How to Recover a Hacked Instagram Account in 2026

1. Signs Your Instagram Account Has Been Hacked

Not every unusual account behavior means you have been hacked, but certain signs are strong indicators that someone with unauthorized access has taken control of or infiltrated your account. Recognizing these signs early gives you the best chance of recovery before the attacker locks you out permanently.

The most obvious sign is being unable to log in with credentials you know are correct. If your password suddenly stops working, it is very likely that someone has changed it after gaining access. Related to this, receiving an email from Instagram notifying you of a password change, email address change, phone number change, or login from an unfamiliar device or location that you did not initiate is a clear indicator of unauthorized access.

Less immediately obvious signs include posts, Stories, or DMs appearing on your account that you did not create; followers being unfollowed or accounts being followed without your action; your profile photo, bio, or username being changed; and your account appearing to be logged in on devices or from locations you do not recognize. You can check active sessions under Settings and Privacy, then Security, then Login Activity to see exactly where and when your account has been accessed.

If you notice any of these signs, treat it as a confirmed security incident and act immediately. The window between an attacker gaining access and changing your recovery credentials — effectively locking you out — can be very short.

2. If You Still Have Access to the Account

If you discover a breach while you are still logged in, you have a significant advantage — use it immediately. The first priority is to change your password before the attacker does. Navigate to Settings and Privacy, then Account, then Password and Security, and set a new strong password that you have never used before on any other service. A strong password is at least 12 characters long and combines uppercase letters, lowercase letters, numbers, and symbols in a pattern that is not based on dictionary words or personal information.

After changing your password, revoke access for all third-party apps that are connected to your Instagram account. Compromised third-party apps are one of the most common vectors through which attackers gain access to Instagram accounts, and revoking permissions cuts off any back-door route they may have established. Go to Settings, then Security, then Apps and Websites to review and remove all connected applications, particularly any you do not recognize or no longer actively use.

Enable two-factor authentication immediately if it is not already active. Go to Settings, then Security, then Two-Factor Authentication and choose either an authentication app (such as Google Authenticator or Authy) or SMS verification. An authentication app is more secure than SMS because it cannot be intercepted through SIM-swapping attacks. With two-factor authentication enabled, future login attempts from unrecognized devices will require a time-sensitive code in addition to your password, making unauthorized access dramatically more difficult.

Finally, log out of all other active sessions from the Login Activity screen. This terminates any sessions the attacker may currently have open and forces them to go through the login process again — at which point your new password and two-factor authentication will stop them.

3. If You Are Locked Out — Password Reset

If the attacker has already changed your password before you could intervene, the first recovery step is to attempt a standard password reset. On the Instagram login screen, tap "Forgot password?" and then enter the username, email address, or phone number associated with your account. Instagram will send a password reset link to your registered email or an SMS code to your phone number.

If you still have access to the email address or phone number on your account, this process is straightforward. Check your inbox for an email from Instagram — it may arrive in your spam or promotions folder — click the password reset link, set a new strong password, and log back in. Once inside, follow the same immediate security steps described in the previous section: revoke third-party apps, enable two-factor authentication, and terminate all other sessions.

If the password reset email or SMS is not arriving, verify that you are checking the correct email account and that it is not being filtered as spam. Also check whether Instagram may have the email address stored with a different capitalization or with a common typo — trying slight variations can sometimes resolve delivery issues. On the "Get help logging in" screen, Instagram also offers the option to request a login link via email or to receive the code via an associated Facebook account if your accounts are linked.

If none of the automated reset options work — which is common when the attacker has already changed the account's email and phone number — you will need to move to the identity verification process described in the following sections.

4. If Your Email or Phone Number Was Changed

When an attacker changes the email address or phone number on an Instagram account, Instagram automatically sends a security notification to the original email address. This notification contains a critical link: "Revert this change." If you act within a short window — typically a few hours — clicking this link will reverse the email change and restore your original credentials without requiring any further support interaction.

Check your original email inbox — including spam and all folders — for a message from [email protected] with the subject line indicating that your account information was changed. This email is sent immediately when account details are modified, so it should be present even if the hack occurred recently. If you find this email and the "Revert this change" link is still active, click it, follow the on-screen instructions, and then immediately change your password and enable two-factor authentication once your credentials are restored.

If the reversal window has passed or you cannot locate the security email, you will need to proceed through Instagram's identity verification flow. On the login screen, tap "Get more help" beneath the "Forgot password?" option. Instagram will present several recovery pathways including entering your previously associated email or phone number even if it has since been changed, which triggers a more manual review process by Instagram's support team.

One important thing to understand during this process: Instagram will not ask for your password at any point during the official recovery flow. Any message, email, or page that asks for your existing or previous password as part of the recovery process is a phishing attempt, not Instagram's legitimate system.

5. Instagram's Identity Verification Process

When automated recovery methods are exhausted — meaning you cannot access the account via password reset and the email reversal window has passed — Instagram's identity verification process is the primary remaining path to recovery. This process is more involved but is designed specifically for situations where account ownership needs to be proven without existing login credentials.

To initiate the process, open Instagram on your mobile device and attempt to log in. On the login screen, tap "Forgot password?" and then "Get more help." Follow the prompts and select the option indicating that you no longer have access to the email or phone number on the account. Instagram will present you with the option to verify your identity using your previously registered email address or phone number — even if these have since been changed by the attacker — by routing a verification message to those original credentials.

In cases where this is not possible, Instagram may request additional information to establish ownership. This can include the username of the account, the email address used to create it originally, the device from which the account was primarily used, the approximate date the account was created, and information about the content typically posted. The more historical context you can provide accurately, the stronger your ownership case.

For accounts that contained a real person's face — as opposed to brand accounts or accounts using only graphics — Instagram's video selfie verification is one of the most effective tools available and is discussed in the next section. For brand or business accounts, Meta's Business Help Center offers an escalation path through Meta Business Support that can reach a human reviewer more reliably than the standard consumer support flow.

6. The Video Selfie Verification Method

Instagram's video selfie verification is one of the most reliable recovery tools available for personal accounts that contain photos or videos of the account holder's face. When prompted during the recovery flow, Instagram will ask you to record a short video selfie — typically a few seconds of turning your face at different angles — which it then compares against the faces appearing in the account's existing photos using automated facial recognition technology.

To access this option, follow the same path as the identity verification process: on the login screen, tap "Forgot password?" then "Get more help," and proceed through the steps until the video selfie option appears. Not all accounts will be presented with this option — it is most reliably offered to accounts where Instagram's systems can identify a consistent human face across multiple historical photos.

When recording the video selfie, ensure you are in good lighting, face the camera directly, and move your head slowly as directed. A blurry or poorly lit selfie can cause the match to fail and extend the recovery timeline. Instagram states that video selfies submitted for verification are deleted within 30 days of submission and are not used for any purpose other than the identity verification check.

If the video selfie match is successful, Instagram will send an email to your original registered address with a link to regain access. If the match fails or the option is not available, the standard path is to continue the support request flow and wait for a human review of your case, which can take several business days during periods of high support volume.

7. How to Report a Hacked Account to Instagram

Formally reporting the hack to Instagram serves two purposes: it flags the account as compromised in Instagram's systems, which can trigger additional protective measures, and it initiates a support case that you can follow up on if the automated recovery methods are insufficient.

To report a hacked account directly, go to instagram.com on a web browser and navigate to the Help Center. Under "Privacy and Safety Center," select "Report Something" and then "Hacked Accounts." This will guide you through a form specifically designed for compromised account reports, separate from the general support queue. Providing a clear, factual description of what happened — when you first noticed the issue, what changes were made to the account, and what recovery steps you have already attempted — helps Instagram's team triage your case more efficiently.

You can also report a hacked account from the login screen without being logged in. Tap "Get more help" on the login page and follow the prompts to report that your account has been compromised. Instagram will log the report and initiate the appropriate support pathway based on the information you provide.

If you have a linked Facebook account, you may be able to access Instagram support through the Facebook Help Center as well, which sometimes offers faster routing to human reviewers for complex account recovery cases.

Be patient but persistent. Instagram's support volume is enormous, and response times on manual review cases can be lengthy. If you do not receive a response within five to seven business days, resubmit the support request with updated information. Repeated, polite follow-ups demonstrate that the request is urgent without being flagged as spam.

8. What to Do Immediately After Recovering Access

Regaining access to your account is only the first step. Once you are back in, a specific set of security actions must be taken immediately to prevent the same attacker — or a different one — from regaining control.

Begin by changing your password to something entirely new and strong. Do not reuse any previous password, and do not use a password you currently use on any other website or service. Password reuse is one of the most common reasons accounts are compromised repeatedly — a database leak from an unrelated service exposes your credentials, which attackers then try on Instagram through a method called credential stuffing.

Enable two-factor authentication immediately using an authenticator app rather than SMS. An authenticator app generates time-sensitive codes locally on your device that cannot be intercepted in transit, unlike SMS codes which are vulnerable to SIM-swap attacks where an attacker convinces your mobile carrier to transfer your phone number to a SIM they control.

Review and revoke all connected third-party apps. Go through the list carefully and remove anything you do not recognize or no longer use. Connected applications with excessive permissions can reintroduce a security vulnerability even after you have changed your password. Many third-party Instagram tools — particularly older growth automation services, scheduling apps, and analytics tools — have had security incidents that exposed user credentials.

Check your account thoroughly for any changes the attacker may have made: profile photo, bio, website link, email address, phone number, and username. Restore anything that was altered. Also review your followed accounts, followers, and any content posted, DMs sent, or purchases made during the period of unauthorized access. If the attacker sent spam DMs from your account, proactively inform your followers so they can disregard those messages and avoid any scam links they may contain.

Change the passwords on any other accounts that share the same email and password combination as your Instagram account. A hacked Instagram account frequently indicates that your credentials have been exposed more broadly, and other accounts using the same email-password pair are at immediate risk.

9. How to Prevent Your Account from Being Hacked Again

Understanding how your account was compromised in the first place is essential to preventing a recurrence. The most common attack vectors for Instagram account hacks are phishing, credential stuffing from data breaches, weak or reused passwords, compromised third-party apps, and SIM-swap attacks targeting SMS-based two-factor authentication.

Using a unique, strong password for Instagram — one used on no other service — eliminates the credential stuffing risk entirely. A password manager such as 1Password, Bitwarden, or Apple's built-in iCloud Keychain can generate and store a unique complex password for every account you hold, removing the cognitive burden of remembering them. There is no reasonable security argument for reusing passwords in 2026.

Two-factor authentication with an authenticator app is the single most impactful security measure available to Instagram users. Even if an attacker obtains your password through a phishing attack or data breach, they cannot log in without the time-sensitive code generated by your authenticator app, which exists only on your physical device. Enable this and do not share the backup codes with anyone.

Be extremely skeptical of any message — whether arriving via DM, email, or SMS — that claims to be from Instagram and asks you to click a link, verify your account, confirm your credentials, or take urgent action to prevent your account from being deleted. Instagram does not contact users via DM. Official Instagram communications arrive via email from addresses ending in @mail.instagram.com or @instagram.com. Phishing messages frequently spoof the appearance of official Instagram communications with near-perfect visual accuracy.

Regularly audit the third-party apps connected to your account and remove any that are no longer necessary. Only grant Instagram permissions to apps you trust and actively use, and always research an app's reputation before connecting it to your account. Avoid any service that asks for your Instagram username and password directly — legitimate third-party apps authenticate through Instagram's official OAuth flow and should never require your raw credentials.

Keeping your registered email address secure is equally important. If the email account associated with your Instagram is compromised, an attacker can use it to reset your Instagram password without needing your current one. Protect your email account with the same rigor — unique strong password plus authenticator app two-factor authentication — that you apply to Instagram itself.

10. Common Instagram Hacking Scams to Know

Awareness of the most common tactics used to compromise Instagram accounts is one of the most effective forms of prevention. The following scams are responsible for the majority of Instagram account compromises and have evolved in sophistication alongside Instagram's growing user base.

The phishing DM scam is perhaps the most prevalent. An attacker sends a direct message — often appearing to come from a brand account, a verification service, a talent agency, or a known mutual — claiming that you have won a collaboration opportunity, that your account is at risk of suspension, or that you need to verify your account to avoid action. The message contains a link to a convincing fake Instagram login page that captures your username and password when entered. Always navigate to Instagram directly rather than through links in DMs, and never enter your credentials on a page you reached by clicking a link.

The verification badge scam targets creators and small businesses who aspire to be verified. An attacker posing as an Instagram employee or a "verification service" offers to obtain the blue verification badge for a fee or in exchange for account credentials. Instagram does not sell verification badges. The only way to apply for verification is through the official in-app request form under Settings and Privacy, then Account, then Verification Request.

The collaboration scam involves a fake brand account reaching out to offer a paid partnership and directing the creator to click a link, fill in a form requiring their Instagram login, or download a file. Legitimate brands never request your login credentials as part of a collaboration agreement. Any collaboration discussion that eventually requires you to log into an unfamiliar page or provide credentials should be treated as a phishing attempt regardless of how convincing the initial outreach appears.

The account recovery scam targets people who have already been hacked and are desperate to get their accounts back. Fake recovery services — often advertised on Twitter/X or through other social media — claim they can recover any Instagram account for a fee. In reality, these services either take payment and disappear, or use the account recovery process to further compromise the victim. The only legitimate path to Instagram account recovery is through Instagram's own official channels described in this article.

11. Frequently Asked Questions

What should I do immediately if my Instagram account is hacked?

If you can still access the account, change your password immediately, revoke all third-party app permissions, enable two-factor authentication with an authenticator app, and log out all other active sessions. If you are locked out, go to the Instagram login screen, tap "Forgot password?" and then "Get more help" to begin the official recovery process. Do not attempt to use any third-party recovery service — use only Instagram's official support channels.

Can Instagram recover a hacked account if the email was changed?

Yes, in most cases. When account details are changed, Instagram sends a notification to the original email address containing a "Revert this change" link. Check your original email inbox immediately — including spam folders — for a message from [email protected]. If the reversal window has passed, use the "Get more help" recovery flow on the login screen, which allows you to initiate a manual identity verification case even when the account's current credentials have been changed.

How long does Instagram account recovery take?

Automated methods such as password reset via email or SMS work within minutes when your original credentials are intact. Identity verification cases reviewed manually by Instagram's support team can take anywhere from 24 hours to several weeks, depending on support volume and the complexity of the verification required. Submitting complete, accurate information on the first attempt reduces delays significantly.

Will Instagram delete my hacked account while I am trying to recover it?

Instagram does not proactively delete accounts that are under active recovery review. Once you have filed a support request or reported the account as hacked, the account is flagged in Instagram's systems. However, if the attacker uses the account to violate Instagram's Community Guidelines — posting spam, nudity, or harassing content — Instagram may suspend or restrict it independently of the recovery case. This does not permanently delete it, and suspension does not prevent a recovery request from being processed.

Can I recover an Instagram account without access to the email or phone number?

Yes, though it requires more steps. Instagram's identity verification flow allows you to submit ownership claims using historical account information — original email address, device used, creation date — even when you cannot currently access those credentials. The video selfie verification method is particularly effective for personal accounts containing photos of the account holder's face. For business accounts, Meta Business Support offers an additional escalation pathway.

Is there a phone number or live chat to contact Instagram support directly?

Instagram does not offer a public customer support phone number or real-time live chat for standard account issues. All support interactions occur through the in-app Help Center, the Instagram Help Center website at help.instagram.com, or — for business accounts — through Meta Business Support. Any phone number or chat service claiming to represent Instagram support is almost certainly a scam. Official Instagram communications arrive only via email from @mail.instagram.com or @instagram.com domains.