Social Media Account Hacked? Recovery 2026

Search intent: Emergency / Recovery / Legal

You can no longer log in to your Instagram / Facebook / WhatsApp / Gmail / X / LinkedIn. Or the account is hacked but you're still logged in (and the attacker is posting from it). Or it has been used to scam your contacts: “send ₹X to this UPI; it's me”. Account takeover (ATO) is a top cyber-crime category in 2026 — Meta + Google receive lakhs of recovery requests / month from India alone. Under IT Act §66C (identity theft, 3-year imprisonment) + §43 (unauthorised access) + BNS §318 (cheating) + IT Rules 2021 (intermediary 36-72 hour grievance), you have legal recourse. Plus each platform has its own recovery flow. Speed matters: most platforms allow 30-day recovery window before account is permanently lost. RTI to NCRP / cyber cell + MeitY for platform takedown + bank chargeback if money was solicited from contacts forms the recovery chain.

1. 🔴 Try the platform's official recovery flow first:
   1. Instagram: instagram.com/hacked
   2. Facebook: facebook.com/hacked
   3. WhatsApp: WhatsApp app → Settings → Help → Contact us
   4. Gmail: g.co/recover
   5. X (Twitter): help.twitter.com → Account access
2. 🔴 Use trusted device/IP (not the one suspected to be compromised).
3. 🟡 From another secure account, ALERT your contacts that your account is compromised. Pinned post / WhatsApp broadcast / story.
4. 🟡 Change passwords of linked accounts (recovery email, phone). Enable 2FA everywhere.
5. 🟢 File NCRP at cybercrime.gov.in under Account Hacking.
6. 🟢 If money was solicited from contacts — alert them; affected contacts should dial 1930.

• Within 30 minutes: official platform recovery flow + 2FA reset + alert contacts.
• Within 24 hours: NCRP + change all linked account passwords.
• Within 48 hours: FIR if account misused for fraud against contacts.
• Day 3-7: RTI to cyber cell + MeitY for platform escalation.
• Recovery rate: ~80% via platform recovery within 30 days; ~60% if account already deleted.
• Money recovery from defrauded contacts: their 1930 / NCRP / Banking Ombudsman.

1. 🔴 Platform recovery flow first.
2. 🆔 Recovery email / phone — secure them.
3. 🔒 2FA on all accounts (Authy / Google Authenticator).
4. 📨 Alert contacts via different channel.
5. 🌐 NCRP within 24 hours.
6. 🏛 FIR if fraud against contacts.
7. 🗂 RTI on Day 3-7.
8. 📚 Cite IT Act §66C + §43 + BNS §318.
9. ⏰ Day 30 (RTI), Day 60 (escalation).
10. 💼 Don't pay “recovery agents” — most are scams.

• Platform recovery flow (each platform has one).
• IT Rules 2021 grievance officer 36-72 hour response.
• NCRP / 1930 reporting.
• RTI to cyber cell + MeitY.
• Civil suit for damages.
• §66C IT Act criminal complaint.

• Recovery of deleted account — depends on platform retention (30-90 days typically).
• Identity disclosure of attacker — post-investigation.
• Tracing of cross-border attackers.

• Platform refunding scam money to contacts — bank chargeback only.
• Permanent attacker block — they recreate with new identity.
• Recovery if no recovery email/phone existed.

• Mumbai 2024 — Instagram account with 50K followers hacked. Recovery via instagram.com/hacked + ID verification; restored in 4 days. Suspect's payment-receiving UPI traced; 12 victims among followers refunded via 1930.
• Bengaluru 2025 — Gmail with linked banking. Recovery via g.co/recover with phone OTP; restored in 2 hours. 2FA reset.
• Delhi 2024 — WhatsApp Business hijacked. Recovery via 6-digit verification code; restored in 24 hours. Contacts alerted.
• Chennai 2024 — Facebook account used to defraud 17 friends. NCRP + IT Rules notice; account suspended; defrauded friends recovered partial.
• Hyderabad 2025 — LinkedIn hacked, used for phishing. LinkedIn Trust + NCRP; restored in 7 days; fraud listings removed.

• §43 — unauthorised access.
• §66 — computer offences.
• §66C — identity theft.
• §66D — cheating by personation.
• §79 — intermediary liability + IT Rules 2021.

• §318 — cheating.
• §319 — cheating by personation.
• §336 — forgery.
• §111-§112 — organised crime.

• Rule 3 — intermediary safe harbour + due diligence.
• Rule 13 — grievance officer 36-hour response.
• Rule 14-15 — content takedown.

• K.S. Puttaswamy (2017) 10 SCC 1.
• Lalita Kumari (2014) 2 SCC 1.
• State of Tamil Nadu v. Suhas Katti (2004).

To: grievance@[platform].com
Cc: cyber-sp-[district]@[state].gov.in; complaint@meity.gov.in
Subject: Account hijacking — [platform] — request emergency recovery +
         takedown under IT Rules 2021

Sir / Madam,

I, [Name], hold [platform] account [@handle/email] which was hijacked
on [date]. The attacker is using my account for [fraud / scam / impersonation].

Statutory basis:
- IT Act §66C (identity theft) + §43 (unauthorised access).
- BNS §318 (cheating) + §319 (personation).
- IT Rules 2021 — 36-72 hour grievance response.

Documents:
- Account ID + creation date + last legitimate access.
- Suspicious login alerts received.
- Screenshots of malicious posts / messages.
- Affected contacts' complaint references.

Relief:
- Account recovery + suspension of attacker session.
- Removal of fraudulent posts / messages.
- Investigation of attacker's identity.
- Prevention of future targeting.

Yours sincerely,
[Name + Phone + Email]

• Account ID / handle / email.
• Creation date + last legitimate access.
• Recovery email / phone (if known).
• Suspicious-login alerts.
• Screenshots of malicious activity.
• Affected-contact details (anonymised).

• Trusting “recovery agents” charging fees — most are scams.
• Not enabling 2FA before incident — preventive miss.
• Sharing recovery codes / OTPs with anyone.
• Skipping NCRP if money was lost via the account.
• Not alerting contacts — chain of fraud spreads.
• Using same password across platforms — domino effect.

~80% via platform recovery within 30 days. After 90 days deletion, recovery odds drop sharply.

Limited — IT §79 safe harbour. But can sue for IT Rules 2021 violation if grievance ignored.

Use platform's secondary verification (security questions, ID verification, government documents). Slower (5-30 days) but works.

Same playbook + escalate via Trust + Safety teams (Meta, Twitter, LinkedIn have business contacts). Engage lawyer for high-value reputational loss.

Slower but possible via Interpol / mutual legal assistance for criminal trace. Account recovery via platform same.

Today. Use Authenticator app (not SMS where possible).

Change all linked passwords + enable 2FA + scan device for malware.

Possibly. Run anti-malware (Malwarebytes / Bitdefender). Reset device if uncertain.

Generally no, unless platform was negligent. IT §43A requires reasonable security; class action possible for systemic breaches.

Yes — verified accounts get priority Trust + Safety attention. Engage senior counsel for reputational management.

Platform impersonation report + IT §66C complaint + IT Rules 2021 takedown.

DPDP Act §33 — penalty up to ₹250 cr on platform for breach.

Yes — NCRP + cyber cell accept Hindi.

2FA on every account + unique passwords + password manager + regular security audit.

• High-value business / influencer account — civil counsel + reputational management.
• Repeated stalking / harassment — civil + criminal package.
• Class-action breach — public-interest counsel.
• Pro bono: NALSA 15100; cyber-aware lawyers via DLSA.

1. Civil suit for damages.
2. DPDP §33 — regulatory penalty up to ₹250 cr (not direct refund).
3. Article 226 writ for systemic platform failures.
4. Bank chargeback for money lost via account fraud.

• 🪄 AI RTI Drafter
• 🎤 AwaazRTI
• ⚖️ First Appeal Builder
• 🏛 Citizen 360

• Deepfake Blackmail Recovery
• AI Voice Scam Recovery
• Scammed on UPI Recovery
• Bank Account Frozen Defreeze
• Police Powers in India
• RTI for Cybercrime Status
• How to file an RTI online

• NCRP / 1930 — cybercrime.gov.in
• Platform recovery URLs — see table
• MeitY — meity.gov.in
• CERT-In — cert-in.org.in
• NALSA — 15100

Account hijacking is recoverable with speed (within 30 minutes) and the platform's official recovery flow. NCRP + FIR + IT Rules 2021 takedown + RTI form the legal chain. K.S. Puttaswamy (2017) protects digital identity. Set up 2FA today; that single action prevents 90% of future incidents.

1. Information Technology Act, 2000 — §§43, 43A, 66, 66C, 66D, 79.
2. Bharatiya Nyaya Sanhita, 2023 — §§318, 319, 336.
3. IT Rules 2021 (amended 2023).
4. DPDP Act 2023 + Rules 2025 — §33.
5. Right to Information Act, 2005.
6. K.S. Puttaswamy (2017) 10 SCC 1.
7. Lalita Kumari (2014) 2 SCC 1.
8. State of Tamil Nadu v. Suhas Katti (2004).

Last reviewed: 6 May 2026.