How to Recover a Hacked Instagram Account (2026)

Waking up to find you've been locked out of your Instagram is a gut-punch. Maybe you got an email saying your account's email address was changed — and you didn't do it. Maybe your followers are messaging you on other platforms asking why you're posting crypto scam links. If your Instagram account has been hacked, knowing how to recover it quickly is probably the only thing on your mind right now — and you're in the right place.

Instagram accounts are prime targets in 2026. According to StationX research, Instagram leads all social media platforms with 31% of all social media hacks, and phishing attacks targeting Instagram users increased by 47% in the past year. The good news: most hacked accounts are recoverable if you act quickly and follow the correct steps.

Signs Your Instagram Account Has Been Hacked

Before diving into recovery, confirm that your account was actually compromised. Here are the telltale signs:

• You received an email from security@mail.instagram.com saying your email address or phone number was changed — and you didn't make that change
• You can't log in — your password no longer works
• Unfamiliar posts or Stories appearing on your profile — spam links, crypto promotions, or "investment opportunity" posts
• DMs sent from your account that you didn't write — hackers often message your followers with phishing links
• Your profile info changed — new bio, profile picture, display name, or website link
• Followers disappearing — hackers sometimes mass-unfollow or block your real followers
• New accounts being followed — your account is suddenly following hundreds of spam or bot accounts
• Login activity from unknown locations — check Settings > Security > Login Activity if you still have access

If you notice any of these, act immediately. The longer a hacker has control, the harder recovery becomes.

Step-by-Step: How to Recover Your Hacked Instagram Account

Step 1: Check Your Email for Instagram's Security Alert

When someone changes your email address on Instagram, the platform sends a notification to your original email from security@mail.instagram.com. This email contains a crucial link:

1. Open your email inbox and search for messages from security@mail.instagram.com
2. Look for a message saying "Your email address was changed"
3. Click the "Revert this change" link in that email
4. This will immediately restore your original email on the account

This is the fastest recovery method — but it only works if you act before the hacker takes additional steps. If you can't find this email or the link has expired, move to Step 2.

Step 2: Use Instagram's "Get Help Logging In" Flow

If you still have access to your phone number or original email:

1. Open the Instagram app and tap "Forgot password?" on the login screen
2. Enter your username, email, or phone number
3. Choose how to receive the login link — via email or SMS
4. Tap the login link Instagram sends you
5. Immediately change your password once you're in

If you're on Android, you can also tap "Get help logging in" below the login button, which offers the same recovery options.

Step 3: Request a Login Link via Instagram Support

If the hacker changed your email AND phone number, the standard reset won't work. Here's what to do:

1. Go to instagram.com/hacked on a browser or tap "Get help logging in" in the app
2. Select "My account was hacked"
3. Follow the on-screen prompts — Instagram will ask for your username and the email or phone number previously associated with your account
4. Instagram will attempt to send a recovery code to your original contact information

If Instagram can verify your identity through your previous contact info, you'll receive a 6-digit security code to regain access.

Step 4: Complete Video Selfie Verification

If the hacker changed all your contact details and you can't receive a code, Instagram will ask you to verify your identity with a video selfie:

1. Instagram will prompt you to record a short video of yourself turning your head in different directions
2. Hold your phone at eye level with good, natural lighting
3. Turn your head left, right, up, and down as instructed on screen
4. Instagram's AI compares your face against photos on your account's profile

Important tips for video selfie verification:

• Remove hats, sunglasses, and face coverings
• Use natural lighting — dim rooms cause rejections
• If the verification fails, try again immediately — it sometimes takes 3-4 attempts
• The AI typically processes your video within 24-48 hours, though it can be faster
• This method only works if your account has photos of your face — business accounts, pet accounts, or anonymous profiles may not be able to use selfie verification

Step 5: Submit a Support Request Form

If video selfie verification isn't available or doesn't work for your account type:

1. Go to the Instagram Help Center hacked account page
2. Follow the links to report a compromised account
3. Provide as much information as possible:
   • Your original username
   • The email address you used to sign up
   • The phone number linked to your account
   • The device you originally used to create the account
   • A description of what happened and when
4. Instagram may ask for a government-issued ID to verify ownership

Response times vary significantly. Business and Creator accounts with Meta Verified status typically get responses within 24-72 hours, while standard accounts may wait 1-3 weeks.

What If the Hacker Changed Your Email AND Phone Number?

This is the worst-case scenario, but it's still recoverable. Here's your path:

1. Start at instagram.com/hacked — this is Instagram's dedicated recovery portal
2. Don't create a new account — this can complicate recovery of your original account
3. Use the video selfie method if your account has photos of you
4. If selfie verification isn't an option, submit an identity verification request through the Help Center with your government ID
5. Check your email regularly — Instagram's support team communicates via email, and missing their message can restart the process
6. Be patient but persistent — if you don't hear back within two weeks, submit the request again

Critical warning: Instagram will never ask you to pay to recover your account, send verification codes via DM, or contact you first offering help. If someone reaches out claiming to be Instagram support, it's a scam. All legitimate recovery happens through the official Help Center and Instagram's in-app flows. If you believe you're a victim of cybercrime, you can also file a report with the FBI's Internet Crime Complaint Center (IC3) or report identity theft at IdentityTheft.gov.

How to Secure Your Account After Recovery

Getting back in is only half the battle. You need to lock your account down immediately to prevent the hacker from getting back in. Instagram's official Secure Your Account page is a good starting point, and the steps below cover everything in detail.

Change Your Password

• Set a strong, unique password — at least 12 characters with uppercase, lowercase, numbers, and symbols
• Don't reuse a password from any other account — credential stuffing (using leaked passwords from other breaches) accounts for 31% of Instagram hacks
• Use a password manager like 1Password, Bitwarden, or Apple Passwords to generate and store it

Enable Two-Factor Authentication (2FA)

This is the single most important step. Go to Settings > Security > Two-Factor Authentication and enable it:

1. Authentication app (recommended) — use Google Authenticator, Authy, or your password manager's built-in TOTP feature. Instagram's 2FA setup guide walks you through the process
2. WhatsApp — Instagram can send codes to your WhatsApp number
3. SMS (least secure) — better than nothing, but vulnerable to SIM-swap attacks, which have surged over 1,000% since 2023

Save your backup codes — Instagram gives you recovery codes when you set up 2FA. Store them somewhere safe (password manager, printed copy in a secure location). These are your lifeline if you lose access to your authenticator app.

Revoke Third-Party App Access

Hackers often connect malicious apps to maintain access even after you change your password:

1. Go to Settings > Security > Apps and Websites (or Settings > Website Permissions on newer versions)
2. Review the list of Active connected apps
3. Remove access for any app you don't recognize or trust
4. Only reconnect apps you actually use — and only those that authenticate through Meta's official OAuth, not by asking for your password

Review Login Activity

1. Go to Settings > Security > Login Activity
2. Check for logins from unfamiliar locations or devices
3. Tap any suspicious session and select "Log Out"
4. Note the dates and locations — this helps you understand the timeline and scope of the hack

Check and Restore Your Profile

The hacker may have changed more than you realize:

• Verify your bio, profile picture, display name, and website link
• Check your email and phone number in account settings
• Review your privacy settings — hackers sometimes switch private accounts to public
• Look through recent posts, Stories, and Reels — delete anything the hacker posted

Common Instagram Hacking Methods in 2026

Understanding how accounts get hacked is the first step to making sure it doesn't happen again.

Phishing DMs and Emails

The most common method. Attackers send messages impersonating Instagram, often claiming:

• "Your account will be deleted for copyright violation — verify here"
• "You've been selected for verification — confirm your identity"
• "Suspicious login detected — secure your account now"

These messages link to convincing fake login pages that steal your credentials. In 2026, AI-generated phishing messages achieve a 60% higher click rate than traditional ones because they look nearly identical to real Instagram communications.

How to spot them: Real Instagram emails come from @mail.instagram.com. Instagram will never DM you about account security. Always go to the app directly instead of clicking links. Instagram's official guide on how to protect yourself from phishing has more examples of common scams.

Fake "Verification" Scams

A particularly effective attack where scammers promise to get you the blue verification badge. They ask you to fill out a "verification form" (which is actually a phishing page) or to share your login credentials so they can "submit the application on your behalf."

The truth: Instagram's verification process happens entirely within the app under Settings > Account > Request Verification. No third party can verify your account for you.

Third-Party App Breaches

Apps that ask for your Instagram password (rather than using Meta's official OAuth login) are a major risk vector. When these services get breached, every account credential they stored gets leaked. This is different from legitimate tools that use the official Instagram API — those never see your password.

Credential Stuffing

Hackers take leaked username-password combinations from breaches of other services and try them on Instagram. With 94% of passwords being reused across accounts, this method is devastatingly effective.

Check if your credentials were leaked at haveibeenpwned.com — it's free and maintained by security researcher Troy Hunt.

SIM-Swap Attacks

Attackers convince your mobile carrier to transfer your phone number to their SIM card. Once they have your number, they intercept SMS-based 2FA codes and take over your account. This is why authenticator apps are far more secure than SMS for two-factor authentication.

How to Prevent Your Instagram From Getting Hacked

Prevention is far easier than recovery. The Cybersecurity and Infrastructure Security Agency (CISA) recommends the same core practices below for all online accounts. Follow this checklist:

Use Strong, Unique Passwords

Your Instagram password should be completely unique — not used on any other service. Make it at least 12 characters long with a mix of character types. A password manager makes this painless.

Enable Two-Factor Authentication

If you only do one thing from this article, make it this. Use an authenticator app, not SMS — see the 2FA setup guide linked above.

Be Skeptical of Every DM and Email

Instagram will never ask for your password via DM or email. Any message asking you to click a link to "verify" or "secure" your account is almost certainly a phishing attempt. When in doubt, open the Instagram app directly and check your notifications there.

Audit Connected Apps Regularly

Go to Settings > Security > Apps and Websites every month and remove apps you no longer use. Only authorize apps that use Meta's official login — never give your password to a third-party service. Check Instagram's Terms of Use for what's allowed.

Don't Fall for "Free Followers" Services

Services promising free followers, likes, or engagement boosts almost always require your login credentials. They violate Instagram's terms and put your account at direct risk of being hacked — or getting shadowbanned.

Keep Your Email Secure

Your email account is the key to your Instagram account. If a hacker compromises your email, they can reset your Instagram password without your knowledge. Enable 2FA on your email, use a strong unique password, and monitor it for unauthorized access.

What Happens to Your Followers When You're Hacked

Hacked accounts don't just affect you — they affect your entire audience. Here's what typically happens:

• The hacker mass-follows spam accounts from your profile, inflating those accounts' numbers
• Your real followers unfollow you when they see spam, scam links, or crypto promotions posted from your account
• The hacker may block your closest followers to prevent them from alerting you
• Your engagement tanks because the algorithm suppresses content from accounts exhibiting suspicious behavior

After recovery, it's important to audit the damage. Check who unfollowed you, which spam accounts were followed from your profile, and whether your follower count has changed. Our guide on who unfollowed you on Instagram explains how to track these changes.

Unfollr helps you monitor your Instagram account and detect suspicious follower changes. You can take snapshots of your follower and following lists, compare them over time, and quickly identify the damage a hacker caused — all without risking your account security with shady third-party apps.

FAQ

How long does Instagram account recovery take?

If you can reset your password via email or phone, recovery takes minutes. If you need video selfie verification, expect 24-48 hours. If you have to go through Instagram's support form with identity verification, it can take anywhere from 3 days to 3 weeks depending on your account type and how much information you can provide.

Can I recover my Instagram if the hacker changed my email, phone, and enabled their own 2FA?

Yes, but it requires patience. Go to instagram.com/hacked and use the video selfie verification if your account has photos of your face. If not, submit an identity verification request with your government ID through the Help Center. This is the slowest recovery path but it works.

Will I lose my followers if my account gets hacked?

Your follower list is preserved during a hack — Instagram doesn't delete followers when an account is compromised. However, you'll likely lose some followers organically because they see spam posted from your account and unfollow. Use Unfollr after recovery to track who left and monitor your follower count as you rebuild.

Are Instagram "account recovery" services legitimate?

Almost never. The vast majority of services claiming they can recover your Instagram account for a fee are scams — and many are run by the same people who hack accounts in the first place. Stick to Instagram's official recovery channels: instagram.com/hacked and the Help Center.

How do I know if an email from Instagram is real?

Legitimate Instagram security emails come from @mail.instagram.com. You can also verify which emails Instagram has sent you by going to Settings > Security > Emails from Instagram — this shows every official email from the past 14 days. If an email isn't listed there, it's fake.

Can hackers read my Instagram DMs?

Yes. If a hacker gains access to your account, they have full access to all your direct messages, including photos, videos, and vanish mode conversations. This is why speed matters — the sooner you recover your account, the less of your private data is exposed.

Related Guides

• Who Unfollowed Me on Instagram? How to Track It in 2026
• Am I Shadowbanned on Instagram? How to Check and Fix It
• How to Delete Your Instagram Account Permanently
• Best Instagram Unfollow Tracker Apps in 2026
• How to Recover a Hacked Twitter/X Account (2026)