Local Tech Fix (626) 655-0020
All articles

Facebook or Instagram Account Hacked? How to Get It Back — and Lock It Down

July 12, 2026

Your friends are getting crypto pitches "from you," or your password just stopped working. Getting back in is only half the job — a hijacker leaves back doors so they keep their foothold. Here's the order that actually recovers a Facebook or Instagram account and shuts the intruder out for good.

person holding black samsung android smartphone
Photo by Solen Feyissa on Unsplash

It usually starts with a message from a friend: "Hey, is this really you posting about crypto?" or "Did you mean to send me this link?" Maybe you can still get in and you're watching posts and messages appear that you didn't write. Maybe your password suddenly stopped working, or an email landed saying the address on your account was just changed — and it wasn't by you. Whatever the tip-off, a hijacked Facebook or Instagram account is a fast-moving problem, because while the attacker has it, they're using your name and your friends' trust to do damage. The good news: Meta has real recovery routes for exactly this, and there's a clear order to work through.

A quick note on what this guide is and isn't. This is about your social media account — Facebook or Instagram — being taken over. If it's your email that was hacked, start there first (we have a separate guide for that), because your email is the master key that resets everything else, including your social logins. And this is different from simply forgetting your password or getting stuck in a two-factor loop, which is its own thing. This is the case where someone else got in, and you need to evict them and change the locks. Here's how we walk people through it across Southern California and the Coachella Valley.

Move fast — a hijacked account is more than an annoyance

The reason to treat this as urgent isn't vanity, it's the people in your friends list. A taken-over account is almost never the end goal; it's a tool to scam the people who trust you. Attackers use it to post or message fake investment and crypto "I made so much money, ask me how" pitches, to send the "is this you in this video?" links that hijack whoever clicks them next (which is how the takeover spreads friend to friend), to run Marketplace scams under your good name, and to send believable "I'm stuck and need money" notes to your closest contacts. The longer they hold it, the more people get hurt in your name.

There can be a money angle for you directly, too. If your Facebook is tied to a Page with a payment method on file, a hijacker can rack up ad spend on your card. If your account is your small business's storefront, losing it can mean losing years of posts, reviews, and customer messages. That's why the goal isn't just "get back in" — it's get back in, kick them out of every session, and close the doors they propped open.

How did they even get in — and why didn't two-factor stop it?

Understanding the "how" tells you what to clean up. The most common way these accounts fall is a phishing message — often a DM or comment claiming your account has a "copyright violation," is about to be "disabled," or has qualified for a verification badge, with a link to "appeal" or "confirm." The link goes to a pixel-perfect copy of the Facebook or Instagram login page. Here's the part that catches even careful people: the fake page relays what you type straight to the real site in real time, so when the real site sends your two-factor code prompt, the fake page passes it along too — and the moment you approve it, the attacker grabs the resulting "logged-in" token. That's why your two-factor didn't save you: they didn't steal your password so much as steal the finished, already-verified session.

The other common path is malware. An "infostealer" hidden in a downloaded file — a fake sponsorship contract, a cracked app, a bogus installer — quietly scoops up the passwords and login sessions saved in your browser and hands them to the attacker. Both routes lead to the same two lessons that shape the cleanup below: because a stolen session can keep working even after you change your password, changing the password alone isn't enough — you have to sign out everywhere. And because the theft may have come through malware on your device, you should scan that device before you type a single new password into it.

Start on a device you trust — and scan it first

This is the step almost every quick guide skips, and it matters. If the computer or phone you're about to use is infected with a password-stealer, the brand-new password you set gets captured the instant you type it, and you hand the attacker the new key while you're trying to change the lock. So work from a device you trust — ideally one you've used to log into that account before, since Meta trusts familiar devices during recovery — and if there's any chance the takeover came through your computer, run a full malware scan on it first (our guide to scanning for viruses walks through the free, built-in way, and our antivirus piece explains why you usually don't need to buy anything). If in doubt about the computer, do the recovery from a phone you know is clean instead.

If you can still get in: change the password, then sign out everywhere

If you still have access, act before that changes. Set a new password that's strong and unique — not a tweak of the old one, and not a password you use on any other site (reused passwords are exactly how one leak becomes five accounts). A passphrase of a few unrelated words is both stronger and easier to remember than a short jumble.

Then do the step that actually kicks the intruder off, because — as above — an existing session can keep running after a password change. In your settings, find "Where you're logged in" (on today's Meta layout it's under Accounts Center > Password and security; on the older layout it's Settings > Security and login). You'll see a list of sessions by device, browser, and location. Log out anything you don't recognize, and if there's a "Log out of all sessions" option, use it — then log back in fresh yourself. Instagram has the same "Where you're logged in" list. This is the move that drops the attacker's live session, not just the password behind it.

If you're locked out: the recovery routes that work

If the attacker already changed your password — or swapped the email and phone so you're shut out — you go through Meta's compromised-account flow instead of a normal password reset. For Facebook, go to facebook.com/hacked and choose the option that your account was compromised (you can also start at facebook.com/login/identify to find your account by name, email, or phone). If only the password was changed, the ordinary "Forgot password" flow sends a code to your still-attached email or phone and you're back in within minutes.

The situation people panic about most — "they changed my email, I got a notification about it" — is often the most recoverable, because Meta emails your old address a heads-up with a link along the lines of "If you didn't make this change, secure your account here." That link lets you reverse the email change and take the account back, but it's time-limited, so act the moment you see it — check your inbox and spam. For Instagram, the equivalent notice comes from security@mail.instagram.com and contains a "revert this change" / "secure my account" link; recognizing that real sender address also helps you tell the genuine notice from a fake one.

If no attached email or phone still works, use the identity-verification route: on Facebook, the compromised-account flow can ask you to confirm your identity, including with a photo of a government ID. On Instagram, tap "Get help logging in" (or "Forgot password?") on the login screen, then "Need more help?", and for accounts that have photos of you it may ask for a short video selfie — turning your head in different directions — to prove you're the real owner. These reviews can take anywhere from a few minutes to a couple of days, so start them early and be patient; doing it from a device and location you've used before makes approval far more likely.

Close the back doors most people never check

Getting back in is only half the job, because a smart attacker leaves ways to return. Work through each of these once you have control. First, the one almost nobody checks: with Meta's Accounts Center, an attacker can link their own account or profile to yours so they keep access even after you reset the password — the social-media version of the hidden forwarding rule email hijackers leave behind. Open Accounts Center and remove any account, profile, or login you don't recognize. Second, fix your recovery info: confirm the email address and phone number on the account are yours and only yours, and remove anything the attacker added, or they can just trigger another "forgot password" and take it straight back.

Third, review connected apps and logged-in devices and revoke anything unfamiliar — third-party apps you "logged in with Facebook" years ago are a common foothold. Fourth, check what they changed while inside: your name or username, your profile email, and — if you run a Facebook Page or business — the Page's admins/roles and the ad account's payment method and billing history, since adding a rogue admin or spending your ad budget is a favorite move. Undo anything you didn't do. Only once all of this is clean is the account really yours again.

Turn on two-factor — the sturdy kind

Now lock the door behind you. Turn on two-factor authentication so your password alone can't get anyone in. An authenticator app or a passkey is sturdier than text-message codes, which can be intercepted, and either is far better than nothing. Save the backup codes it gives you somewhere safe and offline so a future hiccup doesn't lock you out of your own account.

One honest caveat, given how these accounts actually get taken: two-factor stops password guessing and stuffing, but it does not stop the session-stealing phishing pages described earlier — those capture the login after two-factor. So pair it with the habits that do close that gap: never log in through a link someone sent you (open the app or type the address yourself), be suspicious of any "your account will be disabled" or "copyright violation" message, and keep each account on its own unique password. Two-factor plus those habits is what keeps a recovered account recovered.

Tell your friends right away

Give your contacts a quick heads-up — by text, a call, or from a different account — that your account was hijacked and that any odd post, link, or money request "from you" over the last little while should be ignored. This isn't just courtesy: the whole point of taking your account was to use your name against the people who trust it, often with the "is this you in this video?" links that hijack the next person who clicks. A thirty-second warning can stop the takeover from spreading to someone you care about. It's the same playbook as the scam texts and AI voice-clone calls we've written about — the trust attached to a familiar name is the entire scam.

How we can help

Most of this you can do yourself, and most people can. But if you're fully locked out and the recovery form keeps failing, if the account keeps getting re-taken (a sign your device may still be infected, or that a back door is still open), if money or ad spend has already moved, or if this is a business account you can't afford to lose, that's exactly the kind of call we like. We'll check the computer or phone for the malware that may have caused it, work through Meta's recovery with you, hunt down every foothold the attacker left — the linked account in your Accounts Center, the swapped recovery info, the rogue app or Page admin — and set up two-factor that protects you without locking you out.

We help homes and small businesses across Southern California and the Coachella Valley, in person or by remote support, and we don't rush or talk over you — especially helpful if this happened to a parent or grandparent who feels overwhelmed and embarrassed. The goal is simple: get the intruder out, keep them out, and leave your account set up so it's far less likely to happen again.

Keep reading

Free calculators

Service areas we cover

Want a second opinion before you buy?

We don't sell hardware or warranties — call and we'll tell you what's worth buying and upgrading.

Call (626) 655-0020

Gear we recommend

All gear →

Need help with your website?

For web-side work — site builds, speed fixes, hacks, broken plugins, hosting issues — head to our sister site.

Visit HelpWithWeb.com →