Instagram Hacked and Email Changed: How to Recover Access
TL;DR
If your Instagram was hacked and the attacker changed your email address, act immediately: check your old inbox for a "Revert this change" link from Meta. If that window closed, use Instagram's "Get more help" flow to verify your identity via video selfie or government ID. If Instagram won't respond, legal escalation under GDPR and the Digital Services Act can force a resolution.
Why This Scenario Is Harder Than a Standard Hack
Most Instagram recovery guides assume you still have access to your registered email address. When an attacker changes that address, the standard "forgot password" flow stops working entirely — the reset link lands in the attacker's inbox, not yours.
This attack pattern is increasingly common: a hacker gains access through phishing or a credential breach, immediately swaps the email to lock you out, then uses the account for scams or follower reselling. The window to recover on your own is narrow — but it exists, and knowing exactly what to do makes all the difference.
Step 1: Check Your Old Email for the Revert Link
When anyone changes the email address on an Instagram account, Meta automatically sends a notification to the previous email. That message contains a "Revert this change" link — a single click that undoes the change and locks the attacker out.
Check your old inbox immediately, including spam and promotions folders. The link is typically valid for about one hour from when the change was made. If you find it in time, click it, then immediately change your password, enable two-factor authentication, and log out all other active sessions.
Even after reverting the email change, audit your account carefully: check whether your phone number, birthday, and linked Facebook account were also modified. Attackers often change multiple fields to complicate recovery.
Step 2: Use "Get More Help" at the Login Screen
If the one-hour window has passed, your next path is Instagram's identity verification flow.
- Open the Instagram app and tap Get help logging in.
- Enter your username, email address, or linked phone number.
- Tap Need more help? at the bottom of the screen.
- Follow the prompts — Instagram may offer a login link to an older email or phone number, or direct you straight to identity verification.
If Instagram can reach an older contact method on file, use it. If not, proceed to the identity verification steps below.
Step 3: Complete the Video Selfie Verification
Instagram may ask you to record a short video selfie — a few seconds of your face turning in different directions. This is processed by automated facial recognition and compared against photos already on your profile.
- Use good, even lighting and remove hats or sunglasses.
- Review time ranges from minutes to several days — no fixed timeline is given.
- If your account had few face photos (common for business or branded pages), the system may not be able to match you. In that case, move directly to Step 4.
Step 4: Submit a Government-Issued ID
If video verification is unavailable or unsuccessful, Instagram accepts a government-issued photo ID — passport, national identity card, or driver's licence. Look for a Submit a request or Need more help? link within the support flow.
Allow 5 to 15 business days for review. Common rejection reasons: the name on your ID does not match the account name, the image is blurry or cropped, or the profile contains no face photos to compare against. If rejected, resubmit with a clearer scan and add any additional context about the account.
Step 5: Legal Escalation When Instagram Does Not Respond
Instagram's automated support frequently stops after the standard flows are exhausted — leaving users in silence for weeks. This is where EU law becomes a practical tool rather than just background knowledge.
Under GDPR Article 17, you have the right to access and control personal data stored about you. Under DSA Article 20, very large platforms must operate an internal complaint-handling system and justify any decision that restricts your access. As a Meta platform operating in the EU, Instagram is subject to both.
Submitting a formal complaint framed as a data rights claim — rather than a generic support request — reaches a different team and carries legal weight. For more detail on how these rights apply, read our guide on your legal rights when Instagram blocks your account.
Recovery Timeline at a Glance
| Method | Timeline | Success Rate |
|---|---|---|
| Revert email link (used promptly) | Immediate | Very high |
| Video selfie verification | Minutes to days | Moderate |
| Government ID submission | 5–15 business days | Moderate |
| Legal escalation (GDPR / DSA) | 2–4 weeks | High with professional help |
Act within 24 to 48 hours if at all possible. If the attacker uses the account for policy violations while they have control, Instagram may disable it entirely — creating a second, separate appeal challenge on top of the hack. For a broader overview of options, see our guide on recovering a hacked Instagram account.
When to Consider Professional Account Recovery
If you have exhausted all self-service options and Instagram is not responding, a professional recovery service is worth considering. Recover handles Instagram restoration through legal arguments grounded in GDPR and DSA, bypassing the automated support queue to reach real people inside Instagram's legal and trust-and-safety teams rather than bots.
Recover's success rate is 97%, with 96% of cases resolved within 30 days. No password is required, and a full money-back guarantee applies if recovery fails. The Pay After Recovery option requires only a €19 deposit upfront — the full fee is charged only after access is restored.
One important caveat: if your account has been compromised for more than 80 days, the chances of recovery decrease. A 50% refund guarantee applies in those cases. Do not delay if you are considering this route.
Secure Your Account After Recovery
Once access is restored, take these steps before anything else:
- Enable two-factor authentication using an authenticator app — not SMS, which can be intercepted via SIM swapping.
- Revoke access to any unrecognised third-party apps under Settings → Security → Apps and Websites.
- Review your login activity and log out all unknown sessions.
- Set a strong, unique password not used on any other platform.
- Never click links in direct messages claiming to be from Instagram — phishing via DM is the single most common entry point for these attacks.
For a complete security checklist, see our guide on how to secure your Instagram account in 2026.