Instagram Account Hacked: Step-by-Step Recovery Guide for Kids and Parents

If your child's Instagram account was hacked, impersonated, or taken over, here is the exact recovery process to follow — plus the preventive settings every parent should configure before an attack happens.

Your daughter tells you her Instagram account is posting things she didn’t post. Or she can’t log in at all — the password stopped working overnight. Or a friend sends a screenshot of a fake account using your daughter’s photos to solicit followers. These three scenarios are distinct problems, each requiring a different response, but parents often treat them identically and waste critical time going in circles on Instagram’s help pages.

Instagram has approximately two billion monthly active users. The National Center for Missing and Exploited Children (NCMEC) received more reports about Instagram in 2022 than any other platform for child exploitation-related content. The platform’s scale makes it a target, its popularity with teens makes children disproportionately affected, and its account recovery tools — while functional — are not designed to be self-explanatory for a panicked parent at 11 pm.

This guide maps the exact steps, in the right order, for three distinct situations: a hacked account you’re still partially in, a fully locked-out account, and an impersonation account using your child’s identity.

Key Takeaways

  • The order of recovery matters: secure the linked email account before attempting Instagram recovery, or you may lose access to both
  • Instagram has specific recovery paths for accounts locked out due to email/password change — the “Need more help?” option triggers a selfie video verification process
  • Impersonation accounts (fake accounts using your child’s photos) are handled separately from hacked accounts — use the “Report” function, not the account recovery flow
  • The most common attack vector is password reuse: the child’s Instagram password was the same as a password exposed in a prior breach elsewhere
  • Turning on two-factor authentication with an authenticator app — not SMS — prevents most account takeovers even when a password is stolen

Three Scenarios, Three Different Responses

Not all Instagram “hacks” are the same, and mixing up the response can make recovery harder.

Scenario A: The Account Is Posting Things Your Child Didn’t Post

The account is still accessible, but unfamiliar posts, DMs, or follows are appearing. This means someone has active access — either through a compromised password, a session they’re logged into on another device, or a linked third-party app that has been weaponized.

Immediate action sequence:

  1. Go to Settings > Accounts Center > Password and Security > Where You’re Logged In. Review all active sessions. Tap “Log out of all sessions” to terminate every active login.
  2. Change the password immediately from within the app.
  3. Check Settings > Security > Apps and Websites — revoke access for any third-party apps you don’t recognize, especially “follower tracking” or “analytics” apps, which are common attack vectors.
  4. Enable two-factor authentication if it isn’t already on.

Scenario B: Fully Locked Out — Password and Email Were Changed

This is the most distressing scenario. The attacker changed both the Instagram password and the email address linked to the account, meaning standard email recovery won’t work.

The recovery sequence matters here:

First, check whether the email account linked to Instagram (before it was changed) is still accessible. If your child’s Gmail or other email is still intact, do not skip this — an attacker who changed the Instagram email may be preparing to access other accounts using the same email. Secure that email first.

Then, on the Instagram login screen:

  1. Enter the username and tap “Forgot password”
  2. Choose to receive the reset link by email or phone
  3. If the attacker changed both and you receive nothing, tap “Need more help?” at the bottom of the screen — this triggers Instagram’s identity verification flow
  4. Instagram will ask you to complete a selfie video verification — a short video where you turn your head in a specific direction. This is compared against photos on the account.
  5. The request is then manually reviewed. Response times range from a few hours to several business days.

If the selfie verification process fails (which can happen if the account has few photos of the actual child, or if the child’s appearance has changed significantly), you can file a support request specifying that the account belongs to a minor: instagram.com/hacked

Scenario C: Impersonation — A Fake Account Is Pretending to Be Your Child

This is legally and emotionally distinct from a “hacked” account. The real account may still be fine; a separate account has been created using your child’s name and photos.

Do not use the account recovery flow. Instead:

  1. Navigate to the fake account
  2. Tap the three-dot menu in the top right
  3. Select “Report” > “It’s pretending to be someone” > “Me or someone I know” > follow prompts for impersonation
  4. If your child is under 13, select the “My child” option — Meta applies heightened review for minor-related reports
  5. Document everything: screenshot the fake profile, its follower count, and any DMs it has sent

Instagram typically acts on impersonation reports involving minors within 24–72 hours. If the fake account is sending messages to your child’s contacts, also advise those contacts to report it directly — more reports accelerate review.

The Password Reuse Problem: Why Most Hacks Start Elsewhere

A 2023 Google/Harris Poll survey found that 65% of people reuse the same password across multiple sites. Among teens, behavioral research suggests this number is even higher because teens typically create their first passwords without guidance.

When any website is breached — a gaming site, a school tool, a food delivery app — the leaked email-and-password combinations are tested against major platforms automatically. This is called “credential stuffing.” If your child used the same password for Instagram that they used for, say, an old Roblox account or a gaming forum that was breached, the attacker doesn’t need to do anything clever. They just run the stolen credentials against Instagram and walk in.

You can check whether an email address appears in known breach databases at haveibeenpwned.com. This site, operated by security researcher Troy Hunt and data-checked by Microsoft, shows which breaches an address appears in. If you find the address in breach results, every account that uses the same password as the breached account is at risk.
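The blast radius of one breached password can be worked out locally from a password-manager export. The script below is an added example, not part of the original guide; the CSV columns, site names, and passwords are constructed for illustration.

```python
import csv
import hashlib
import io
from collections import defaultdict

# Constructed sample: a password-manager CSV export (the column names are an assumption).
SAMPLE_EXPORT = """name,url,username,password
Instagram,https://www.instagram.com,kid@example.com,Sunny-Tiger-42
OldGameForum,https://forum.example.net,kid@example.com,Sunny-Tiger-42
SchoolPortal,https://school.example.org,kid@example.com,Sunny-Tiger-42
Email,https://mail.example.com,kid@example.com,vK9#correct-horse-7
FoodApp,https://food.example.io,kid@example.com,pizza2019
"""


def fingerprint(password: str) -> str:
    """Hash the password so reuse can be grouped without echoing the plaintext."""
    return hashlib.sha256(password.encode()).hexdigest()[:12]


def reuse_exposure(export_csv: str, breached_sites: set[str]) -> dict[str, list[str]]:
    """Map each breached site to the other accounts that share its password."""
    by_password = defaultdict(list)
    for row in csv.DictReader(io.StringIO(export_csv)):
        by_password[fingerprint(row["password"])].append(row["name"])

    exposure = {}
    for sites in by_password.values():
        for site in sites:
            if site in breached_sites:
                # Every other account with the same password must be rotated too.
                exposure[site] = sorted(s for s in sites if s != site)
    return exposure


if __name__ == "__main__":
    # Suppose the breach lookup listed only the old gaming forum.
    for source, at_risk in reuse_exposure(SAMPLE_EXPORT, {"OldGameForum"}).items():
        print(f"{source} breached -> also change: {', '.join(at_risk) or 'nothing else'}")
```

Accounts with unique passwords (the email and food app entries in the sample) never appear in the at-risk list, which is the whole argument for one password per site.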

Preventive Settings: What to Configure Before an Attack

Two-Factor Authentication: Authenticator App, Not SMS

Instagram’s default 2FA option is SMS — a text message with a code. As detailed in our article on SIM swapping attacks, SMS-based 2FA can be defeated if an attacker transfers the teen’s phone number to a new SIM. Authenticator app codes are generated locally and are immune to SIM swapping.

To switch to authenticator-based 2FA:

  1. Settings > Security > Two-Factor Authentication
  2. Choose “Authentication app”
  3. Instagram will generate a QR code — scan it with Google Authenticator, Authy, or Microsoft Authenticator
  4. Save the backup codes Instagram provides — store them somewhere offline

Login Activity Alerts

Settings > Security > Emails from Instagram: enable all security notification emails. These are sent to the linked email when a new device logs in. This won’t stop an attack, but it provides early warning before a full takeover.

Third-Party App Audit

Settings > Security > Apps and Websites shows every app that has requested access to the Instagram account. Teens accumulate these from “see who unfollowed you” tools, filter apps, and giveaway sites. Most are granted broad read permissions. Remove any app that is inactive or unrecognized.

Username and Contact Privacy

Settings > Privacy: review who can find the account by phone number or email address. For teen accounts, these should be set to “No one.” This prevents reverse-lookup attacks where an attacker knows the phone number and uses it to find the account.

Account Recovery Codes: Save Them Now

When 2FA is enabled, Instagram generates a set of backup codes. These are single-use codes that allow account recovery if your child loses their authenticator device. Take a screenshot of these codes and save them somewhere the parent has access to — a printed document in a drawer, a note in a parent’s password manager. They are useless if stored only in the teen’s phone.

Platform Comparison: Instagram vs. Other Platforms for Recovery Speed

| Platform | Standard Recovery Time | Minor-Specific Escalation | Best Contact Method |
|---|---|---|---|
| Instagram (hacked) | 1–5 business days | Yes (select “minor” in form) | instagram.com/hacked selfie flow |
| Instagram (impersonation) | 24–72 hours | Yes (report as parent) | Report button on fake profile |
| Snapchat | 1–3 business days | Limited | support.snapchat.com |
| TikTok | 3–7 business days | Available for under-13 | TikTok Help Center form |
| Facebook/Meta | 3–10 business days | Yes (parents can report for minors) | facebook.com/hacked |

What DMs to Preserve and What to Screenshot

If the hacked account was used to send messages to your child’s contacts — especially if those messages contained inappropriate content — preserve evidence before recovery:

  • Screenshot the account’s recent posts (visible even after password change if posts haven’t been deleted)
  • Ask friends who received DMs to screenshot and preserve those messages
  • Note the date and time of first unusual activity
  • If any DMs solicited images of your child or contacts, this is reportable to NCMEC at cybertipline.org

Law enforcement involvement is warranted when a hacked account is used to solicit minors, send threats, or distribute intimate images.

What to Watch For Over 3 Months

Month 1: Complete the recovery steps and confirm the account is secured. Enable authenticator-based 2FA and save backup codes. Search the linked email address on haveibeenpwned.com and change the Instagram password to something unique.

Month 2: Audit connected apps — remove everything unrecognized. Review the account’s “Login activity” to confirm no unknown sessions remain. Have a conversation with your child about why password reuse is dangerous using the breach results as a concrete example.

Month 3: Review whether your child has changed their contact privacy settings and whether their profile is set to private vs. public. Do a fresh app audit, as new permissions accumulate. Check whether the linked email account has its own 2FA enabled — it is the master key to the Instagram account.

Frequently Asked Questions

My child is 12 and shouldn’t technically have an Instagram account. Can I still report a hack?

Yes. Instagram’s minimum age is 13, but Meta’s support process doesn’t require you to disclose the child’s age to get account recovery help. If you’re reporting an impersonation or exploitation, you can and should identify your child as a minor — it triggers additional review protocols under NCMEC reporting agreements.

The hacker changed my child’s profile photo and username. Can Instagram restore the original?

Instagram’s account restoration can restore access to the account, but it does not automatically revert profile changes made by the attacker. Once you have access back, you’ll need to manually update the username and photo. If the username was taken by someone else in the interim, you may need to choose a new one.

How long does the Instagram selfie verification take?

Typically 1–5 business days for standard review. Instagram does not notify you when the review begins; you’ll receive an email when a decision is made. If you haven’t heard back in 5 business days, you can resubmit the form. Keep checking the spam folder of the linked email for Instagram’s response.

Can I report a hack to the police?

Yes, and for significant cases you should. File a report with your local police department and also submit a complaint to the FBI’s Internet Crime Complaint Center at ic3.gov. For any incident involving solicitation of images of a minor, report to NCMEC’s CyberTipline at cybertipline.org — Meta is legally required to submit reports of child sexual exploitation to NCMEC, and your independent report creates a parallel record.

What if the hacker is someone from my child’s school?

School-based cyberbullying involving account takeover may constitute unauthorized access under the Computer Fraud and Abuse Act (CFAA) at the federal level, or equivalent state statutes. Document everything and contact the school’s principal and your local police simultaneously.


About the author

Ricky Flores is the founder of HiWave Makers and an electrical engineer with 15+ years of experience building consumer technology at Apple, Samsung, and Texas Instruments. He writes about how kids learn to build, think, and create in a tech-saturated world. Read more at hiwavemakers.com.

Sources

  1. National Center for Missing and Exploited Children (NCMEC). (2023). CyberTipline 2022 Report. NCMEC. https://www.missingkids.org/content/dam/missingkids/pdfs/2022-ncmec-cybertipline-report.pdf
  2. Google/Harris Poll. (2023). Online Security Survey. Google. https://services.google.com/fh/files/blogs/google_security_survey_2023.pdf
  3. Federal Bureau of Investigation Internet Crime Complaint Center (IC3). (2023). 2022 Internet Crime Report. https://www.ic3.gov/Media/PDF/AnnualReport/2022_IC3Report.pdf
  4. Brookman, J., et al. (2022). Protecting teens online: Platform transparency and accountability. Georgetown Law Technology Review, 6(1), 1–54.
  5. Anti-Phishing Working Group (APWG). (2024). Phishing Activity Trends Report Q3 2024. https://apwg.org/resources/apwg-reports/
  6. Common Sense Media. (2023). The Common Sense Census: Media Use by Tweens and Teens 2023. Common Sense Media. https://www.commonsensemedia.org/research/the-common-sense-census-media-use-by-tweens-and-teens-2023
  7. Pew Research Center. (2024). How Teens Navigate Screen Time. Pew Research Center. https://www.pewresearch.org