Hacked Instagram account: how to get it back
The short version: go to instagram.com/hacked and request a login link to the email or phone you originally used. Before that, search your inbox for a message from security@mail.instagram.com, if the hacker changed your email, that message has a revert link that undoes it in one click. If codes fail, Instagram can verify your identity with a video selfie for accounts with photos of you.
Start here: the official recovery path
Instagram layers its recovery: login links first, then the change-reversal email, then human identity verification. Work them in order:
- Start at Instagram's hacked flow. Open instagram.com/hacked and pick what happened. This route exists precisely for accounts whose email or password an attacker changed.
- Request a login link or security code. Instagram can send a login link or code to the email address or phone number you originally used, even in many cases where the attacker has since changed details on the account.
- Check your inbox for the change-reversal email. When the email on an Instagram account is changed, Instagram notifies the old address from security@mail.instagram.com with a "revert this change" link. If that mail is in your inbox, it is the fastest undo there is.
- Use identity verification if the code route fails. For accounts with photos of you, Instagram can offer a video-selfie check to prove the face behind the account. It takes a day or so to review. Accounts without photos of a person get an alternative set of questions instead.
- Secure the account the moment you are in. Change the password, log out unknown sessions, fix the email and phone on the account, and turn on two-factor authentication before you do anything else.
If the hacker changed your email or phone
Instagram assumes this will happen, which is why every change to an account's email triggers a notice to the old address with a revert link. That mail from security@mail.instagram.com is your fastest path, check for it before anything else, and be careful to verify the sender, because fake "Instagram security" mail is itself a common phishing lure. If the revert window has passed, the hacked flow plus identity verification still gets genuine owners home, it just takes a day or two longer.
Back in? Lock it down before you do anything else
- Fix the contact details. Remove any email address or phone number that is not yours, they are the attacker's way back in.
- Log out unknown sessions and revoke access for third-party apps you do not use.
- Turn on two-factor authentication with an authenticator app. Our 2FA setup guide shows the safe way.
- Check linked accounts in Accounts Centre, a linked Facebook shares the blast radius.
- Check your DMs and recent posts for scams sent in your name, and warn anyone who was messaged.
If you cannot get back in
If the official process keeps looping, do not pay anyone who cold-calls or advertises instant recovery, and never pay a ransom for your own account. In Australia, report the takeover through ReportCyber at cyber.gov.au, and if money or identity documents are involved, IDCARE provides free, government-funded support. If the account matters too much to gamble on, our assisted recovery works the provider's process for you: verified identity first, then patient, documented escalations. Start here.
Stop the next one before it starts
Getting the account back is the urgent half. The lasting half is closing the back door that let this happen: account recovery. A strong password and two-step verification guard the login, but a "forgot password" flow aimed at a weak recovery channel walks straight past both. Our guide to the recovery gap explains the mechanics, and the email security guide covers the five moves that actually matter. If you want the back door watched for you, that is exactly what SAFE2RECOVER does: we hold and guard the recovery mail for your important accounts, so a reset you did not ask for gets stopped before it lands. Get protected, there is no card required to start.
Frequently asked questions
The hacker changed the email on my Instagram. Is the account gone?
Usually not. Instagram sends a notice to your old address from security@mail.instagram.com whenever the account email changes, and it contains a revert link that undoes the change. Search your inbox for it first. If it has expired, go to instagram.com/hacked and request a login link to your original details, then escalate to identity verification if needed.
How does Instagram's video selfie verification work?
If the account has photos of you, Instagram can ask for a short video selfie to compare against them. Instagram reviews it within about a business day, and it exists for this case: the rightful owner locked out by someone who changed everything. Follow the capture instructions carefully and use good lighting.
I got an email saying my Instagram email was changed, but I did not change it. What do I do?
Act on it immediately. That email, from security@mail.instagram.com, includes a link to revert the change and secure your account. It is the single fastest way to stop a takeover in progress. Verify the sender address carefully, then use the revert link, change your password and turn on two-factor authentication.
What should I check after recovering my Instagram account?
Fix the contact details first: remove any email or phone that is not yours. Then log out all sessions you do not recognise, revoke third-party app access you do not use, and turn on two-factor authentication with an authenticator app. If the account is linked to Facebook in Accounts Centre, check that side too, and review your DMs for scam messages sent in your name.