Why changed recovery details are the real problem
When an attacker changes the recovery email, phone number, or MFA settings, they are not just locking you out. They are trying to make future recovery requests route back to them. That means speed matters, but so does working in the right order.
Start with the account that controls the others
If your email account is part of the incident, begin there before focusing on social platforms. A compromised mailbox gives the attacker a reset path into Instagram, Facebook, Apple, Google, and banking accounts tied to that address.
Check for password-reset emails, forwarding rules, and unfamiliar recovery details
Revoke active sessions and review trusted devices
Work through every important account that uses the same email address
Document the changes and use the platform's recovery path carefully
Support and automated recovery flows tend to work better when you can show the exact timeline: when the login failed, what changed, and which contact details were swapped. The goal is to remove the attacker and then harden the connected accounts so the same takeover path cannot be reused.
Frequently asked questions
If the hacker turned on 2FA, does that mean the account is gone?
Not necessarily. It means the attacker is trying to cement access, but many recoveries still succeed if you move quickly and work through the platform and connected email account methodically.
Should I contact friends or clients if messages were sent from my account?
Yes. If the attacker used your account to message others, warn people quickly so they do not click links, send money, or trust new requests that appear to come from you.
What if more than one account was taken over at the same time?
Treat it as a connected incident. Shared passwords, a compromised mailbox, or reused recovery details often let one breach spread into several accounts at once.