Your Account Got Hacked and You Can't Get Back In. Here's What Actually Works.
You wake up to an email saying your password was changed. You try to log in — wrong password. You hit "forgot password" — but the recovery goes to an email you no longer control. You check your phone number on file — it's been swapped to a number you don't recognize. In about four hours, someone has locked you out of your own digital life, and every door back in leads to a wall.
This isn't a rare horror story anymore. It's Tuesday.
Stop Panicking, Start Documenting
The first thing most people do is click frantically through every recovery option until they accidentally trigger a lockout. Don't. Before you touch anything else, take screenshots of every error message, every screen that shows your account status, and every email notification you received. This sounds boring, but it will matter enormously later.
Platforms like Google, Meta, and Apple all have human review teams who handle account recovery disputes. Those teams need evidence. A screenshot of the suspicious login notification with a timestamp from a country you've never visited is worth more than any explanation you write.
Write down the exact timeline of events while your memory is fresh — when you noticed the problem, what you tried, what changed.
The Recovery Paths, Ranked by What Actually Works
Start with the platform's official recovery form, not customer support chat.
Live chat agents at most major platforms genuinely cannot override account ownership decisions. They're reading from the same decision tree you are. The account recovery form, by contrast, routes to a specialized team with actual authority to investigate.
For Google accounts, this is the Account Recovery page. For Meta (Facebook/Instagram), it's the Hacked Accounts portal. Apple users go through iforgot.apple.com. These forms ask you to verify your identity through purchase history, previous passwords, trusted devices, or billing addresses — information a hacker typically doesn't have even after taking your account.
According to the Federal Trade Commission, you should also report the compromise to the platform immediately, because some services flag hacked accounts for expedited review rather than standard queue processing.
The Counterintuitive Part Nobody Tells You
Here's what most recovery guides skip: your old device might be your best key back in.
When a hacker changes your password and recovery email, they're changing credentials — but on many platforms, a previously trusted device still holds a valid session token. That token is essentially proof the device was you. If you have an old phone, laptop, or tablet that was ever signed into that account, don't factory reset it. Don't update it. Don't even restart it unnecessarily.
Open the app directly on that device. On Google, for example, an active session on a trusted device can let you generate a recovery code or confirm your identity without needing your current password at all. Apple's Trusted Device system works similarly — a six-digit code can appear on an old iPad even after your Apple ID password has been changed by someone else.
This window closes. Sessions expire. Act on this within 24-48 hours of discovering the breach.
When the Platform Won't Help
If automated recovery fails after two or three attempts, escalate — but strategically.
Some platforms respond to public social media posts tagging their support accounts faster than they respond to tickets. This isn't guaranteed, but it's not nothing either. More reliably, if your account is tied to a business, advertising spend, or a creator monetization program, mention that in your recovery request. Accounts with financial relationships get different triage.
According to Krebs on Security, SIM-swapping — where attackers convince your mobile carrier to transfer your phone number to a SIM card they control — is one of the most common ways hackers bypass two-factor authentication entirely. If you suspect this happened, call your mobile carrier immediately and ask them to add a port freeze or SIM lock to your account. This is a free feature most carriers offer and almost nobody uses.
File a police report, even if you think nothing will come of it. Some platform recovery teams require a case number before they'll escalate certain disputes, and having one costs you nothing but 30 minutes.
Rebuilding So This Doesn't Happen Again
Once you're back in — or if you're protecting a different account while this one is still locked — the single most impactful change you can make is moving away from SMS-based two-factor authentication entirely.
Use an authenticator app (Google Authenticator, Authy, or the one built into your password manager). These generate codes on your device rather than sending them over a phone network, which means a SIM-swap attack can't intercept them.
Store your backup codes somewhere physical. Print them. Put them in the same drawer as your passport. This sounds excessive until you're staring at a locked screen at midnight.
For your most critical accounts — email, banking, anything tied to your identity — consider a hardware security key. It's a small USB device that acts as physical proof of identity. A hacker on the other side of the world cannot use one they don't physically hold.
The Honest Limitation
Not every account comes back. If a hacker has held access long enough, changed enough information, and the platform's automated systems have flagged too many failed recovery attempts from your end, you may hit a wall that no form, escalation, or social media post gets through. Some platforms — particularly smaller services, gaming platforms, and older social networks — have essentially no human recovery infrastructure. The account is gone.
This is not a failure on your part. It's a design failure by platforms that treat account recovery as an afterthought. The best protection isn't recovery — it's making the initial takeover so difficult that it never happens. But if you're reading this because it already has, work the steps above methodically, document everything, and accept that speed is the single variable most in your favor right now.
Sources:
- Federal Trade Commission
- Krebs on Security