Instagram Hacked? How to Report, Recover and Protect Your Account in 2026

Instagram is no longer just a photo-sharing app. For South African businesses it is a sales channel, a customer service desk, and a brand asset, which is exactly why criminals target it. At Da Vinci Cybersecurity, Instagram-related cases now land on our desks weekly: hijacked business profiles held to ransom, cloned accounts running advance-fee scams on a company’s own customers, and phishing DMs dressed up as “Meta Support” copyright warnings.

This guide answers the questions we get asked most, in plain language, so you can act fast when minutes matter.

How do I report a hacked Instagram account?

If you can no longer log in, do not waste time messaging the hacker or posting from another account. Go directly to instagram.com/hacked from a browser. This is Meta’s official recovery hub and it walks you through four scenarios: my account was hacked, my password was changed, my account was disabled, or someone else got access.

From the app, you can also tap “Get help logging in” (Android) or “Forgot password?” (iPhone) on the login screen, then follow the prompts to request a login link or security code sent to your original email address or phone number.

If the hacker changed your email address, check your inbox for a message from security@mail.instagram.com, Meta sends a “revert this change” link that remains valid even after the attacker updates your details. This single email is often the fastest route back into your account.

How do I recover an Instagram account when the hacker changed everything?

When the email, phone number, and password have all been changed, request a video selfie verification. From the login screen, choose “Get help logging in”, submit an account you believe was compromised, and select the option confirming you cannot access your email or phone. Meta will ask you to record a short video selfie to match against photos on the account. This works for accounts that have photos of you; business accounts without a face attached may need to verify through the original email domain or supporting documents instead.

While you wait for recovery:

  1. Secure the email account first. If the attacker got into Instagram via your email, they still have the keys. Change that password and enable two-factor authentication immediately.
  2. Warn your followers from another channel (your website, WhatsApp, a linked Facebook page) that the account is compromised and any payment requests coming from it are fraudulent.
  3. Preserve evidence. Screenshot the hijacked profile, any ransom demands, scam posts and DMs — with URLs and timestamps visible. If the matter becomes a criminal case or an insurance claim, this documentation is what investigators and SAPS will need.

How do I report someone impersonating me or my business on Instagram?

Impersonation is now more common than outright hacking. Fraudsters clone a legitimate company’s profile — same logo, same photos, a near-identical handle with one extra letter, and then DM the real company’s followers with “special offers” that end in an EFT to a mule account. We investigated exactly this pattern in a recent Cape Town matter where a fake entity impersonated a legitimate plant-hire business to run advance-fee fraud.

To report an impersonation:

  • If you have an Instagram account: open the fake profile, tap the three dots, choose Report → Something about this account → It’s pretending to be someone else, then select whether it is impersonating you, your business, or someone you represent.
  • If you don’t have an account: use Meta’s impersonation reporting form on the Instagram Help Centre, where you can submit a government ID or business documents to prove identity.
  • For trademark abuse (your logo or brand name on a scam profile), file through Meta’s Brand Rights Protection / intellectual property reporting channel, these reports are often actioned faster than ordinary impersonation reports because they carry legal weight.

Ask your staff and loyal customers to report the fake profile as well. Multiple independent reports materially speed up takedowns.

What are the most common Instagram scams targeting South Africans in 2026?

The patterns we see in live casework:

  • Fake “Meta Support” copyright violation DMs. A message claims your account will be deleted within 24 hours unless you “appeal” via a link. The link harvests your credentials. Meta never sends enforcement notices by DM.
  • Cloned business accounts running deposit scams against the real business’s followers, equipment hire, ticket sales, puppies, accommodation, and forex “investment” pages are the local favourites.
  • Investment and crypto flipping scams, often hijacking a trusted account so the pitch appears to come from someone the victim knows.
  • Sextortion, particularly targeting teenagers, where attackers coerce images and then demand payment. Report these immediately, to Instagram, and to SAPS. Do not pay.
  • Verification badge scams offering the blue tick for a fee via DM. Verification is only available through Meta’s official in-app subscription and application process.

How do I protect my Instagram account from being hacked?

Five controls close most of the gaps:

  1. Turn on two-factor authentication using an authenticator app (Settings → Accounts Centre → Password and security → Two-factor authentication). Prefer an authenticator app or security key over SMS, because SIM-swap fraud remains rife in South Africa.
  2. Use a unique, long password that isn’t reused from any other service, stored in a password manager. Most account takeovers start with a password leaked in an unrelated breach.
  3. Check “Accounts Centre → Password and security → Where you’re logged in” monthly and remove devices you don’t recognise.
  4. Restrict access for businesses. Never share the actual password with staff or agencies, use Meta Business Suite roles so access can be revoked per person the day someone leaves.
  5. Verify your contact details are current. Recovery depends on the email and phone number on file; an old, abandoned email address on the account is an open door.

For companies, add Instagram to your incident response plan: who owns the account, who has recovery access, and who gets called at 22:00 on a Friday when the posts change to crypto giveaways.

When should you bring in a forensic investigator for an Instagram incident?

Meta’s self-service tools solve the straightforward cases. Call in professional help when:

  • Money has been lost, by you or by customers defrauded through a cloned account. Tracing beneficiary accounts, mule networks, and linked handles requires OSINT and financial-crime investigation, and properly preserved evidence if you want a criminal case or civil recovery to succeed.
  • The takeover is part of something bigger. A hijacked social account is frequently the visible symptom of business email compromise or a wider network intrusion.
  • Takedowns keep failing. Persistent impersonation networks spin up replacement profiles within hours. Mapping and dismantling the network, across Instagram, Facebook, WhatsApp and fraudulent domains, is investigative work, not form-filling.
  • You need evidence that stands up in court. Screenshots taken casually are easy to challenge. Forensically preserved evidence with chain-of-custody documentation is not.

Da Vinci Cybersecurity investigates social media fraud, impersonation and account-takeover incidents for businesses across South Africa, combining OSINT investigations and digital forensics with coordinated platform takedown requests. We also run dark web monitoring to flag when your staff credentials, the usual entry point, appear in breach data before criminals use them.

Frequently asked questions

Can Instagram accounts be recovered after the hacker deletes them? Sometimes. Meta retains deleted accounts for roughly 30 days before permanent removal, so act immediately through instagram.com/hacked and the security email revert link.

Should I pay a “recovery service” I found online? No. The overwhelming majority of Instagram “recovery hackers” advertising in comments and DMs are scammers who will take your money, and often your remaining credentials too. Use Meta’s official channels or a verifiable, registered investigations firm.

Do I report Instagram fraud to the police in South Africa? Yes, if money was lost or extortion is involved, open a case at your nearest SAPS station and report the incident to your bank’s fraud line immediately so beneficiary accounts can be flagged. Bring your preserved evidence.

How long does Instagram take to remove a fake account? Anywhere from hours to weeks. Impersonation reports supported by ID or business registration documents, trademark-based reports, and multiple independent user reports all shorten the timeline.

Concerned your business account or brand is being targeted? Contact Da Vinci Cybersecurity for a confidential assessment.

LinkedIn
Facebook
Threads
X
Pinterest
Reddit
WhatsApp
Instagram
]