My Social Media Account Was Hacked
Signs your Facebook, Instagram, or Discord account has been compromised — and exactly what to do to get it back.
Signs Your Account Was Hacked
You may have noticed one or more of these:
- Posts, comments, or messages you didn’t write appeared from your account
- Friends or followers contacted you about strange messages they received from you
- Your password stopped working
- You received an email saying your email address or password was changed — but you didn’t do it
- You were suddenly logged out on all devices
- You see login activity from locations or devices you don’t recognise
Step 1: Can You Still Log In?
Your next steps depend on whether you still have access.
If you CAN still log in
Act immediately — before the attacker locks you out.
1. Change your password right now
Go to your account’s security settings and change your password before anything else.
Your new password must be long (at least 16 characters), unique, and never used on any other account. Use our password generator to create one — it works entirely in your browser, nothing is sent anywhere.
2. Enable two-factor authentication (2FA)
This is the most important step. With 2FA enabled, even someone who has your password cannot log in without also having access to your phone.
Use an authenticator app (Google Authenticator, Authy, or Microsoft Authenticator) rather than SMS — text messages can be intercepted.
3. Sign out of all other sessions
Check where your account is currently logged in and terminate any sessions you don’t recognise:
- Facebook: Settings & privacy → Settings → Security and Login → Where you’re logged in
- Instagram: Settings → Security → Login activity
- Discord: User Settings → My Account → scroll down to “Where you’re logged in” → Log out all other devices
4. Check which apps have access to your account
Attackers often connect malicious third-party apps to maintain access after you change your password.
- Facebook: Settings → Security and Login → Apps and Websites
- Instagram: Settings → Security → Apps and Websites
- Discord: User Settings → Authorised Apps
Remove anything you don’t recognise or no longer use.
5. Verify your recovery information
Make sure the email address and phone number linked to the account are still yours — attackers often change these to prevent you from recovering the account.
If you CANNOT log in (you’ve been locked out)
Open the section for your platform below.
Facebook
Go to facebook.com/hacked — this is Facebook’s official recovery page for compromised accounts. It will guide you through the process based on your specific situation.
If your recovery email and phone number are still yours:
On the login page, click “Forgot password?” and enter your email or phone number. Facebook will send a recovery code. Use it to set a new password.
If the attacker already changed your recovery email and phone:
On the login page click “Forgot password?” → “Try another way” → “No longer have access to these?” You’ll be asked to provide a new contact email and answer questions to verify your identity — this may include identifying friends in photos or uploading a government-issued ID.
Alternative: Meta Account Recovery Hub
Meta’s central recovery page at meta.com/account-recovery-support covers Facebook, Instagram, and Threads in one place.
Important: Do not use third-party services or websites claiming to recover your account. These are scams.
Instagram
Go to instagram.com/hacked or open the Instagram app and on the login screen tap “My account was hacked”.
Step-by-step recovery:
- On the login screen, tap “Get help logging in” (Android) or “Forgot password?” (iPhone)
- Enter your username or the email address you used when you signed up
- If you see “Need more help?” — tap it
- Instagram will ask you to verify your identity
Identity verification:
Instagram may ask you to film a short video selfie to compare against photos in your account. This is processed by Instagram’s automated system and typically takes 24–48 hours.
If that’s not available, you may be asked to submit a government-issued ID.
Alternative: Meta Account Recovery Hub
You can also use meta.com/account-recovery-support which covers both Facebook and Instagram accounts.
Note: Instagram support is slow. Start the process immediately and be patient — it can take several days.
Discord
Submit a support ticket directly to Discord at dis.gd/hackedaccount. Include:
- Your exact Discord username (with the numbers, e.g. username#1234 or the new @handle format)
- The email address linked to your account before the hack
- A clear description of what happened and when
If the attacker enabled two-factor authentication (2FA) and locked you out:
Look for your Discord backup codes — they are saved as a file called discord_backup_codes.txt or as a screenshot you may have taken when you first set up 2FA. One backup code lets you log in even without the authenticator app.
If you cannot find your backup codes, Discord cannot remove 2FA remotely — you will need to submit the support request above and wait for their team to verify your identity manually.
First, secure your email
Before doing anything in Discord, check whether the attacker also accessed your email. If your email is compromised, they can undo any recovery you do. See the email hacked guide if needed.
After recovery:
Once you’re back in — enable 2FA immediately, go to User Settings → Authorised Apps and remove anything you don’t recognise, and check User Settings → Connections for any accounts the attacker may have linked.
Step 2: Check What the Attacker Did
Once you’re back in your account, check what happened while they had access.
Check messages sent from your account
The attacker may have messaged your contacts asking for money, sending malicious links, or spreading misinformation. Check your sent messages and direct message history.
Check posts and stories
Look for posts, comments, stories, or reels you didn’t create. Delete anything the attacker posted.
Check linked accounts and connected apps
If your social media account was connected to other services — Spotify, gaming accounts, shopping sites — the attacker may have accessed those too.
Step 3: Tell Your Contacts
Don’t let your contacts stay in the dark. Send a message by text, phone, or another social media account to warn them:
- Ignore any unusual messages, links, or requests for money they received from your account
- Do not click any links sent from your account in the past few days
- Your account was hacked but you are now recovering it
What NOT to Do
- Don’t pay anyone who claims to be able to recover your account — these are scams
- Don’t reuse your old password anywhere
- Don’t use the same password on multiple social media accounts — one breach exposes them all
- Don’t trust unofficial recovery services — only use the platform’s own recovery tools
- Don’t reply to the attacker if they contact you — especially if they’re trying to extort you
When to Contact Authorities
Contact the police immediately if:
- Someone is blackmailing or extorting you — threatening to publish photos, videos, or private information unless you pay
- The attacker is threatening you, your family, or your safety
- Money was sent from your account, or people were scammed using your identity
- Your account was used to commit fraud or impersonate you to harm others
These are crimes — filing a report is not optional. Even if you don’t think the police can help technically, the report creates an official record needed for insurance claims, employer notifications, or legal action.
Contact your employer’s security or IT team if:
- The hacked account was connected to work systems
- Work contacts were messaged or sensitive work information was visible in your messages
Prevention Checklist
- Unique password for each social media account — never reused (use our password generator)
- Two-factor authentication enabled with an authenticator app (not SMS)
- Recovery email and phone number are correct and accessible
- No unrecognised apps connected to your account
- Login activity alerts enabled
- You know where your 2FA backup codes are saved (especially for Discord)
- Your email account (used for recovery) is also secured with 2FA