Nearly 2 out of 5 Americans say that hackers have taken over their social media accounts. And those numbers are likely to rise as more and more account information gets leaked in breaches of big corporations.
“[Hackers are] taking those credentials and, in an automated fashion, they’re gonna bounce those up against every other account out there on the web,” says Lisa Plaggemier, executive director of the National Cybersecurity Alliance. Even if you don’t reuse the exact same password on other accounts, hacker software can easily generate iterations until they get a hit.
(Chances are, you’ve been involved in multiple data breaches. To find out, visit the site have i been pwned?, enter your email address, and see how you’ve been affected.)
Other times, people hand their logins to crooks by responding to scam emails saying, for instance, that your Facebook page has been scheduled for deletion and you must log in immediately (at the bogus link below) to appeal the action.
There are probably things you could have done better (or not done) to prevent getting hacked. But the past is the past. Let’s get back online first and then protect your accounts better going forward.
Recovering your account
The steps for regaining access to your account vary from online service to service—sometimes by a little and sometimes by a lot. But they follow a general pattern — escalating from easy password resets and proving your identity to (sometimes) getting help from actual humans. Unfortunately, if hackers have manipulated your account too much, such as changing your username, password, and contact info, you may not be able to recover your account.
First, you have to realize that you’ve been hacked. Here are some signs:
- Pics or videos you never shot appear as your Facebook, Instagram, or TikTok posts.
- Friends are getting bogus messages from you on Facebook or Twitter.
- Spotify is playing music you never queued up.
- A device you don’t own logged in with your Apple ID.
- New contacts appear in your Snapchat account.
- A genuine email from Instagram says that your email address was changed.
If anything like this happens, the first thing tech companies advise is to log in and change your password — assuming hackers haven’t already changed it to one only they know. When you do change your password, make sure it’s a good one. (I’ll describe how to do that further down.)
If your password no longer works, you’ll have to take other steps to recover your account. On Instagram and elsewhere, for instance, you can request a login link be emailed to your registered address or a security code be texted to your registered phone number (assuming hackers haven’t changed those as well). Some services, such as Apple and Spotify, provide human support for assistance.
Recovery steps for each service
If the mechanics of app-centric services vary a lot between Android and iOS (like with Instagram), I’ll provide instructions for the web interface. If not (as with TikTok), I’ll give instructions for mobile.
Your Apple ID is the key to a lot of personal information, including purchases and online subscriptions. And if you use iCloud extensively, hackers might access your contacts, calendar, photos, notes, and even your GPS location.
To change your password, visit the Apple ID sign-in page and click Sign In. If the site doesn’t accept your Apple ID, go to another Apple device you own, like a Mac, iPhone, or iPad.
On your Mac, click the Apple menu in the upper left of the screen, then click System Preferences and then Apple ID. Click Password & Security, then click Change Password. On an iPhone or iPad, go to Settings and tap your name. Then click Password & Security and Change Password.
Go to facebook.com/hacked and click “My Account Is Compromised.” On the next page, enter your email or mobile number. On the following page, you are asked to log in with your current or old password. So even if a hacker has changed your password, your former password should still allow you to get in and take back control of your account.
If for some reason Facebook still doesn’t accept the password you entered, you can send an email to one of the addresses it has on file, which should protect you even if the hacker changed the “current” contact email. If this doesn’t work, click on the “No longer have access to these?” prompt. Facebook will then check other items to identify you, such as whether you are logging in from a device or location you have used before. (“Device” includes the specific web browser.)
If all else fails, you’ll be asked to upload any of 13 ID types, including your passport, driver’s license, marriage certificate, green card, and voter ID card. Hold your ID up to your webcam for scanning. Facebook will email you with instructions on how to continue.
What if all the automated tools fail? Facebook has said that it is building better support but has not said if that will include help from humans.
(For more details and strategies, including paid recovery services, see our full how-to guide.)
Losing access to your Google account can be an especially big problem, as it could lock you out of Gmail, YouTube, Google Drive, and other services.
If you think you’ve been hacked, try to sign in to your Google account to update your password. If the login page won’t accept your email and / or password, go to Google’s account recovery page and click on the Forgot email link.
You’ll be asked to enter the email address you want to recover and then the last password you remember. (This might be your “real” password before a hacker changed it.) If that password doesn’t work, click “Try another way.” If a backup email is associated with your compromised account, you’ll get a message with a verification code to enter.
If you don’t have or can’t access a recovery email, click “Try another way” again, and Google will text or call the phone number you have on file (if you have one) with a code. If you get the code, enter it and create a new strong password.
If that doesn’t work, click “I don’t have my phone.” Depending on how much information Google has on you, it may be able to ask more questions to establish your identity. But it’s possible that, at this point, you may be out of luck. And Google doesn’t really offer human support to get you past the hurdle. (If you call support at 650-253-000, you’ll get a voice bot that generally points you to various webpages for help.)
(For more details, see our full how-to guide.)
Since it differs slightly for Android and iPhone, let’s go over the web process. Go to instagram.com. If Instagram no longer accepts your username and password, try the “Log in with Facebook” option (assuming you have a Facebook account). If neither of these works, click on Forgot password.
On the next screen, enter your username or registered email address to receive a login link via email or your registered phone number to get a code via text. In the email, click “Reset your password” or, on the phone, click the link in the text message and enter the code sent with it. Either method takes you to the screen for entering a new strong password. Then log in and get back to ‘graming.
If these don’t work, enter the login information you most recently used (pre-hack) and click “Can’t reset your password?” to get to Instagram’s help page. Click on “I think my Instagram account has been hacked,” then scroll to “Request a security code or support from Instagram.” You’ll find instructions walking you through how to request help (including by text message) from the Android and iOS apps.
For more details, see Instagram’s support page.
Since the Android and iOS apps vary, it’s easiest to explain how to do this on the web (although Snapchat only works with Google Chrome and Microsoft Edge). First, go to the login page. If Snapchat won’t accept your username and / or password, click Forgot password and verify your identity by entering your registered phone number or email address. You’ll then get a text or email with a link to reset your password.
This should work even if the hacker has changed your account info. Whenever that info is changed, Snapchat sends a link to the old email saying “Your password was just changed. If this wasn’t you, click here and we’ll undo the change.”
If for some reason Snapchat no longer recognizes your email or phone number, visit the support page and fill out a form to request help recovering your account. (For more details, see Snapchat’s account recovery page.) In an email to The Verge, Snapchat said that its Trust and Safety team works 24/7 and that “in the vast majority of cases we respond to reports and concerns within hours of receiving a report.”
Go to Spotify’s password reset page and enter your username or the email address you used to register. If Spotify recognizes either, it will send an email with a link to a page where you can reset your password. If this doesn’t work, you can contact Spotify’s live chat support.
For more details, see Spotify’s support page.
In case your username and password have been compromised, TikTok offers a lot of ways to log in, including through Facebook, Google, Twitter, Apple, and Instagram (if you’ve associated any of them with your TikTok account).
To change your password in the Android or iOS app, tap Profile in the bottom right, then tap the three-line hamburger icon in the top right. Tap Settings and Privacy and then Manage account. Select Password, and TikTok will email or text you a six-digit code to enter before you can create a new strong password.
If a hacker changed your email and phone number, you will not be able to log in and will have to contact user support. You can submit a support request in the app, through a form, or by emailing firstname.lastname@example.org.
(For more details, see TikTok’s support page.)
Go to the password reset form and enter your username, email, and phone number. Select whether you’d like to get a login link via email or a code via text.
If Twitter doesn’t accept this information, visit the help center page for hacked or compromised accounts and fill out the form to get help.
For more details, see Twitter’s support page.
Securing your account for the future
Hopefully you’ve gotten back into your account. Now, it’s time to make sure no one else can. It starts with creating a strong password that is nothing like any of the other passwords you use.
The advice on formulating passwords has evolved from silly character substitution (P@$$w0Rd!) to long, nonsensical statements (correcthorsebatterystaple). But the best strategy is to employ a password manager either in your browser or in freestanding apps to generate long, unique strings of gibberish (such as “ES%q9i#y8o!bJ6”) and fill them in for you on desktop and mobile. (Many such apps are free.)
Should someone still get or guess this complex password, you can throw in another roadblock by using something called two-factor or multifactor authentication (2FA or MFA). You’ve probably experienced this when, say, your bank texts you a code that you have to enter on your computer to log in.
Text is an okay way to do 2FA / MFA, but it’s best to share your phone number with as few companies as possible (again, the danger of data breaches plus a hack called SIM swapping or SIM hacking, which allows crooks to commandeer your phone number). Even more secure is to set up a 2FA / MFA code generator like Authy or Google Authenticator on your phone.
It’s a bit of work to get these extra security measures set up, although the password manager quickly pays for itself by saving all the hassle of trying to create and remember strong passwords. And those few ounces of prevention are a small price for avoiding the hassle of getting your account hacked.