Who’s in your Facebook and Instagram accounts?

What to do if you receive a notification about a suspicious login to your Facebook or Instagram account.

What to do if someone tries to hack your Facebook or Instagram account

A notification pops up on your smartphone screen: “We detected an unusual login attempt from Rio de Janeiro, Brazil.” Whether the login attempt occurs where you live, halfway around the world, on the kind of phone you use, or from a device you’ve never heard of, what’s really going on here is an attempt to make you panic. Don’t panic.

Either someone’s been busted trying to log in to your account or not, and freaking out will not help. To help you remain calm and survive the incident with minimal losses, we are arming you with knowledge of what it might be and what to do.

What it might be

To begin with, let’s figure out how an outsider could have gained access to your account in the first place. It can happen in one of several ways.

Data leak and credential stuffing

Data leaks and breaches pop up in the news quite often, and even if Facebook and Instagram weren’t hit directly, if another website is breached and the compromised data included your account info, then cybercriminals possess your credentials. Using a list of e-mail usernames and passwords, they can carry out a credential-stuffing attack — that is, they enter the stolen credentials on other sites. That works because people use the same password for multiple accounts, an unforced but extremely common error.

Alternatively, your Facebook or Instagram credentials might have leaked from an associated app. For example, in June of last year, SocialCaptain, a service for growing Instagram following through automation, leaked thousands of Instagram account passwords. The service didn’t encrypt client data, as it turned out. It is reasonable to assume that many SocialCaptain users have since encountered hacking attempts.


You could be looking at the results of a phishing scam, that your username and password landed in the hands of scammers. It happens. Maybe you clicked on a link and entered your credentials on a convincing fake Facebook or Instagram login screen. For example, just recently, our experts uncovered a phishing campaign that lured victims to fake login pages by threatening to block their Facebook account for copyright infringement.

Password theft

Malware can also steal credentials. For example, many Trojans come with a built-in keylogger, a program that, as the name suggests, logs keystrokes on the keyboard. If you picked up malware that logs keystrokes, then cybercriminals have every username and password you’ve entered since.

Access token theft

Perhaps someone stole your access token. To avoid having to enter your password every time you sign in to Facebook or Instagram, the app saves a small piece of login information on your computer, known as an access token, or token for short. If a cybercriminal steals a valid token, they can access the account without a username and password.

Tokens have been stolen through vulnerabilities in Facebook — for example, in 2018, attackers got hold of access tokens for 50 million Facebook accounts. Tokens can also be stolen through browser extensions.

Login from another device

Nor is it inconceivable that you logged in to Facebook or Instagram from someone else’s device — at a party, in an Internet café, in a hotel lobby — and did not log out afterwards. Or, for example, if you forget to sign out of your account on a device you later sell or give away, you may be giving someone else access to your account.

False alarm (phishing again)

Perhaps your account was not hacked at all. It’s also possible someone is trying to do precisely that, using a fake notification about a suspicious login attempt. That is phishing, as discussed above, but a slightly different variation. Instead of threatening to block your account, cybercriminals can use a fake login attempt notification with a link to a phishing site similar to the real login page. The hope is that the panic-stricken victim will go to the fake site and enter their credentials there.

What to do

Now that you know the possible causes, it is time to act.

First, log in to your account — but definitely not through the link in the notification (as we already know, it might point to a phishing site). Use the social network’s mobile app or manually enter the address in your browser. If the password does not work and you are locked out, refer to our detailed guide on what to do if your account has already been hijacked.

If you were able to log in, go to your account settings and check the authenticity of the notification. Each social network has its own interface; here’s how Facebook and Instagram manage messages.

Then, proceed to Account logins. If you see no suspicious entries, then the message was just phishing; delete and move on.

If you do see something suspicious in the list of account logins, take action immediately to mitigate the damage:

  • Immediately sign out of your account on all devices. On Instagram, you will have to end each session manually in the Account logins menu. Facebook can do it with a single click or tap under Security and Login in the settings. Your session on the current device will remain active.
  • Confirm your phone number and e-mail address in the account settings; attackers can change those details to receive links or codes for changing account passwords. If they did, change them back.
  • Set a new password, and make it one that is strong and that you don’t use anywhere else. If you are worried about keeping track, save your passwords in a password manager, which can also help you come up with a strong combination.
  • Enable two-factor authentication to make hacking into your accounts harder for cybercriminals, even if they get your password.
  • Scan all of your devices with a reliable antivirus to ensure they are free of malware.

Attention to security settings combined with good protection software will turn your account into a fortress.