Account Recovery
How to Recover a Hacked Facebook or Instagram Account: A Step-by-Step Guide (2026)
Locked out of Facebook or Instagram? Follow this step-by-step recovery guide from Cybrvault's incident response team — the exact playbook we use to get hacked accounts back, even when the hacker changed the email, phone, and password.

Getting locked out of your Facebook or Instagram account is one of the most stressful things that can happen online — especially if you run a business, sell from your page, or have years of photos and messages tied to it. The good news: Meta has working recovery paths for almost every situation, including the worst-case scenario where the hacker has already changed your email, phone number, and password.
This guide is the exact recovery playbook our Cybrvault incident response team uses when clients call us in a panic. We'll cover what to do in the first 60 minutes, how to recover Facebook, how to recover Instagram, what to do if Meta's automated flows fail, and how to lock the account down so it never happens again. No fluff, no scammy 'recovery services' — just the official steps that actually work in 2026.
First 60 Minutes: What to Do Right Now
Speed matters. In the first hour, a hacker is usually doing three things: messaging your friends with scams (crypto, gift cards, fake 'help me' pleas), changing your recovery email and phone to lock you out, and turning on two-factor authentication with their own device so even Meta can't easily verify you. The faster you act, the more of those steps you can reverse.
1. From a device you've used to log into the account before (same phone, same laptop, same home Wi-Fi), try logging in. Meta trusts known devices and will often let you in with just the password — or let you reset it via a trusted browser.
2. Check your email — including spam and trash — for a Meta message titled 'Your Facebook password was changed,' 'Your email address was changed,' or 'A new login from…'. These messages contain a 'Secure your account' or 'Revert this change' link that reverses the hacker's changes in one click.
3. Warn your followers from another channel (a different account, text, WhatsApp). Tell them not to click any links or send money — your account is compromised.
4. Do NOT pay anyone on TikTok, Telegram, Instagram DMs, or Fiverr who claims they can recover your account for $50–$500. Every single one of them is a scammer who will take your money and disappear. Meta is the only entity that can restore your account.
How to Recover a Hacked Facebook Account
Facebook's official recovery portal is the only place to start. Anything else — third-party 'support' numbers, paid recovery services, DMs from accounts claiming to be Meta — is a scam.
Step 1: Go to facebook.com/hacked
Open a browser (not the app) and go to facebook.com/hacked. Click 'My Account Is Compromised.' Enter the email, phone number, or username tied to the account. Facebook will look up your account and offer recovery options based on what the hacker has and hasn't changed.
Step 2: Reset your password from a trusted device
If the hacker only changed your password, Facebook will send a reset code to your email or phone. Use a device you've logged in from before — Facebook is much more likely to approve the reset from a recognized browser or phone.
Step 3: If the email was changed — use the 'Secure your account' link
When a hacker changes your email, Meta automatically sends a notice to your OLD email saying 'Your email address has been changed.' That email contains a link that says 'If you didn't do this, secure your account here.' Clicking it reverses the change and gets you back to the password reset flow. This is the single most important email to find — check spam, trash, and any old inboxes.
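An added example, not part of the original guide or of Cybrvault's tooling: a small triage script that scans exported mail for the notice subjects quoted above and separates messages that look genuine from lookalikes of the kind phishing uses. The sender domains, the reliance on the receiving server's `Authentication-Results` header, and the sample messages are assumptions constructed for illustration.

```python
import email
from email import policy
from email.utils import parseaddr

# Subject phrases quoted in the guide; compared case-insensitively.
NOTICE_PHRASES = (
    "your facebook password was changed",
    "your email address was changed",
    "your email address has been changed",
    "a new login from",
)
# Assumption: domains treated as genuine Meta senders. Verify before relying on them.
ASSUMED_META_DOMAINS = ("facebookmail.com", "mail.instagram.com")

def classify(raw_message):
    """Return 'notice', 'lookalike' or 'other' for one raw RFC 5322 message."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    subject = str(msg.get("Subject", "")).lower()
    if not any(phrase in subject for phrase in NOTICE_PHRASES):
        return "other"
    domain = parseaddr(str(msg.get("From", "")))[1].lower().rpartition("@")[2]
    from_meta = any(domain == d or domain.endswith("." + d)
                    for d in ASSUMED_META_DOMAINS)
    # Only the topmost Authentication-Results header is read: it is normally the
    # one stamped by your own mail provider, not by the sender.
    results = msg.get_all("Authentication-Results", [])
    dmarc_pass = bool(results) and "dmarc=pass" in str(results[0]).lower()
    return "notice" if from_meta and dmarc_pass else "lookalike"

def triage(raw_messages):
    """Return (index, verdict) for every message that is not 'other'."""
    verdicts = [(i, classify(raw)) for i, raw in enumerate(raw_messages)]
    return [(i, v) for i, v in verdicts if v != "other"]

# Constructed sample messages (not real mail), standing in for a mailbox export.
SAMPLE = [
    "From: Facebook <security@facebookmail.com>\n"
    "Authentication-Results: mx.example.net; dkim=pass; dmarc=pass\n"
    "Subject: Your email address was changed\n\nSecure your account here.\n",
    "From: Meta Support <security@facebookmail.com.verify.example>\n"
    "Authentication-Results: mx.example.net; dmarc=pass\n"
    "Subject: Your Facebook password was changed\n\nLog in to verify.\n",
    "From: Shop <news@shop.example>\nSubject: Weekly deals\n\nHello.\n",
]
```

A 'lookalike' verdict means the subject matches a Meta notice but the sender or authentication result does not; treat that message as suspect and go to facebook.com/hacked directly instead of using its link.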
Step 4: Identity verification (when automated recovery fails)
If the hacker changed your email AND phone AND turned on 2FA, Facebook will route you to identity verification. You'll be asked to upload a photo of a government-issued ID (driver's license, passport, state ID). The ID should show the same name and birthday as the Facebook account. Meta reviews these manually, so expect 1–5 business days for a decision.
Step 5: Use Trusted Contacts (if you set them up)
If you previously set up 3–5 Trusted Contacts on Facebook, you can request recovery codes from them. Each friend gets a unique code; you collect 3 of them and enter them at facebook.com/recover to regain access. This is one of the few methods that works even when ID verification fails.
How to Recover a Hacked Instagram Account
Instagram's recovery is more automated and — surprisingly — often faster than Facebook's, because of the video selfie verification system Meta rolled out in 2022 and expanded through 2025.
Step 1: Go to instagram.com/hacked
On a browser, open instagram.com/hacked. Choose 'My account was hacked.' Enter your username, email, or phone. Instagram will guide you through whichever recovery path matches your situation.
Step 2: Request a login link
From the Instagram app's login screen, tap 'Forgot password?' → 'Need more help?' → 'Send security code.' Instagram sends a one-time login link to your email or phone. Open it on the same device you usually use to log in.
Step 3: Video selfie verification (when email and phone are both changed)
This is the recovery method that saves most hacked Instagram accounts in 2026. From instagram.com/hacked, when prompted, choose 'Get support.' Instagram will ask you to record a short video selfie turning your head left and right. Their system compares the video against the selfies and photos already on your account. If it's a match, you get a recovery email within 24–48 hours. Tips: use good lighting, no hat or sunglasses, and match the appearance shown in older posts on the account.
Step 4: Report the hacked account
If the hacker has already deleted or disabled your account, go to help.instagram.com → 'Privacy and Safety Center' → 'Report Something' → 'Hacked Accounts.' Submit the report and wait for an emailed response from Instagram support (1–7 days).
What to Do If You Can't Get In At All
Sometimes Meta's automated flows fail — usually because the hacker has been in the account long enough to delete the recovery email, change the linked phone twice, and turn on 2FA. Here's what still works:
- Submit ID verification multiple times — many users get approved on the 2nd or 3rd attempt with a clearer ID photo.
- If the account is connected to a Facebook Business Manager, Meta Business Support is the fastest path — open a chat at business.facebook.com/business/help.
- If you ran ads, contact Meta Ads Support — they have a separate, faster escalation queue.
- If you have a verified blue check, use the Meta Verified priority support chat.
- File a report with the FBI's Internet Crime Complaint Center (IC3.gov). This won't directly recover your account but creates a paper trail if the hacker is committing fraud in your name.
- If the hacker is impersonating you to scam friends or customers, report each fraudulent post/message — Meta's trust & safety team often suspends impersonating activity faster than they restore accounts.
Once You're Back In: Lock It Down
Getting the account back is half the battle. The other half is making sure the hacker can't walk right back in — they often keep a session cookie or a connected app that lets them in even after a password reset.
1. Change your password to something unique and 16+ characters. Use a password manager (1Password, Bitwarden) — never reuse a password across sites.
2. Turn on two-factor authentication with an authenticator app (Google Authenticator, Authy, 1Password) — NOT SMS. SIM-swap attacks bypass SMS 2FA in minutes.
3. Review and revoke all active sessions: Settings → Security → 'Where You're Logged In' → log out of every device you don't recognize.
4. Remove suspicious connected apps: Settings → Apps and Websites → remove anything you don't actively use.
5. Check linked accounts and admin roles — especially Business Manager, Pages, and Ad accounts. Remove any admin you don't recognize.
6. Review your email account too — if the hacker reached Facebook through your Gmail, your email is also compromised. Change that password and turn on 2FA there.
7. Check recent payments and ad spend. Hackers commonly run thousands of dollars in ads on stolen accounts. Dispute fraudulent charges with your bank and Meta.
8. Set up Trusted Contacts (Facebook) so future recovery is faster.
How Hackers Get In (So You Can Stop It Next Time)
Almost every social account compromise we investigate at Cybrvault traces back to one of four causes:
- Phishing — a fake 'Meta Support' email or DM that asks you to log in to verify your account. The login page is fake and steals your credentials.
- Password reuse — your password leaked from another site (LinkedIn, Adobe, MyFitnessPal) and the hacker tried it on Facebook.
- SIM-swap — the hacker convinced your mobile carrier to port your number to their SIM, then used SMS 2FA to reset your account.
- Malicious connected apps — you authorized a 'free followers' or 'who viewed your profile' app years ago and it sold your access token.
Defense is simple: unique 16+ character passwords stored in a password manager, authenticator-app 2FA on every social account, a SIM-lock or eSIM with your carrier, and a quarterly review of connected apps.
When to Call a Professional
If the account is tied to your business income, has thousands of followers, or the hacker is actively scamming your customers, a professional incident response team can escalate to Meta's business support faster than self-service flows. Cybrvault's social media account recovery service handles Facebook, Instagram, TikTok, and X account compromises — most are recovered in 24–72 hours.
Questions teams ask us
Can I recover a hacked Facebook account if the hacker changed my email and phone?
Yes. Use the 'Secure your account' link in the original 'Your email was changed' notification Meta sent to your OLD email. If that email is gone, submit ID verification at facebook.com/hacked — Meta's manual review team can restore your account with a government ID, typically within 1–5 business days.
How long does it take Instagram to recover a hacked account?
With video selfie verification, most accounts are recovered in 24–48 hours. ID-based recovery typically takes 1–7 days. Reports that go to manual review (deleted accounts, complex 2FA situations) can take 2–4 weeks.
Can I pay someone on TikTok or Telegram to recover my account?
No — every 'social media account recovery service' advertising on TikTok, Telegram, Instagram DMs, or Fiverr is a scam. They take your money and disappear, or they take your money AND your remaining accounts. Meta is the only entity that can restore your account, and they never charge for it.
What if the hacker deleted my Instagram account?
You have 30 days to recover a deleted Instagram account. Log in (or attempt to) within 30 days at instagram.com — if you can authenticate, the account is restored. After 30 days, deletion is permanent.
Should I make a new account while waiting for recovery?
Yes. Create a temporary new account to warn your followers about the scam and to point them back to your real account once it is recovered. Don't delete the hacked account; deleting it prevents Meta from restoring it.
How do I prevent this from happening again?
Use a password manager with a unique 16+ character password for every social account, turn on authenticator-app 2FA (not SMS), enable a SIM-lock with your carrier, remove unused connected apps quarterly, and never click login links from emails or DMs — always navigate to the site directly.