What to Do If Your Instagram Account Gets Hacked
You may get locked out for good if you don’t move quickly. Here's what to do—and how to plan ahead.
By Thomas Germain
We may be in the midst of an Instagram hacking epidemic.
In recent months, users running Instagram accounts big and small have found themselves locked out of their accounts, with few options for recourse.
If you’re worried your account has been compromised, you might want to skip ahead to “Do This If You’re Locked Out of Instagram,” and follow the instructions. If you act quickly, you may be able to solve the problem fairly easily. Otherwise, things can get very tricky.
That’s what Afua Ayisi learned after she lost control of the Instagram account she runs for her small New York City business. A little over a week ago, Ayisi clicked a link in an Instagram message from a criminal posing as one of her business contacts. That took her to an exact replica of Instagram’s log-in page, and Ayisi typed in her credentials. It was a big mistake.
“I would say it was all over in under 3 minutes,” Ayisi says. She was logged out almost immediately, and the email address and password on the account were changed. Soon the scammer was contacting her customers, trying to rope people into a bitcoin scheme.
“It’s just so violating,” she says. “I can’t even describe the feeling.”
The problem has affected several high-profile Instagram users, too. A criminal reportedly compromised the Instagram account for Bored Ape Yacht Club, a leading collective for NFTs (non-fungible tokens, digital files that can be bought and sold as investments) in late April. Reports say the hacker was able to steal $3 million of NFTs by tricking the account’s followers with a phishing attack. Then, the account for Gabriel Clark, a 12-year-old who amassed 256,000 followers after going viral for his woodworking skills and raising money for Ukrainian children affected by the war, was allegedly taken over by “Russian hackers,” according to the boy’s father.
Once your account is lost there’s often little you can do about it.
“Instagram has been notoriously uncooperative when people lose access to their accounts, and insensitive that many people have business revenue that depends on them,” says Dan Guido, the CEO of security firm Trail of Bits.
Ayisi waded through a confusing set of recovery tools that failed half a dozen times over the course of a week. Shortly after we contacted Instagram to ask about Ayisi’s case, one of the tools started working—though a spokesperson says the timing was just a coincidence.
“We have sophisticated measures in place to stop bad actors in their tracks before they gain access to accounts, as well as measures to help people recover their accounts,” the spokesperson says. “We know we can do more here, and we’re working hard in both of these areas to stop bad actors before they cause harm, and to keep our community safe.” Instagram is currently testing a new feature that lets a user’s friends help verify their identity when an account gets hacked.
While Ayisi eventually recovered her account, others haven’t been so lucky: We spoke to users who say their Instagram accounts were lost forever.
You may have a very brief period of time after an Instagram hijacking to save the account. Below you’ll find all the steps you can follow, in the order you should try them. We also have advice on what to avoid doing to try to recover your account and how to protect yourself to begin with.
Try This First
There are any number of indicators that your Instagram account has been compromised, such as suddenly getting logged out, activity that you don’t recognize, or an email from the company saying that someone has changed the password. You may also just worry that you gave away your log-in credentials in a phishing attack. In any of those cases, follow these steps immediately.
If you still have access to your account, head to Instagram’s Login Activity page. Follow this link, or tap your profile photo in the bottom right of the app. Open the menu > Settings > Security > Login Activity.
This page will show you every location and device where your account is logged in. If you see anything you don’t recognize, tap it and hit log out. That will kick off anyone who has broken in.
Next, change your password. Click here, or go to Settings > Security > Password. Follow the prompts.
Time is of the essence. Attackers may use automated computer programs to change your log-in credentials once they get access, says Dustin Warren, senior threat researcher at the security firm SpyCloud. It could be a matter of seconds, not minutes, before your problem gets much worse.
Next, go to the email account you used to register your Instagram account. Hackers will change the email address associated with your account so that you can’t get back in. Look for an email letting you know your email address has been changed. The email should come from firstname.lastname@example.org. (Check the spelling to be sure it’s that exact address.) You might be able to undo the damage by clicking the “Revert this change” link in that message to open Instagram’s settings.
If these steps worked, you’re in luck. Skip the next section and follow our instructions for securing your account going forward. Otherwise, on to round two.
Do This If You're Locked Out Of Instagram
If the steps above failed, head to Instagram’s help page for hacked accounts.
Assuming the hacker already changed the email for your account, they probably changed the password, too. You can follow the steps on Instagram’s help page to have a Login Link sent to the phone number tied to your profile. But the hacker may have changed the phone number, too.
Here’s how to check: On Instagram’s log-in page, click either “Get help logging in” (on Android) or “Forgot password?” (on iPhone).
You’ll see the email address and phone number currently registered with your account. Ask for a Login Link if the contact information is correct. When you receive it, follow the instructions.
If your email and phone number have been changed, tap “I can’t access this email or phone number,” and follow the prompts. They’ll have you to put in a support request, and you may be asked to submit a “video selfie,” which will be compared to photos on your Instagram account to verify your identity.
The last resort is to use Instagram’s hard-to-find page for log-in support.
These steps might not work. Ayisi tried all of them multiple times before the verification process succeeded, and online forums are full of people who ultimately gave up.
“The thing that makes this so hard is that the systems you set up to help people get their accounts back can also be used by hackers to break in,” Warren at SpyCloud says. “I think there’s more the platforms could be doing, but verifying people’s identity online is a crazy mess. I sympathize with Instagram’s trust and safety team.”
Things You Shouldn't Try
The steps above are basically your only options, according to the experts we spoke to. You may find people suggesting alternative routes online, but proceed with caution.
In particular, you may come across people and services who say they can recover your account—for a fee. Experts say you should stay away.
“No one other than employees at Instagram and the hacker will be able to change the details of that account to get it back,” Warren says. “I’ve seen a lot of people get scammed a second time by someone promising to help.”
Similarly, the experts we spoke to say it’s not a good idea to pay if the hacker offers to give you the account back for money (or anything of monetary value). Paying a ransom means trusting a criminal, and there’s no reason to assume they’ll follow through.
“I hate to say it, but if you’re not hearing a response from Instagram, that might be it,” Warren says. “The best thing you can do is educate people around you. Tell them about your experience so it doesn’t happen to them.”
How to Keep From Getting Hacked on Instagram
If you’ve followed all the steps above and didn’t solve the problem, it might be time to just make a new account. Going forward, there are several steps every Instagram user should implement to protect themselves.
First, use a strong, unique password. You can follow CR’s tips to make your credentials harder to crack. (The best plan is to use a password manager.) Second, set up multifactor authentication, or MFA (sometimes known as two-factor authentication). With MFA, you’ll be sent a code after you enter your password, so hackers can’t get in without access to more information. Experts say using an MFA app is far more secure than setting up MFA with a phone number.
You should also make it a habit to check any emails Instagram sends you, so you’ll find out quickly if someone changes the account’s email address, password, or phone number. You can adjust your notifications in Instagram’s settings so that you won’t get emails about anything else.
Finally, be careful when you’re talking to people online, even if it’s people you know. Take a look at CR’s guide to the latest scams for tips on protecting yourself. If someone sends you a link in a direct message, you might want to message them elsewhere to be sure it’s legit. “Yes, we shouldn’t be clicking links,” Ayisi says, “but we should also acknowledge that these hackers are getting smarter and smarter.” It can happen to anyone, and it’s easy to let your vigilance slip.
More from Consumer Reports:
Top pick tires for 2016
Best used cars for $25,000 and less
7 best mattresses for couples
Consumer Reports is an independent, nonprofit organization that works side by side with consumers to create a fairer, safer, and healthier world. CR does not endorse products or services, and does not accept advertising. Copyright © 2022, Consumer Reports, Inc.