How to Get Back a Hacked Instagram Account (2026 Guide)
TL;DR
If your Instagram was hacked, immediately try "Forgot password" to get a login link to your email or phone. If the attacker changed your contact info, use "Need more help?" and complete video selfie verification. If Instagram's own process fails, professional legal recovery achieves a 97% success rate with no password required.
What "Hacked" Means — and Why Acting Fast Matters
A hacked Instagram account means someone else has gained unauthorized access — typically through a phishing link, a reused password, or a compromised third-party app. Once inside, attackers follow a predictable script: change the account password, email address, and phone number, then lock you out permanently.
What makes Instagram hacks so damaging is how quickly the attacker can overwrite your account's ownership signals. Instagram's recovery system relies on matching your identity against the data originally linked to your account. Every hour the hacker remains logged in, they can alter more of that data — directly reducing the chance that Instagram's automated systems will recognize you as the rightful owner.
Acting within the first few hours gives you the best odds of self-recovery. If days or weeks have passed since the hack, don't give up — recovery is still possible, but professional escalation becomes more important.
Step 1 — The First 15 Minutes
Before you open Instagram, do two things:
- Secure your email account. Many Instagram hacks begin with a compromised email. Go to your email provider and change the password immediately, then enable two-factor authentication. If the hacker controls your email, they can intercept any recovery link Instagram sends you.
- Have someone report the account. Ask a friend or family member to visit your Instagram profile, tap the three-dot menu, and report it as hacked. This flags the account to Meta's trust and safety team, which can slow down or freeze the attacker's activity.
These two steps take under five minutes and meaningfully improve your odds. Once done, move on to Instagram's official recovery flow.
Step 2 — Instagram's Official Recovery Flow
If Your Email or Phone Are Still Under Your Control
This is the simplest path. Open the Instagram app (or visit instagram.com), tap "Forgot password?" on the login screen, and enter the username, email, or phone number linked to your account. Instagram will send a secure login link to your registered contact. Use it immediately — these links expire quickly.
Once you're back in, go to Settings → Security → Password and set a new, strong password before doing anything else.
If the Attacker Changed Your Contact Information
This is where most hacked account cases stall. If "Forgot password?" no longer reaches you because the hacker updated your email or phone, follow this path:
- On the login screen, tap "Forgot password?"
- Tap "Need more help?" at the bottom of the screen
- Select "I can't access this email or phone number"
- Choose "My account was hacked" when asked to describe the issue
- Follow the identity verification prompts Instagram presents
At this stage, Instagram will likely request video selfie verification: a short recording in which you turn your head in different directions. Instagram's system compares this footage against photos already on your profile to confirm you're the genuine account owner.
Video Selfie Verification — How to Maximize Your Chances
Instagram's video selfie process was significantly improved in late 2025, and success rates have increased. That said, the system still has real failure modes. Here's how to give yourself the best shot:
- Record in good, natural lighting — avoid strong backlighting or dark rooms
- Remove hats, sunglasses, or anything that obscures your face
- Hold your phone at eye level and move your head slowly and deliberately as instructed
- If the first attempt is rejected, try again — the AI sometimes needs two or three attempts to find a confident match
One important caveat: video selfie verification only works if your own face appears in profile photos. If your account is a business page, a pet account, or a brand account with no personal photos, Instagram's system cannot match your identity through this method.
After submitting, Instagram typically responds within 24–48 hours with either a recovery link or instructions for further steps.
When Instagram's Own Process Isn't Enough
Instagram's self-service recovery works well for straightforward cases, but it wasn't designed for every scenario. You may hit a dead end if:
- Your account contains no personal photos, making selfie verification impossible
- Instagram's automated review rejected your appeal without a clear explanation
- You've submitted multiple requests and received no response
- The account was used for a significant period after the hack, changing its activity patterns
- Instagram's system misidentified the suspicious activity as coming from you
The fundamental problem is that Instagram's first-tier support is predominantly automated. Getting a real person to review your individual case requires escalation — and the standard appeal process wasn't built to get you there.
If you've exhausted the self-service options without success, professional account recovery is a well-established next step. Recover uses legal arguments grounded in GDPR, the Digital Services Act, and Meta's own Terms of Service to escalate cases directly to human reviewers inside the platform. The service carries a 97% success rate, resolving 96% of cases within 30 days — some as fast as 10 days.
For a personal Instagram profile the cost is €290 (a one-time fee, no subscription). If you'd prefer to pay only after a successful result, the pay-after-recovery option requires a €19 verification deposit upfront; the full fee, plus a 30% premium, is charged only if the account is reclaimed. If recovery fails, you owe nothing beyond that deposit.
No password is required at any point in the process.
If your account was disabled rather than hacked, see our guide on recovering a disabled Instagram account.
Legal Rights for EU Users
If you're based in the European Union, two legal frameworks give you rights that go well beyond Instagram's internal process.
Under the Digital Services Act (DSA), Instagram is legally required to provide users with clear explanations for account restrictions and to maintain a functional internal appeal mechanism. If your appeal has been ignored or dismissed without explanation, you can escalate formally:
- File a complaint with your national Digital Services Coordinator (in Czech Republic: Český telekomunikační úřad; in Slovakia: Úrad pre reguláciu elektronických komunikácií a poštových služieb)
- Submit a GDPR Subject Access Request to understand what data Instagram holds about your account and what triggered any automated decisions
- Escalate through an accredited out-of-court dispute settlement body certified under the DSA
These routes don't deliver instant outcomes, but they create a formal compliance record and apply regulatory pressure — which major platforms take seriously, particularly after significant GDPR fines in recent years. This is one reason professional recovery services that argue on legal grounds consistently outperform standard appeals.
Securing Your Account After Recovery
Recovering the account is step one. Keeping it secure is step two. Once you're back in, do all of the following before anything else:
- Change your password to something long, unique, and not reused anywhere else
- Enable two-factor authentication via an authenticator app — not just SMS, which is vulnerable to SIM-swapping attacks
- Review active login sessions at Settings → Security → Login Activity and log out every device you don't recognize
- Audit third-party app access at Settings → Security → Apps and Websites — revoke access to anything unfamiliar
- Update your recovery email and phone number to confirm they're still under your control
- Download a data backup via Settings → Your Activity → Download Your Information
A strong password alone isn't sufficient if the same credentials are used on other platforms. Credential dumps from unrelated data breaches are one of the most common starting points for Instagram hacks — attackers test stolen email and password combinations across many services at once. A password manager and unique passwords per service are essential long-term protection.