If you are reading this, the chances are that something has just gone very wrong. Maybe you cannot log into Instagram or Facebook. Maybe strange posts are going up on your account that you cannot stop. Maybe a robot just told you, again, that your ID is not clear enough. Your stomach is in a knot, you are scrolling on your phone trying to find someone, anyone, who can help.
We see this every week. The shock of losing access to your own account, especially one that holds your business, your friendships and years of memories, is real, and it is bigger than people who have not been through it realise. Take a breath. There is a route back, and the rest of this article walks you through it in plain English.
There is one thing you need to understand from the start. Time is of the essence. The longer you wait, or the longer you spend on the wrong route, the more it costs you, and in some cases the difference between getting your account back and losing it forever is measured in days, not weeks.
Why this is more urgent than it looks
Most people lose their first week to the help pages, then their second week to scammers, then a month to silence. By the time they think about a solicitor, the damage is already stacking up.
There are three clocks ticking against you from the moment you lose access. The first is the platform itself. Meta typically runs a 30-day countdown on a permanently disabled account before the data inside it is wiped. Once that timer expires, your photos, your messages, your contacts, your client list and your work history are gone for good, and not even the platform itself can bring them back.
The second is your business and your reputation. Every day the account stays dark, your customers and followers are wondering whether you have gone out of business, breached a contract, or are simply ignoring them. Some of them have been receiving spam from your account in the meantime. Some have been quietly clicking unfollow. The longer the silence, the more you are going to have to rebuild later.
The third clock is the algorithm. While a hijacker is using your account to blast adverts and links, the platform is logging all of it as suspicious behaviour and quietly downgrading the account. Even after we win it back, that downgrade lingers for months. The earlier we stop the bleeding, the less of that long-tail damage you carry.
Time is the one thing you cannot get back. Every day the account is dark is a day of revenue, reputation and reach you do not recover later.
A story that will sound familiar
A while ago we acted for a young man who runs the social media for a few hundred athletes. His Instagram is, quite literally, his business. One morning he woke up to a flood of security emails from Facebook, half of them in a language he does not speak. By the time he reached for his laptop, somebody on the other side of the world had taken over his account, changed the password, and was running adverts for skincare cream he had never heard of.
He did everything the help pages told him to do. He changed his password. He uploaded his ID. He clicked the appeal button. Nothing worked. The system kept telling him his ID was unclear, the appeal button kept returning a generic error. For the better part of a year, his livelihood was simply switched off.
When he finally instructed us, we got him back online in a fortnight. The painful part was the year he spent trying to do it on his own first.
Why your password and 2FA didn't save you
Most of us were taught that strong passwords plus two-factor authentication keep us safe. That used to be more or less true. It is becoming less true every year.
The way most accounts are stolen now has nothing to do with passwords. When you log into Instagram or Facebook, the app gives your phone a kind of electronic wristband, called a session token, that says: this person is already logged in, leave them alone. That wristband is what stops you having to type your password every five minutes.
Hackers no longer try to guess your password. Their software steals the wristband. Once they have it, they paste it into their own phone or laptop and Instagram waves them through. No password is asked for. The two-factor code is never even requested. As far as the system is concerned, that device is already logged in.
How does the wristband get stolen? Usually through an email that looks like a sponsorship offer, with a "campaign brief" attached. You open it, expecting to see how much somebody wants to pay you. The document looks empty or broken, you sigh, you carry on with your day. The software has already done its work in the background.
Why sending in your ID over and over does not work
When the hacker gets in, the first thing they do is change your recovery email and phone number. To the platform's computer, it now looks as if the person in another country is the real you, and you, sitting in your kitchen with your real driving licence in your hand, are the imposter.
That is why the algorithm rejects your real ID. It compares the photo you have just uploaded against the email and phone number now on the account. They do not match, so it concludes you are not the owner. It does not matter how clear your photo is.
To make matters worse, hackers now use AI to produce fake IDs that are designed to slip through this exact verification system. The fake ID gets accepted while your real one is rejected for glare. AI is talking to AI, and the human is the one being told they do not exist.
The shortcut that almost always isn't, and why it costs you twice
When the platform stonewalls you, you start Googling. Within minutes you will find people on Reddit, Telegram, Instagram itself or in YouTube comments, all promising to recover your account in 24 hours for a few hundred pounds in cryptocurrency. Some of them have professional-looking websites. Some sound like sympathetic insiders. They are, with very few exceptions, scammers.
What we see, week after week, is the same pattern. The "fixer" asks for an upfront fee, often in Bitcoin or Ethereum so it cannot be reversed. They string you along for a few days, sometimes a few weeks, asking for "additional verification fees" or "platform release charges". Then they vanish. You have lost the money, you have lost more time on the deletion clock, and you are no closer to your account.
Worse, some of them ask you to share screenshots, ID and even passwords as part of their "process". You hand over more of your personal information to a stranger you cannot identify. We have seen identity fraud follow on from one of these scams more than once.
You will also see Meta Verified suggested as a route to live human support. The catch is that you cannot subscribe to Meta Verified from inside an account you cannot log into. Some people set up a fresh account, pay the fee, and try to use that to plead the case of their real account. The agent on the other end is rarely empowered to help. Another week wasted, another fee paid, no result.
The fixers on Reddit and Telegram are not insiders. They are scammers in a very good costume, and the tax they charge is your time, your money and very often your personal data.
The trick the algorithm cannot ignore: it is your data
Here is the part most people do not realise. Your account is not just an account. Legally, in the UK and across Europe, your account is a collection of your personal data. Your photos, your messages, your contacts, your work history, your location. That data belongs to you, not to Meta.
The General Data Protection Regulation (GDPR) and the UK Data Protection Act 2018 give you a clear right of access to your own personal data. When a platform locks you out and refuses to operate a working appeal, it is not just enforcing a contract. It is denying you access to your own data. That is a legal failure, not a customer service issue.
That is the lever a solicitor uses. We do not write to Meta arguing about community guidelines or terms of service, because they wrote those rules and they will win that argument every time. We write to them as a data controller that is breaching your statutory rights. The wording matters because the consequences for them are very different. Statutory breaches carry statutory penalties, and Meta were fined 1.2 billion euros by the Irish Data Protection Commission in 2023.
What we actually do, in plain English
When a client calls us about a hijacked account, this is what happens, usually within the first 48 hours.
- We send a formal solicitor's letter to Meta in Dublin and California, putting them on notice as a data controller and freezing the 30-day deletion clock so your data cannot be wiped while we work.
- We follow up with a sharper escalation letter inside the company, citing both the GDPR and the EU Digital Services Act, so the file lands in front of senior legal counsel rather than an outsourced contractor.
- Where appropriate, we use a professional back-channel to a lawyer who acts for Meta, so the file moves to someone with the authority to override the algorithm.
In our most recent case of this kind, the account was returned within four weeks of that back-channel conversation. After the better part of a year of the client trying on his own, we got him back online in a fortnight.
When to pick up the phone
There are two moments when calling a solicitor is the right move, and both of them are sooner than people usually think.
The first is right after you realise the hack has happened, ideally before you have wasted any time on Reddit fixers or paid for a Meta Verified burner account. Acting in the first few days lets us put the platform on notice while every email, screenshot and timestamp is still fresh, and while the deletion clock is at its fullest. Early calls are cheaper calls.
The second is when you have been bouncing around the appeal system for weeks, and you are about to start sending crypto to a stranger online. Stop, before you do. We have seen what happens after. We can almost always do better, and faster.
We have helped recover lost social media accounts dozens of times now, for influencers, agency owners, small businesses and private individuals. The platforms are very large, very automated, and very good at saying no. The law is on your side. You just need somebody who knows which lever to pull, and you need them now, not next month.
Cohen Davis, internet law specialists, Soho, London.
