeing posts, messages, or logins you didn't make?

For the broader context on scams that use compromised accounts to reach new victims, see the scam awareness hub.

Friends are telling you

The most common early signal — you often can't see attacker posts from your own view. Take any such report seriously, immediately.

You're locked out

Your password no longer works, or your email has been changed to one you don't recognise.

Sent messages you didn't write

Posts, DMs, or emails went out from your account without your knowledge.

Login alerts from unknown devices

A location or device you don't recognise appears in your sign-in activity.

Active sessions you didn't open

Your account shows as logged in somewhere you are not.

2FA codes you didn't request

Someone is actively attempting to log into your account right now.

Do These Three Things Right Now

Key figures: 29% of adults have been targeted; 53% of all takeovers involve social media; most recoveries succeed within 48 hours.

1. Secure your email first — not your social media account

Your email controls everything. It receives password reset links. If the attacker also has your email, every action you take on the social platform can be undone in seconds. Go to your email provider now, from a device you trust. Change the password. Check for forwarding rules you did not set up. Log out all unfamiliar devices.

2. Change your social media password from a clean device

Once your email is secured, change the social media account password. Use something completely new — never used on any other service. If you reused your old password anywhere else, those accounts are now at risk too.

3. End all active sessions immediately

Every major platform has a 'where you're logged in' screen. Find it and log out every session except your current one. The attacker may hold an active session even after you change the password if they have a saved session token.

How Attackers Get In — The Three Methods in 2026

Method 1: Credential stuffing

You reused a password. Attackers bought it from a leaked database and tried it automatically across hundreds of platforms.

Method 2: Session token theft

A phishing link stole your browser session cookie. The attacker is now inside your account without ever needing your password or 2FA code.

Method 3: Infostealer malware

A download silently extracted every saved password and session cookie from your browser. 1.8 billion credentials were stolen this way in 2025 alone.

(Source: Akamai 2024)
Why 2FA alone did not protect you: Session token theft bypasses two-factor authentication entirely. The attacker uses your existing authenticated session — they never trigger the login flow that requires a code. 2FA remains essential, but it is not sufficient alone.
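To make the point above concrete, here is an added illustration (written for this article, not any platform's real code) of a hypothetical, simplified session store. It shows why a request carrying a stolen session cookie never enters the login flow where 2FA is checked, why a password change on its own may leave that cookie working, and what "end all other sessions" and revoke-on-password-change actually do. All names (Account, Session, login, request_with_cookie, end_other_sessions) are invented for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional
import hashlib
import secrets

# Hypothetical session store for illustration only; not a real platform's code.

@dataclass
class Session:
    device: str
    epoch: int  # value of account.session_epoch when this session was issued

@dataclass
class Account:
    username: str
    session_epoch: int = 0  # bumped to invalidate every outstanding session at once
    sessions: Dict[str, Session] = field(default_factory=dict)  # token hash -> Session

def _token_hash(token: str) -> str:
    # Keep only a hash server-side so a copied session table is not directly reusable
    return hashlib.sha256(token.encode("utf-8")).hexdigest()

def login(account: Account, device: str, password_ok: bool, second_factor_ok: bool) -> Optional[str]:
    """The interactive login flow. Both factors are required here, and only here."""
    if not (password_ok and second_factor_ok):
        return None
    token = secrets.token_urlsafe(32)
    account.sessions[_token_hash(token)] = Session(device, account.session_epoch)
    return token

def request_with_cookie(account: Account, token: str) -> bool:
    """Every later request just presents the cookie. No password and no 2FA code
    are asked for because the login flow is never entered; a stolen cookie
    therefore works until the session itself is revoked."""
    h = _token_hash(token)
    session = account.sessions.get(h)
    if session is None:
        return False
    if session.epoch != account.session_epoch:
        # Issued before the last revoke-all: reject it and drop it
        del account.sessions[h]
        return False
    return True

def where_logged_in(account: Account) -> List[str]:
    """The 'Where you're logged in' screen: one entry per live session."""
    return sorted(s.device for s in account.sessions.values())

def end_other_sessions(account: Account, keep_token: str) -> int:
    """Log out every session except the one the user is on. Returns how many ended."""
    keep = _token_hash(keep_token)
    ended = [h for h in list(account.sessions) if h != keep]
    for h in ended:
        del account.sessions[h]
    return len(ended)

def change_password(account: Account, revoke_sessions: bool) -> None:
    """revoke_sessions=False is the weak behaviour: cookies issued earlier keep
    working after the change. revoke_sessions=True invalidates all of them."""
    if revoke_sessions:
        account.session_epoch += 1

def demo() -> dict:
    """Walk through the takeover scenario; returns the observations as a dict."""
    acct = Account("victim")
    mine = login(acct, "victim-phone", True, True)
    stolen = login(acct, "victim-laptop", True, True)  # cookie later copied by an attacker
    out = {}
    out["cookie_skips_2fa"] = request_with_cookie(acct, stolen)          # True
    out["devices_before"] = where_logged_in(acct)
    change_password(acct, revoke_sessions=False)
    out["stolen_works_after_weak_change"] = request_with_cookie(acct, stolen)  # True
    out["ended"] = end_other_sessions(acct, mine)                         # 1
    out["stolen_after_end_sessions"] = request_with_cookie(acct, stolen)  # False
    out["mine_still_works"] = request_with_cookie(acct, mine)             # True
    return out

if __name__ == "__main__":
    print(demo())
```

The two defences the article recommends map onto two functions: end_other_sessions is what you do from the 'where you're logged in' screen, and change_password with revoke_sessions=True is what a well-built platform does for you; a platform that behaves like revoke_sessions=False is exactly why the article tells you to end sessions yourself even after changing the password.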

Platform Recovery — Facebook

Facebook recovery checklist

Takes under 8 minutes

1. Secure your email account first

Change the password on the email linked to your Facebook. Check for forwarding rules. This is step one — without it, the attacker can reset your Facebook password again.

2. Go to facebook.com/hacked directly

Do not use any link from an email or message. Navigate there manually. This is Facebook's official entry point for compromised accounts.

3. Log out all unrecognised sessions

Settings → Password and Security → Where You're Logged In. End every session that is not your current one.

4. Check and restore your recovery contact details

In Accounts Center → Password and Security, verify your primary email and phone number have not been changed. If they have — this is the attacker's persistence mechanism. Restore them immediately.

5. Remove unfamiliar connected apps

Settings → Security and Login → Apps and Websites. Revoke access for anything you do not recognise.

If Facebook ran ads from your account: go to Ads Manager and pause all campaigns you did not create. Screenshot every unauthorised campaign with timestamps before removing it. Contact your bank if payment methods were used.

Platform Recovery — Instagram

Instagram recovery checklist

Takes under 6 minutes

1. Tap 'Forgot password?' then 'Get more help'

On the Instagram login screen — this routes you into the hacked account flow, not the standard password reset. If the attacker changed your email and phone, this triggers manual review and video selfie verification.

2. Complete identity verification if prompted

Instagram may ask for a video selfie to verify against account photos. Only submit this through the official in-app flow — never send ID or videos to anyone who contacts you claiming to be Instagram support.

3. End all active sessions after regaining access

Settings → Security → Active Sessions. Log out everything unfamiliar.

4. Revoke unknown connected apps

Settings → Security → Apps and Websites. Remove anything you did not intentionally authorise.

Platform Recovery — WhatsApp

1. Reinstall WhatsApp and re-verify your number

Uninstall and reinstall WhatsApp on your phone. During setup, verifying your phone number again logs out all other sessions automatically.

2. Enable a six-digit PIN

Settings → Account → Two-Step Verification. This PIN prevents an attacker from re-registering your number on a new device even if they have your SIM.

3. Check linked devices

WhatsApp → Settings → Linked Devices. Remove any device you do not recognise.

If the Attacker Has Your Private Content

If You Are Being Extorted

Do not pay. Payment does not end the threat — it establishes that you will pay.

Attackers running extortion campaigns are simultaneously targeting multiple victims. There is no scenario in which a single payment results in the content being deleted.


1. Do not pay under any circumstances

Payment establishes you as someone who will pay. Demands escalate. The content will not be deleted.

2. Preserve all evidence before reporting

Screenshot the messages, payment demands, and anything showing your content. Note timestamps. Do this before platform reporting — content may be removed during review.

3. Report to the platform using the most specific category available

Instagram, Facebook, and TikTok all have specific pathways for non-consensual intimate image sharing. These receive faster responses than standard account reports.

4. Report to your national cybercrime unit

This is a crime in most jurisdictions. You are the victim. A police report creates a record for platform escalation and establishes legal accountability.

Tell someone you trust. The most effective tool attackers have is your silence. The threat loses significant power the moment you tell a trusted person what is happening.

Warn Your Contacts — The Step Most Articles Skip

1. Post a warning immediately — from a different device or platform

Use a platform the attacker does not control. Even a WhatsApp status or an email to your closest contacts is enough to start.

2. Prioritise your most vulnerable contacts

Elderly relatives, parents, and anyone who might act on an urgent message without questioning deserve a direct message, not just a public post.

3. Contact customers or clients if you use the account for business

A brief direct message preserves more trust than silence followed by reports from customers who were scammed.

Copy and paste this warning message:

"Important: My [platform] account has been compromised and is under the control of someone else. I am working to recover it. Please do not click any links, respond to any messages, or send any money to anyone contacting you from my account. All messages from it right now are NOT from me. I will let you know when my account is back under my control. Thank you for your patience."

Replace [platform] with Facebook, Instagram, or WhatsApp. Post as a status, story, or send directly to your closest contacts first.

How to Make Sure This Never Happens Again

Use a password manager and unique passwords

Password reuse is the root cause of most account takeovers via credential stuffing. A password manager generates and stores a unique password for every service so you never reuse one. If one service is breached, the damage is contained to that service only.

1Password generates and stores a unique password for every service you use. It works across every device and browser, has a clean interface, and has never had a major breach. It costs around $3 a month — a reasonable price for something that protects every account you own.

Switch from SMS two-factor to an authenticator app

SMS codes can be intercepted through SIM swap attacks — where an attacker convinces your mobile carrier to transfer your number to a SIM card they control. An authenticator app generates codes locally on your device. The codes never pass through your mobile network. Google Authenticator and Authy both work well. Enable one on every account that supports it.

Check whether your credentials are already leaked

Go to haveibeenpwned.com and enter your email address. It will tell you which known data breaches include your email. If your current password on any service matches a password from a leaked database, change it today — even if you have not noticed any suspicious activity.
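Have I Been Pwned also offers a password check that works without ever sending the password anywhere, and it is worth seeing how, because the same idea answers the obvious worry ("do I really type my password into a website?"). This is an added example, not the site's own code: the client hashes the password with SHA-1, sends only the first five hex characters of the hash to the range endpoint (https://api.pwnedpasswords.com/range/<prefix>), and gets back every known suffix with that prefix, so the match happens on your own device. The response below is constructed for the example (the counts and the two filler suffixes are made up; only the suffix for the word "password" is its real SHA-1 suffix), and fetch_range is a stand-in for the real HTTP call.

```python
import hashlib
from typing import Callable, Dict, Tuple

# Constructed stand-in for the range API. The real endpoint returns lines of
# "SUFFIX:COUNT" for every leaked hash starting with the requested 5-char prefix.
# Counts and the two filler suffixes here are invented for the example.
FAKE_RANGE_RESPONSES: Dict[str, str] = {
    "5BAA6": "\r\n".join([
        "1D72CD07550416C216D8AD296BF5C0AE8E0:10",
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493",   # real suffix of sha1("password")
        "1F2B668E8AABEF1C59E9EC6F82E3F3CD713:5",
    ]),
}

def sha1_prefix_suffix(password: str) -> Tuple[str, str]:
    """Split the uppercase hex SHA-1 into the 5-char prefix that is sent and the
    35-char suffix that stays on the device."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]

def fake_fetch_range(prefix: str) -> str:
    """Offline replacement for GET https://api.pwnedpasswords.com/range/<prefix>."""
    return FAKE_RANGE_RESPONSES.get(prefix, "")

def pwned_count(password: str, fetch_range: Callable[[str], str] = fake_fetch_range) -> int:
    """Return how many times the password appears in the leaked set (0 if not seen).
    Only the prefix leaves the device; the comparison runs locally."""
    prefix, suffix = sha1_prefix_suffix(password)
    for line in fetch_range(prefix).splitlines():
        line_suffix, _, count = line.strip().partition(":")
        if line_suffix == suffix:
            return int(count)
    return 0

if __name__ == "__main__":
    for candidate in ("password", "a-long-unique-passphrase-used-nowhere-else"):
        print(candidate, "->", pwned_count(candidate))
```

To run this against the live service, replace fake_fetch_range with a function that performs the HTTPS GET for the prefix and returns the response body as text; the rest of the logic is unchanged, and the password still never leaves your machine. A non-zero count is the signal the article describes: change that password everywhere it is used, whether or not you have seen suspicious activity.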

Check for infostealer malware if your device may be involved

If your takeover may have happened through a device compromise — you downloaded something recently, noticed unusual behaviour, or the attacker had access to multiple accounts simultaneously — run a full device scan before re-entering any credentials.

On Android: Malwarebytes — free basic scan, catches the vast majority of known infostealer malware. On iPhone: iOS sandboxing prevents most infostealers from running. If you are concerned about an iPhone compromise, focus on checking which apps have unusual permissions and look for browser extensions you do not recognise.

The Honest Summary

Account takeover is recoverable in most cases. What determines how quickly depends on two things: how quickly you act on your email account first, and whether the attacker changed your recovery contact information before you got there.

If you got to the email account within the first hour and the attacker has not yet changed your Facebook or Instagram recovery contacts, recovery is typically straightforward. If the attacker has changed everything and your account has been used for policy-violating behaviour, recovery is slower but still possible — it requires persistence through the platform's identity verification process.

The one scenario with no guaranteed recovery path is when the primary admin of a Facebook Business account loses all admin access. Build redundancy before you need it: always have at least two admin accounts on any business asset, using different email addresses.

What will not help: paying recovery agents, sharing codes with anyone claiming to be platform support, or installing remote access tools. All three are follow-on scams targeting people who have just been compromised.

What will help: securing your email, ending sessions, documenting everything, and reporting through official channels.

Your next read: WhatsApp Job Scams: How to Identify Them and What to Do (/security/scam-awareness/whatsapp-job-scam) — attackers use compromised social accounts to run WhatsApp job scams on your contact list. Understanding both attacks together closes the loop.