A hacked Instagram account is one of the fastest-moving emergencies a creator or business can face. Within minutes, an attacker can change your email, phone number, and password, turn on their own two-factor authentication, and lock you out completely — often while your followers receive scam or crypto messages sent in your name.
This 2026 guide walks through exactly how to recover a hacked Instagram account, including the hardest case: when the hacker has already changed the email and phone tied to your login. Speed and order matter more than anything else — the first hour decides most outcomes.
1. First, confirm you were actually hacked
Before starting recovery, make sure this is a real compromise and not a temporary logout or a checkpoint. Clear signs of a hack include:
- Login or email-change alerts: Instagram or Meta emailed you about a new login, or a change to your email or password that you did not make.
- You are logged out everywhere: your password no longer works on any device.
- Profile changes: your username, photo, bio, or linked email suddenly changed.
- Outgoing scams: friends report DMs or Stories from you promoting crypto, giveaways, or investment schemes.
If you received a “We noticed a new login” email, open it and use its “secure your account” or “this wasn’t me” link immediately. That link is the single fastest recovery path, and it expires.
2. The first 15 minutes: act before the attacker settles in
Your goal in the first minutes is to interrupt the attacker before they finish locking you out.
- Reset your password: from the login screen tap Forgot password and try your username, email, and phone. If any still reaches you, reset instantly.
- Revert the email change: check your inbox for a “your email was changed” message — it usually contains a one-tap reverse this change link that works even after the change.
- Secure your email first: if your email password was reused or also stolen, change it and enable 2FA there before anything else. Instagram recovery is worthless if the attacker still controls your inbox.
- Report the account from a friend’s app: have someone open your profile, tap the menu, and choose Report → hacked/pretending to be someone.
3. Recovering when the email and phone were already changed
This is the case most people get stuck on. When the attacker controls your email and phone, standard password resets fail — but Instagram has a dedicated flow for it.
- Use “Need more help?”: on the login screen go to Forgot password → Need more help? and follow the hacked account path.
- Request a login link / security code to an email or phone you still control, even if it is no longer the primary one on the account.
- Submit a support request at Instagram’s official My account was hacked form and provide the original email, phone, and username you used when signing up.
Recovery is still possible after the email and phone are changed — but it now depends almost entirely on proving you are the real owner. That is what the next step is for.
4. Passing Instagram’s identity verification (the video selfie)
In 2026, most serious hack recoveries end at one screen: identity verification. Instagram asks for a short video selfie that turns your head in different directions, and it matches it against photos of you on the account.
- Use good lighting and no filters: face clearly visible, no hats or sunglasses.
- Match the account: verification is easiest on accounts that already show your face in posts.
- For brand or logo accounts: you may instead be asked for the email or phone used at sign-up, or a business document — provide the original ones, not the attacker’s.
The video selfie is not stored as a public photo and is only used to confirm you are a real person tied to the account. Completing it accurately is often the difference between recovery and a dead end.
5. When you had two-factor authentication turned on
If you had 2FA enabled, you are in a strong position — the attacker usually cannot fully take over. If the attacker enabled their own 2FA after getting in, you will need Instagram’s help to bypass it.
- Your own 2FA: use your authenticator app or saved backup codes to log straight back in.
- Attacker’s 2FA: choose Try another way and then Get more help; identity verification overrides the attacker’s 2FA once you prove ownership.
6. What to do when Meta’s recovery keeps looping or failing
Many owners get trapped in a loop: the form asks for a code sent to an email the hacker controls, or the request is auto-rejected within seconds with no explanation. When that happens:
- Stop spamming requests: repeated identical submissions can auto-reject each other. Wait, then submit one clean, complete request.
- Vary the recovery entry point: try username, then email, then phone, and both the app and a browser.
- Document everything: keep the original sign-up email, receipts of past logins, and any old verification emails — they help prove ownership.
When self-recovery stalls for days, some owners turn to a professional recovery service such as Unbanly to escalate the case correctly, prepare the right documentation, and avoid the mistakes that get requests auto-rejected. It is not magic — but structured, patient handling recovers accounts that random resubmissions never will.
7. Lock the account down the moment you regain access
- Change the password to a new, unique one you have never used elsewhere.
- Reset the email and phone back to yours and remove anything the attacker added.
- Enable 2FA with an authenticator app and save the backup codes offline.
- Revoke sessions and apps: in Security, log out all unknown devices and remove unfamiliar connected apps.
- Review linked accounts: check the linked Facebook / Meta account, which attackers often use as a back door.
8. Preventing the next hack
- Unique passwords: never reuse your email password on Instagram.
- App-based 2FA: prefer an authenticator app over SMS, which can be SIM-swapped.
- Beware “copyright” and “verification” DMs: most takeovers start with a fake Meta message linking to a phishing login page.
- Keep recovery contacts current: an up-to-date backup email and phone make future recovery far easier.
A hacked account is recoverable in 2026 — but every hour the attacker holds it, the harder it gets. Move fast, verify your identity cleanly, and once you are back in, protect access as seriously as you protect your content. If you would rather not fight the recovery flow alone, services like Unbanly can handle the escalation for you and help keep the account secure afterward.
No comments yet. Be the first to share something useful for other creators.