Getting your Instagram account hacked feels personal, but most takeovers are recoverable if you act fast and stick to the right steps. The key is speed and staying calm, because scammers count on panic.
“Hacked” can look a few different ways: you’re locked out, and your password won’t work, your email or phone number has been changed, you spot posts or Stories you didn’t make, or your account starts following random profiles and sending spam DMs.
Sometimes it’s quieter, like unauthorized access shown through unknown login alerts, new devices in your login list, or strange ads running.
This guide walks you through a clear account recovery path, from confirming the takeover to getting back in using Instagram’s official recovery options. Then we’ll lock things down properly, so the same trick doesn’t work twice (stronger login, two-factor authentication, and a quick security check of devices and third-party apps).
One safety note before you do anything else: only use official Instagram or Meta recovery screens in the app or on their verified websites. Don’t pay anyone who claims they can “hack it back”; that’s almost always another scam, and it can make recovery harder and prevent you from being able to secure your account.
Act fast in the first 10 minutes (stop the damage first)
The first 10 minutes matter because most hackers move quickly. They try to lock you out, message your followers, and swap your email address or phone number so you cannot reset anything. Your goal right now is simple: stop the spread, protect your access points, and buy yourself time for the proper recovery steps coming next. These steps apply whether you have a personal account or a business account.
Confirm it is really a hack (common signs on Instagram)
Before you start changing passwords in a panic, check for clear proof that your Instagram has been taken over. Look for one or more of these signs:
- Your password no longer works, even though you are sure it is correct.
- Login alerts about suspicious activity you did not trigger, such as a new device or a new location sign-in.
- Posts, Stories, or Reels you did not make, often promo content, giveaways, or crypto spam.
- DMs sent to people you know, usually with links, “vote for me” requests, or “I need help” money messages.
- Your email address or phone number changed in account settings (or you get told it is “already in use”).
- Sudden following spikes, random accounts you never chose, or lots of new follows happening fast.
Also check your email inbox (and spam folder) for Instagram security emails. These often show exactly what changed, like your email address, password, or phone number. If you see messages like “Your email address was changed” that you did not approve, treat it as a takeover and act immediately.
For Instagram’s official guidance, see: What to do if you think you’ve been hacked.
Secure your email account first (your Instagram lifeline)
If someone controls your email, they control password resets, login links, and recovery codes. Think of your email as the master key to your Instagram account. Lock it down first, even if you are still signed into Instagram.
Do these steps in order:
- Change your email password to a long, unique one (not used anywhere else).
- Turn on two-step verification (2FA) for your email account.
- Check forwarding rules and filters, attackers often auto-forward security emails to themselves.
- Review and update recovery email address and recovery phone number so they point to you, not a stranger.
- Sign out of other sessions (most email providers let you log out other devices).
If you cannot access your email at all, stop here and start recovery for the email account first. Trying to recover Instagram while your email is compromised is like changing the locks while someone still has a copy of the key.
Warn friends quickly to stop scams spreading
Hackers use your account because people trust you. A fast, calm warning can prevent friends from losing money or handing over their own login credentials.
Keep the message short and practical. For example:
- Post a Story from another account (or ask a friend to post): “My Instagram was hacked. Please ignore any DMs or links from me today.”
- Message your close friends: “If you get a link, crypto offer, or ‘vote for me’ DM from me, it isn’t me. Please don’t click.”
Avoid long explanations. The goal is to stop people reacting on impulse.
Stop linked access points (Meta, Facebook, and connected apps)
Many Instagram takeovers happen through a weaker linked account or a shady third-party app. Even if you get Instagram back, the attacker can walk straight back in through the same door. Check your linked accounts such as Facebook or a Meta account, since a compromised one can be used to regain access to Instagram.
In the first few minutes:
- If your Instagram is linked to Facebook or a Meta account, check those logins too.
- Make a note of any connected apps you remember granting access to (analytics tools, “unfollower” apps, giveaway tools). You will want to remove anything you do not fully trust once you regain access.
Instagram also provides a direct recovery route if you are locked out. Keep this handy for the next section: If you think your Instagram account has been hacked.
Recover your hacked Instagram account fast (official methods that work)
When your Instagram account is hacked, speed matters, but so does choosing the right recovery path. The quickest option depends on one thing: do you still control the email address or phone number on the account? If yes, you can often get back in within minutes using a login link. If not, you will need Instagram’s “My account was hacked” flow, and sometimes identity checks like a video selfie.
Stick to official screens in the Instagram mobile app, or Instagram’s own recovery pages. Check the Instagram Help Center if you’re unsure, and start with Instagram’s official hacked page: Hacked Instagram Account.
If your email or phone number is still on the account, use “Forgot password?” and a login link
If the hacker changed your password but your email address or phone number is still linked to the account, the login link is usually your fastest way back in. Think of it like a temporary key that opens the door even if someone swapped the lock.
Follow this step-by-step flow:
- Open the Instagram mobile app and go to the login screen.
- Tap “Forgot password?” (sometimes shown as “Trouble logging in?”).
- Enter your username, email, or phone number (use what you know still belongs to you).
- Choose “Send login link” (or a similar option to send a login link or security code).
- Open your email or SMS, then tap the secure login link or enter the security code from Instagram.
- As soon as you’re back in, reset your password immediately.
Why this works: the login link is designed for account recovery. In many cases it bypasses the hacker’s new password, because it proves you still control the contact method on the account.
Once you’re in, do these quick actions before you even scroll your feed:
- Reset password to a long, unique one (avoid anything you have used elsewhere).
- Check your email and phone in Accounts Centre or account settings, confirm they’re yours.
- Look for suspicious changes (bio link, name, linked accounts), reverse them right away.
If you can log in but you’re seeing strange posts or DMs, Instagram also has guidance on cleaning up after a takeover: What to do if your Instagram account posts unauthorised content.
If the hacker changed your email or phone, use “Need more help?” and report “My account was hacked”
If password reset emails are not arriving, or you discover the hacker replaced your email or phone number, you need to switch tactics. At that point, the standard reset is like sending a spare key to an address you no longer live at.
Use Instagram’s in-app recovery route to report compromised account:
- Go to the Instagram login screen.
- Tap “Forgot password?”
- Enter your username (or the old email/phone, if it accepts it).
- On the next screen, tap “Need more help?”
- Select “My account was hacked”.
- Follow the prompts to give Instagram a safe way to contact you and to prove the account is yours.
Instagram may ask for a mix of checks, depending on your account, such as your original email or phone:
- Confirming details you previously had on the account (old email/phone).
- Answering questions about account access (when you lost access, what changed).
- Confirming a secure email address you control right now, so they can reply.
Set expectations: this recovery process can be fast, but it is not always instant. Some people get access back the same day, others need to complete additional verification steps. Watch your inbox (and spam folder) closely for Instagram’s reply.
If you lost access to the email or phone you used when you signed up, Instagram explains what options you have here: Lost access to email or phone number linked to Instagram.
Video selfie verification (what it is, and how to pass it)
If Instagram can’t confirm you through codes alone, it may ask for video selfie verification. This is an identity verification where you record a short video selfie of your face, following on-screen instructions, so Instagram can compare it with photos and videos already on your account.
In plain terms, it’s Instagram asking: are you the same real person shown on this profile? Instagram describes this identity verification process here: Why you might be asked to upload a video selfie to confirm your identity.
To give yourself the best chance of passing:
- Use bright, even lighting, face a window or a lamp.
- Hold the camera steady, keep your whole face in frame.
- Remove anything that hides your face, no sunglasses, hat, or heavy face coverings.
- Follow directions closely, especially head turns or pauses.
- Use a reliable connection, avoid switching between Wi-Fi and mobile data mid-upload.
- Ensure your profile picture is clear if available.
If your profile does not have clear photos of you, video selfie matching can be harder. In that case, Instagram may rely more on other checks (like previous account details, devices you’ve used before, or confirmation through accounts you have linked). If you do get back in later, it’s worth having at least one clear profile photo so future recovery is less painful.
Use Meta’s Account Recovery Hub when the in-app flow fails
Sometimes the app gets stuck in a loop, emails never arrive, or you keep failing verification steps. When that happens, switch to Meta’s official recovery route in a browser, especially if you can’t access the account from your phone.
Try the official recovery hub when:
- You’re repeatedly sent back to the login screen.
- You can’t access the email or phone tied to Instagram.
- The in-app recovery keeps failing, even after multiple attempts.
- You suspect more than one Meta account is affected (Instagram and Facebook).
Start with Instagram’s official hacked entry point, which routes you into the right recovery flow: https://www.instagram.com/hacked/ (also referenced from If you think your Instagram account has been hacked).
Before you begin, gather a few details so you don’t have to guess under pressure:
- Your Instagram username (and any previous username you remember).
- The old email address and old phone number that used to be on the account.
- The device you commonly used to log in (iPhone/Android model, if known).
- An approximate account creation date (even the year helps).
- Access to a secure email you control right now.
One final rule: only trust official Meta or Instagram domains for recovery. If a site asks for payment, promises a “guaranteed unlock”, or uses a lookalike URL, close it. Recovery should be frustrating sometimes, but it should never require money.
After you get back in, lock down Instagram so it does not happen again
Getting access back is a huge win, but it’s not the finish line. Perform a security checkup to ensure nobody has a way back in, like a weak password, a trusted device session, or a shady third-party app you forgot about.
Use this do-these-in-order checklist. Treat it like changing the locks, checking the windows, then making sure nobody has a spare key.
Change your password properly (strong, unique, and not reused)
Start here, because your password is the front door. If it’s easy to guess, or you used it anywhere else, you’re still at risk.
A strong Instagram password means:
- Long: aim for a passphrase, not a single word. Think 14+ characters.
- Hard to guess: not based on your name, username, birthday, pet, city, or football team.
- Mixed: use a mix of letters (upper and lower case), numbers, and symbols.
- Never reused: if you used it on any other site, assume it’s already out there.
A simple way to picture it: a short password is like a cheap suitcase lock, it slows nobody down. A long passphrase is like a deadbolt, it takes real effort to break.
Try a passphrase style like: three or four random words, plus a number and symbol, for example: River!Cactus7Paper_Sky. Don’t copy that, make your own.
Two quick rules that save people from repeat takeovers:
- Change any other accounts that used the same password, starting with your email address, Facebook/Meta, and bank. Hackers try the same password everywhere, so secure your recovery email address too.
- Use a password manager to generate and store unique passwords. It stops the “I’ll just reuse this one” habit, which is how many hacks spread.
If you want Instagram’s official security guidance, it’s here: https://help.instagram.com/369001149843369
Turn on two-factor authentication (2FA) and save backup codes
Once your password is fixed, add a second lock. Two-factor authentication (2FA) means Instagram asks for a second proof it’s you when someone logs in. So even if a hacker gets your password, they still can’t get in without that extra code.
In plain language: it’s like needing both a key (your password) and a one-time code (your 2FA) to open the door.
Best option for most people: an authenticator app. It makes codes on your phone that refresh every few seconds. It’s usually safer than SMS because text messages to your phone number can sometimes be intercepted or redirected (SIM swap scams happen).
That said, keep it practical:
- If you can use an authenticator app, use it.
- If SMS is the only option you can set up today, turn on SMS 2FA anyway. Some protection is far better than none.
When you enable two-factor authentication, Instagram may give you backup codes. These are one-time codes you can use if you lose your phone or can’t access your authenticator app.
Do this immediately after switching on 2FA:
- Save backup codes somewhere safe (a password manager, or a printed copy stored securely).
- Don’t keep them in a plain note on your phone called “Instagram codes”. That’s like taping a spare key to your front door.
Instagram also explains security features (including 2FA) in their Privacy Centre: https://privacycenter.instagram.com/dialog/keep-your-account-secure/
Check login activity and sign out of devices you do not recognise
Next, make sure the hacker isn’t still logged in. Changing your password helps, but sessions can sometimes stay active on other devices.
Go into Instagram’s account settings and review Login activity (it may show as “Where you’re logged in” or similar). You’re looking for anything that doesn’t match your real life:
- Locations you’ve never been to
- Devices you don’t own
- Logins at weird times you can’t explain
When you see something suspicious, sign out of that device immediately. If there’s an option to log out of all devices, use it.
A strong move if you saw anything strange:
- Log out of suspicious devices (or log out everywhere).
- Reset your password right after.
That second password change is a clean sweep. It helps kick out anyone who was hanging on.
If you need Instagram’s official hacked steps for reference, keep this bookmarked: https://help.instagram.com/149494825257596
Remove suspicious third-party apps and browser extensions
This is the part people skip, then get hacked again. Third-party access is like giving someone a spare key because they promised to “tidy up your feed”.
Be extra cautious with:
- Follower boosters and like sellers
- “Unfollower” trackers and sketchy analytics tools
- Fake “verification helpers”
- Anything that asks you to log in outside the Instagram app
Inside Instagram (or Accounts Centre), review apps and websites connected to your account. Remove access to anything you don’t fully trust or don’t recognise, especially risky third-party apps.
Also check your computer browser:
- Uninstall unknown extensions, especially anything that claims to “enhance Instagram”, auto-DM, auto-like, or scrape followers.
- If you used Instagram on a shared or public computer, log out and clear saved passwords.
A good rule: if an app’s whole business model is “free followers”, you’re not the customer, you’re the product, and your login is often what they want.
After you remove access, keep an eye on your account for a day or two. If you see new spam DMs, surprise follows, or login alerts, repeat the login activity check and change your password again.
Prevent the next hack (phishing tricks, risky apps, and warning habits)
Most Instagram takeovers don’t start with some fancy hack. They start with a message that pushes you to act fast, click first, think later. The good news is that a few simple habits shut down most scams, even when you’re tired or rushing.
Spot phishing messages that steal your Instagram login
Phishing is just someone pretending to be Instagram (or your mate) to get you to hand over your login, or the code that protects it. The messages often look urgent because panic makes people sloppy.
Common bait you’ll see in DMs, email, or comments:
- “Copyright warning”: “Your post violates copyright. Appeal here in 24 hours.”
- “Your account will be deleted”: “Confirm your identity or we’ll deactivate your account.”
- “Check this phishing link”: “Instagram noticed suspicious activity, secure your account now.”
- “Vote for me”: a friend’s account gets hacked, then sends you a link to “help them win”.
- Fake support chats: “Meta Support” messages you first with a support request, then asks for screenshots, codes, or a login.
Use these simple rules every time:
- Don’t log in from random links. If you think you need to sign in, open the Instagram mobile app, or type
instagram.comyourself. - Check the sender, then assume it can be faked. A display name like “Instagram Support” means nothing.
- Never share codes. Not SMS codes, not authenticator codes, not backup codes. Anyone asking for a code is trying to walk into your account.
- Slow down and scan the URL. Look for misspellings, extra words, and odd domains.
If you want examples of how these support-style scams are written, this breakdown is useful: https://www.gendigital.com/blog/insights/research/instagram-2fa-phishing-scam
Avoid “growth” and “verification” services that ask for your password
If a service needs your Instagram password, it’s not a service, it’s a risk. Even “popular” ones can be dangerous because you’re handing over the keys to your account, which grants them full data access.
Here’s what can happen after you share your password:
- Account takeover: they log in, unauthorized access follows, and they change your email to lock you out.
- Spam and scams sent from your profile: your followers get hit with “vote for me” links and crypto rubbish.
- Shadowbans or bans: Instagram can flag suspicious logins and automation, and you pay the price.
- Your password gets reused elsewhere: if you used it on email or other apps, the damage spreads.
A quick gut check: if someone promises verification, follower boosts, or “guaranteed reach”, but their first step is “send your login”, walk away.
Instagram also warns when your account is at risk due to exposed passwords or unauthorised third-party access: https://help.instagram.com/273359857992105
Set up a simple safety routine you can keep
Security only works if you’ll actually do it. Set a routine you can finish in two minutes.
Daily (30 seconds):
- Check for login alerts or emails you didn’t trigger. If something feels off, change your password in the app.
Weekly (2 minutes):
- Do a security checkup: Review where you’re logged in and sign out of anything you don’t recognise.
- If Instagram warns your password may be exposed, update it straight away (don’t wait).
- Secure your email inbox with two-factor authentication, because it’s your reset button.
- Confirm your recovery phone and email are current, so you’re not locked out later.
If you want a straightforward list of what Instagram recommends, keep this bookmarked in the Instagram help center: https://privacycenter.instagram.com/dialog/keep-your-account-secure/
Conclusion
Getting your Instagram account back comes down to doing the right things in the right order. Act fast to limit damage, secure your email first, warn friends so scams don’t spread, then report compromised account using Instagram’s official account recovery options (login link, “Need more help?”, and https://www.instagram.com/hacked/) to regain access. If Instagram asks for extra checks like your email address and phone number, complete them carefully, video selfie and all, because that’s often the quickest route past a locked-out takeover, even if it involves entering a security code.
Once you’re back in, treat it like a break-in, not a one-off glitch. Reset your password to something long and unique, switch on 2FA (preferably with an authenticator app for generating security codes), sign out of unknown devices, and remove any risky third-party apps or extensions. That clean-up is what stops repeat hacks.
The good news is most accounts are recoverable through this recovery process, and most repeat attacks are preventable with a few habits and a tighter setup. Start the recovery flow now to recover hacked Instagram account, then run the lock-down checklist straight away after access returns to secure your account; don’t wait for “later” when it slips.
