What to Do Immediately After a Social Media Account Takeover: A 10‑Step Recovery Checklist
A practical, time‑sequenced 10‑step checklist to reclaim LinkedIn, Facebook, Instagram or X in the first 24 hours after takeover.
If your social account just got taken over, stop scrolling. Use this 10‑step, time‑sequenced recovery checklist to act fast — and reclaim control within 24 hours.
Account takeover is chaotic: messages sent in your name, damaging posts, or even financial fraud. In early 2026 the threat landscape escalated — password‑reset waves hit Instagram and Facebook, LinkedIn users faced coordinated policy‑violation attacks, and AI misuse on X amplified impersonation risk. If you suspect a takeover, every minute counts. This guide gives a practical, time‑sequenced plan for LinkedIn, Facebook, Instagram and X, plus evidence checklists, four ready‑to‑use templates and prevention steps to stop a second attack.
Fast summary — what to do in the next 24 hours
- Hour 0–1: Lock the account from further damage. Stop active sessions, change passwords, cut off attackers’ access.
- Hour 1–6: Notify platforms, contacts and banks. Report the compromise to the platform using the official “compromised account” flow; tell close contacts to ignore suspicious messages.
- Hours 6–24: Gather evidence and escalate. Collect screenshots, email headers and timestamps; report to UK authorities if you suffered financial loss or blackmail.
- After 24 hours: Harden and monitor. Switch to hardware security keys / passkeys, review apps and run a security audit.
10‑Step Recovery Checklist (First 24 Hours) — Time‑sequenced
Immediate (0–60 minutes)
Step 1 — Confirm takeover, preserve evidence.
If you can still access the account, take screenshots of any malicious posts, messages or profile changes. If you cannot access the account, take screenshots of any suspicious password reset emails, alerts from the platform or messages from contacts saying they received posts from you.
- Screenshot the profile page (showing username & avatar).
- Save email headers for reset or login notifications (don’t forward — save raw headers).
- Note exact timestamps (UTC) and device names shown in login alerts.
Step 2 — Reset the email account used to sign in.
Most takeover chains start with the email. If attackers control your email, you lose the platform account recovery route. Change that email password immediately from a separate, secure device and enable strong MFA on the email (preferably an authenticator app or hardware key).
Step 3 — End active sessions and remove device access.
If you still have access, go to the account’s security settings and sign out other devices or end all sessions. That stops many attackers that rely on active tokens.
Platform quick actions (if you have access):
- Facebook / Meta — Security > Where You're Logged In > Log Out of All Sessions or use facebook.com/hacked.
- Instagram — Settings > Security > Login Activity > Log Out of Suspicious Sessions.
- LinkedIn — Me > Settings & Privacy > Sign in & security > Where you’re signed in.
- X — Settings and privacy > Security and account access > Apps and sessions.
Short term (1–6 hours)
Step 4 — Change passwords and remove saved logins.
Create a new, unique password using a password manager. Do not reuse passwords. Make the change from a secure device that you know is not compromised. Replace saved passwords in browsers and on devices.
Use a long passphrase or a random password generator; aim for 16+ characters and avoid predictable substitutions.
Step 5 — Turn on phishing‑resistant MFA (immediately where possible).
Switch from SMS MFA to a stronger method immediately: ideally phishing‑resistant authentication such as hardware security keys (FIDO2 / U2F) or platform passkeys, with an authenticator app (TOTP) as a minimum. In 2026, passkeys and hardware keys are widely supported across major platforms — they block phishing and many automated AI attacks we saw in late 2025–2026.
Step 6 — Report the account as compromised to the platform.
Use the platform’s official “compromised account” or “hacked account” process — don’t rely on generic support email. When reporting, attach screenshots and explain the impact (impersonation, financial requests, phishing sent to contacts).
Template note: Below we include short, ready‑to‑paste templates for platform reports and messages to contacts.
Recovery and escalation (6–24 hours)
Step 7 — Tell your network and flag suspicious messages.
Ask contacts to ignore or delete suspicious posts, links or DMs sent from your account. If your account was used to send phishing links, advise everyone who clicked to change passwords and watch for fraud.
Post a short status update from another verified channel (email or another social account) to warn followers — include what to ignore and when your official account is restored.
Step 8 — Check connected apps and revoke access.
Attackers often use third‑party apps and OAuth tokens to maintain access. Revoke all app permissions and reconnect only to apps you recognise. On LinkedIn and Facebook, review business integrations; on Instagram and X, check connected publishing tools.
Step 9 — Contact your bank, and if UK‑based, report to Action Fraud if money was taken.
If financial details or payment links were posted, or if money was lost, contact your bank straight away. For UK victims of fraud, report to Action Fraud and keep the crime reference. For identity theft or severe reputational damage, consider early legal advice.
Step 10 — Collect and export evidence; escalate if platform response is slow.
Export messages, media and audit logs (where platforms allow). If the platform response is delayed and the harm is immediate (scam messages, defamatory posts), escalate: use verified complaint channels, raise a complaint via the platform’s business/ads support, or ask your MP to help if there is regulatory risk. For persistent refusal to reinstate or remove impersonation, consider legal notice or an injunction.
Platform‑specific tips (fast reference)
LinkedIn
- Use LinkedIn Help Center > Account access > “I think my LinkedIn account was hacked.” Upload proof of identity if requested.
- If flagged with policy‑violation posts (the late‑Jan 2026 wave), emphasise in your report that the changes and posts are fraudulent and provide timestamps.
- Check connected third‑party apps and revoke API tokens used by scheduling tools.
Facebook / Instagram (Meta family)
- Meta provides a dedicated “hacked” flow — follow the official forms (Meta’s “report compromised account” pages). For Instagram password‑reset chaos seen in Jan 2026, expect higher volumes — include email headers and screenshots to speed triage.
- Use “Support Inbox” on Facebook to track your case and save the case number.
X (formerly Twitter)
- X’s Help Center has a “compromised account” form. If your account was used to amplify AI deepfake content (Grok‑related incidents in 2025–2026), point that out — platforms are prioritising harmful AI misuse cases.
- Change any API keys linked to developer apps and review third‑party publishing tools.
Evidence checklist (what to collect and how to store it)
Accurate, timestamped evidence speeds restoration and supports fraud reports and legal steps.
- Screenshots of posts, DMs, profile changes (use full‑screen mode to show timestamps and URLs).
- Email notifications (save raw headers — they show the sending server).
- Login alerts (device type, approximate location or IP if shown).
- Exported data where available (Facebook/Meta and LinkedIn allow data download requests).
- Chat logs from contacts who received malicious messages — ask them to screenshot and forward securely.
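Step 1 and the checklist above both say to save raw email headers because they show the sending server. The following added example (not part of the original guide) turns a saved raw message into an evidence record with the UTC send time, the first sending hop and the SPF/DKIM/DMARC verdicts; the function name, sample message, domains and IP address are constructed for illustration.

```python
import email
import re
from datetime import timezone
from email.utils import parseaddr, parsedate_to_datetime

# Constructed sample of a saved raw reset notification (domains and IPs are placeholders).
SAMPLE_RAW = """\
Return-Path: <bounce@mail.example-social.test>
Received: from out7.example-social.test (out7.example-social.test [198.51.100.24])
\tby mx.recipient.test with ESMTPS id def456;
\tTue, 20 Jan 2026 10:15:05 +0100
Authentication-Results: mx.recipient.test;
\tspf=pass smtp.mailfrom=mail.example-social.test;
\tdkim=pass header.d=example-social.test;
\tdmarc=pass header.from=example-social.test
From: "Example Social" <security@example-social.test>
To: user@recipient.test
Subject: Reset your password
Date: Tue, 20 Jan 2026 10:15:03 +0100
Message-ID: <reset-0001@example-social.test>

Someone requested a password reset.
"""

def summarise_headers(raw: str) -> dict:
    """Turn raw headers into an evidence record: UTC time, sending server, auth verdicts."""
    msg = email.message_from_string(raw)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    sent = parsedate_to_datetime(msg["Date"]).astimezone(timezone.utc)
    # The bottom-most Received header is the earliest hop; hops recorded before
    # your own provider's servers can be forged, so treat them as claims.
    hops = msg.get_all("Received", [])
    m = re.search(r"from\s+(\S+)\s+\(.*?\[([0-9A-Fa-f.:]+)\]\)", hops[-1]) if hops else None
    # Verdicts stamped by the receiving provider; trust only the copy your provider added.
    results = " ".join(msg.get_all("Authentication-Results", []))
    auth = dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", results))
    signer = re.search(r"header\.d=([\w.-]+)", results)
    warnings = [f"{k} is {auth.get(k, 'missing')}" for k in ("spf", "dkim", "dmarc")
                if auth.get(k) != "pass"]
    if signer:
        d = signer.group(1).lower()
        if from_domain != d and not from_domain.endswith("." + d):
            warnings.append(f"From domain {from_domain} not aligned with DKIM signer {d}")
    return {"sent_utc": sent.isoformat(), "from_domain": from_domain,
            "first_hop": m.groups() if m else None, "auth": auth, "warnings": warnings}

if __name__ == "__main__":
    for key, value in summarise_headers(SAMPLE_RAW).items():
        print(f"{key}: {value}")
```

A clean result only shows the message came from the claimed domain; a genuine reset email you did not request is still evidence that someone is trying to get into the account.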
Three ready‑to‑use templates
Copy these into the platform form or messages to contacts. Keep them factual and calm — angry language slows support triage.
1. Platform support (short)
Hello — my account was compromised at [time UTC]. The attacker changed [email/phone/profile], posted [brief description], and contacted my followers with phishing links. I have screenshots and login alerts. Please flag this as urgent: impersonation and fraud. Case details attached. — [Your full name, username, contact email]
2. Message to contacts (DM or email)
Hi — my [platform] account was hacked. Please ignore any messages or links you received from me since [time]. Do not click any links or send money. I’m working to restore control. I’ll update you from my email [your email]. — [Your name]
3. Bank fraud notification (short, for use by phone or email)
I am reporting unauthorised transactions and account compromise relating to a social media hack on [platform]. I have evidence (screenshots and messages) and request a fraud review. Please freeze suspicious payments and advise next steps. Crime reference (if available): [Action Fraud ref]. — [Full name, account number, contact]
Advanced strategies and 2026 security trends
Late 2025 and early 2026 saw new patterns: mass password‑reset campaigns against Meta platforms, LinkedIn policy‑violation attacks, and AI‑facilitated content abuse on X. Attackers increasingly use AI to automate social engineering and to craft convincing phishing content. Defenders must upgrade beyond SMS MFA and passwords.
- Passkeys & hardware security keys: The most robust protection. In 2026, major platforms support passkeys — set one up and store recovery codes safely.
- Phishing‑resistant authentication: WebAuthn, FIDO2 and hardware tokens block credential‑harvesting sites and many SIM swap attacks.
- Zero‑trust inbox habits: Treat unexpected password‑reset emails with suspicion; check raw headers and never click reset links from an email — go to the site directly.
- Credential monitoring: Use a reputable password manager with breach notifications; change passwords if a leak is reported.
- Limit OAuth scope: Revoke unnecessary third‑party app permissions quarterly.
Case studies — short, real‑world learning (anonymised)
These examples echo common patterns seen in 2026 platform incidents.
Case: Instagram password‑reset wave
“Sarah” received a Meta password reset email she did not request. Her account was locked by the attacker who then messaged followers with phishing links. Sarah followed the quick checklist: secured her email, reported via Meta’s compromised account form with screenshots, and used a hardware key to regain control. Because she had saved recovery codes and revoked unknown sessions, restoration took under 12 hours.
Case: X content abuse (AI deepfake amplification)
“Tom” saw AI‑generated, humiliating posts appearing under his handle. X’s prioritisation of AI misuse cases in 2026 meant his report was escalated. Tom produced message logs and asked followers to ignore the posts. Legal counsel issued a takedown notice and X removed the content within 48 hours.
When to involve authorities or get legal help
If there’s financial loss, extortion, identity theft or ongoing impersonation, escalate beyond the platform:
- UK — Action Fraud: Report cyber fraud and keep the reference number for banks and insurers.
- Data protection concerns: If personal data was exposed by the platform or a third party, the ICO may be relevant.
- Legal notice: If posts are defamatory or impersonation persists and platform removal is delayed, consider a solicitor to send a takedown or cease‑and‑desist letter.
Final actionable takeaways — act now
- Within the first hour: secure your email and end all sessions.
- Within six hours: change passwords, enable phishing‑resistant MFA, and report to the platform.
- Within 24 hours: inform contacts, revoke app access, contact banks if needed, and gather robust evidence for authorities.
In 2026 the attack surface is evolving — AI makes scams faster and more convincing, but authentication technology and platform policy enforcement have also matured. Your best defence is speed, evidence and shifting to phishing‑resistant security.
Downloadable resources and next steps
Get our free pack: a printable 24‑hour checklist, platform report templates, an evidence collection worksheet and a step‑by‑step guide to set up passkeys and hardware security keys. Visit complains.uk/recovery‑pack (or use the “Download recovery pack” button on this page).
Need help now? If your account is actively sending fraud messages or you’ve lost money, contact your bank and report to Action Fraud immediately. For hands‑on assistance with platform escalation and complaint drafting, our consumer advocacy team can review your evidence and send platform escalation letters.
Sources & further reading
Recent coverage that shaped the 2026 threat picture includes reporting on Meta password‑reset attacks and LinkedIn policy violation waves (Jan 2026) and AI misuse on X. For technical implementation of passkeys and FIDO2, consult platform help centres and security vendors. Key stories from Jan 2026 highlighted the importance of swift recovery and phishing‑resistant MFA.
Take action now: download the recovery pack, secure your email, and turn on a hardware key. The faster you act, the better the chance you’ll reclaim control — and stop attackers from doing more damage.
Call to action
Download the 24‑hour recovery pack from complains.uk/recovery‑pack and get a personalised review of your evidence. If you’ve been hacked in the last 48 hours, start the recovery checklist now and contact our team for support.