
Internet Law Specialist Lawyers FREE CALL 0800 612 7211

A practical guide for influencer agencies, digital businesses and anyone whose livelihood lives on a platform

It is the email no business owner wants to wake up to. Three hundred clients. Years of contacts and content. A growing ad budget. All of it sitting inside a single Instagram handle, and somebody, somewhere, has just changed the password.

This article is about how to get it back.

Recovering a lost social media account, particularly one that has been hijacked, has quietly become one of the most common things our office is asked about. The reason is simple. The platforms, for all their public policies, are very bad at giving accounts back. Their automated recovery systems were never designed to cope with modern attacks, and their human support was never really built at all. If you are reading this because your Instagram, Facebook or other account has been taken from you, you are not on your own, and you have not run out of options.

A real example

A while ago we acted for the founder of a small but busy influencer agency. He looks after the social media of professional athletes and content creators across several countries. His Instagram handle was the storefront, the receptionist, the contract pad and the invoice book all rolled into one.

One morning he woke to a flood of automated security alerts from Meta, half of them in English and half in Vietnamese. By the time he opened his laptop, somebody on an iPhone in Ho Chi Minh City had taken control of his account, changed the password, and started running advertisements for skincare products through his ad account. He was locked out, completely, in under an hour.

What happened next is the rest of this article. It is also why, for any business whose value sits inside a platform, the most powerful tool in your locker is not your password manager. It is the General Data Protection Regulation.

How modern account takeover actually works

For years, security advice has revolved around two ideas: a strong password and two-factor authentication. Use both, the guidance went, and you are virtually bulletproof. Both are still necessary, but on their own they are no longer sufficient, and advice that stops there is becoming dangerously outdated.

The dominant attack vector now is session hijacking, sometimes called cookie hijacking. When you log into Facebook or Instagram, you authenticate yourself with a password and a 2FA code. The platform then sets a session cookie in your browser that keeps you signed in. Think of it as a VIP wristband. You showed your passport once at the door, and now you can move around the venue without proving who you are at every bar. The important detail is that the wristband is a bearer credential: the platform checks the wristband, not the wrist it is on.

Modern info-stealing malware, with names like Lumma and RisePro, does not try to crack your password. It silently reads those session cookies out of the browser's local storage, exfiltrates them to a server the attacker controls, and the attacker imports them into their own browser. They navigate to instagram.com and the platform welcomes them in. No password prompt. No 2FA challenge. As far as the system is concerned, this device has already passed every security check, because the cookie says so.

The typical delivery vector is a polite-looking email pretending to be a sponsorship offer, with a "campaign brief" PDF or zip attached that actually installs the stealer. Influencer agencies and content creators are perfect targets. They receive contracts and brand briefs constantly, and they open them quickly. Zero-click variants also exist, where simply receiving a malformed image in a messaging app is enough to compromise the device with no clicking required at all, but those rely on expensive exploits and are far rarer than a well-crafted brief attached to an email.


Why password hygiene is no longer the whole answer

Once you understand session hijacking, the limits of conventional advice become obvious. You can have a unique 24-character password and an authenticator app, and an attacker can still walk straight into your account by stealing the cookie that says you are already logged in. A hardware security key, like a YubiKey, is the single most effective control against phishing, because the credential is tied to the genuine site's origin and cannot be replayed to a look-alike page. But it only protects the sign-in. It cannot stop a cookie that has already been issued from being lifted out of your browser afterwards.

The cybersecurity industry's longer-term answer is to bind each session to the device that requested it, so that a stolen cookie is useless on a different machine. The original Token Binding standard never reached wide deployment; the current effort is Device Bound Session Credentials, where the browser keeps a private key in hardware such as a TPM and the server periodically demands a fresh signature from it. Until that becomes universal across browsers and platforms, the practical defences split in two. On the platform side: short session lifetimes and re-authentication before sensitive actions such as changing recovery details. On your side: aggressive malware prevention on every device that ever logs in, routinely reviewing and revoking active sessions in your account settings, and, if you suspect a theft, doing the revocation and password change from a clean device, because a change made on the infected one simply hands the attacker the new cookie.

AI is talking to AI, and the human is the one being told they do not exist.

Why the official recovery process keeps rejecting the real owner

The moment a hijacker started posting unauthorised ads from our client's account, Meta's automated systems sprang into action, not to help him, but to protect the platform. The Facebook account was suspended for breach of community standards. Because his Instagram was linked through Business Manager, it went down too. The cascade was instantaneous.

He did everything he was supposed to do. He changed his password. He requested a review. He submitted a photograph of his real, valid government-issued ID. The system rejected it, citing glare, blur, or some other minor flaw. Each time he resubmitted, the algorithm sent another generic refusal.

This is what we have come to call the faceless wall. Recovery is built around algorithmic identity verification. Once an attacker is inside an account, the very first thing they do is change the recovery email, the recovery phone number and the IP profile. From the algorithm's perspective, those new details are now the truth of the account. So when the real owner appears with the original device, the original IP and a real ID, the system sees an inconsistency and concludes that the legitimate owner is in fact the imposter trying to break back in.

It gets worse. Attackers routinely use generative AI to produce synthetic ID images built to satisfy the automated checks, with perfect lighting, perfect alignment and no glare. The algorithm cheerfully accepts them. The legitimate owner, taking a phone photograph of a real plastic card on the kitchen table, gets rejected.

And the appeal route is, more often than not, broken

On disabled Meta accounts, the appeal button has, for long stretches at a time, returned a generic placeholder message saying that the appeal cannot be reviewed at the moment, sometimes for months on end. The platform commits, in its own published policies, to a working appeal process, and then quietly fails to operate one. Whatever the reason, whether legacy code, outsourced moderation queues, or a deliberate bottleneck, the legal effect is the same. From a regulatory perspective, that gap is not a dead end. It is a useful piece of evidence.


The recovery black market, and why the obvious next step is a trap

When the front door is bricked up, desperate users go looking for a back door. There is now a mature ecosystem feeding on that desperation.

At one end are legitimate, specialist cybersecurity firms charging substantial retainers to navigate the bureaucracy. At the other end are scammers operating on Reddit, Telegram and from cloned WhatsApp profiles, promising guaranteed recovery within 24 hours for a few hundred dollars in cryptocurrency. The crypto goes through, the messages stop, and the user is victimised twice.

Even Meta's own paid solution, Meta Verified, runs into a paradox. One of its main perks is access to a live chat agent. But you cannot subscribe to Meta Verified from inside an account you cannot log into. Some users now create a fresh burner account, pay the monthly fee, verify it with separate ID, and then use the chat to plead the case of a different account altogether. The agent on the other end is rarely empowered to help.

The legal pivot: stop arguing terms of service, start arguing data protection

This is the point at which most lawyers' approach goes wrong, and where ours starts to differ.

If you write to Meta arguing that they have unfairly enforced their community guidelines, you are arguing contract law, on Meta's pitch, with rules that Meta wrote. The terms of service expressly reserve the right to terminate any account at any time for any reason, with no liability. You will lose, every time.

The pivot we make is to abandon the contract dispute entirely. The hijacked ad, the suspension reasoning, the community standards, all set aside. The legal weapon we reach for is statutory law: the General Data Protection Regulation, and the UK Data Protection Act 2018.

Article 15 GDPR: your account is your personal data

Under Article 15 of the GDPR, every data subject has the right to obtain from the data controller confirmation of whether their personal data is being processed and, if so, access to that data, and Article 12 requires the controller to respond without undue delay and in any event within one month. In this context, Meta is unambiguously a data controller, and your account is unambiguously full of your personal data. Your photos. Your messages. Your contacts. Your location history. Your business records.

When a platform permanently disables an account without operating a functioning appeal mechanism, it is not just enforcing a contract. It is denying a data subject access to their own personal data. That is a statutory failure, not a customer service issue, and statutory failures carry statutory penalties. Meta were fined 1.2 billion euros by the Irish Data Protection Commission in 2023 for an unrelated GDPR breach (unlawful transfers of EU users' data to the United States), which is the backdrop against which any subsequent demand letter is read.

The terms of service were drafted to protect Meta. The GDPR was drafted to protect you. Argue on the right pitch.


What a formal demand actually contains

A solicitor's letter that takes this approach does not ask the platform nicely to reconsider. It is served on specific corporate entities (typically Meta Platforms Ireland Limited at their Dublin headquarters, with a copy to Menlo Park) and it makes four discrete demands:

  • Formal written confirmation of the precise reason for the initial suspension.
  • Formal written confirmation of the reason for the subsequent permanent disabling.
  • An immediate outline of the steps the data subject is required to take to be reinstated.
  • An express undertaking to preserve all data within the account, suspending any automated deletion until the matter is resolved.

The fourth point is the one that changes the tempo. Once the platform's legal team are on notice that data must be preserved, any subsequent automated deletion is no longer routine policy enforcement. It becomes potential destruction of evidence, and a further GDPR failure that a regulator will weigh against the controller.

Where the GDPR addresses your rights over your personal data, the EU Digital Services Act addresses platform accountability. It requires online platforms to operate an internal complaint-handling system that is actually accessible and to offer out-of-court dispute settlement, with the heaviest obligations falling on the very large platforms. A long-running, broken appeal route is exactly what the DSA exists to police. Citing both in the same letter widens the regulatory perimeter the platform's legal team are looking at, and sharpens the calculation about how much longer they want to ignore us.

How our client's case actually played out

It is worth walking through what that combination looked like, week by week, because the timing matters.

The first formal letter went out a few weeks after we were instructed, served on Meta Platforms Ireland Limited at their Dublin headquarters, with a courtesy copy to head office in Menlo Park. The four demands set out above were the spine of it. Explain the suspension. Explain the permanent disable. Set out the reinstatement steps. Preserve the data. We added a short paragraph reminding Meta of the 1.2 billion euro fine the Irish Data Protection Commission had already imposed for an unrelated breach, so that the regulator's name was on the page from the first sentence.

The first response came back through Meta's legal-intake system within about ten days. It was boilerplate. Citing 'security reasons', they declined to disclose details or restore the account. We expected that. Most cases sit at this stage for weeks, while the file is shuffled between contractors, none of whom can override the algorithm.

Three months in, we sent a second, sharper letter, copied to Meta's Privacy Operations team and marked for the attention of senior legal counsel. The tone was deliberately escalatory: 'extreme dissatisfaction', 'unacceptable', and an explicit note that the continued delay was compounding our client's loss, and therefore Meta's potential liability. We added a paragraph explaining how the broken appeal route also sat uncomfortably with the EU Digital Services Act.

Then we made the call that, in our experience, is what actually moves these cases. We picked up the phone to a partner at a firm we know well, who has acted for Meta on other matters, and gave him a quiet heads-up that the file was about to become a regulatory problem rather than a commercial one. He routed it internally to the senior legal contact we had been trying to reach for months.

Less than four weeks after that conversation, our client was sent specific, personalised instructions to bypass the hijacker's lockouts and regain administrative control of both his Facebook and Instagram accounts. Within the same week, his entire client base, contract history, content archive and ad account were back under his control. The hacker's altered recovery details were cleared. The 30-day deletion clock was stopped. After the better part of a year out of business, he was back online in a fortnight.

That is the playbook. A precise statutory letter to the right corporate entity, putting the regulator on the page from the first paragraph. A sharper, escalatory follow-up to push the file up inside the company. And a courteous, professional back-channel to a lawyer who can put it in front of someone empowered to act. Each step is necessary. Together, they reliably work.


A solicitor's thoughts on cases like this

What stays with me about cases like this one is how alone people feel by the time they reach our office. By then, most have spent weeks or months talking to robots, refreshing rejection emails and handing money to fixers on Telegram. They tend to start the conversation almost apologising for having let it happen, as though falling for a brand sponsorship email is something to be ashamed of.

It is not. The attacks have got cleverer than the defences. I have lost count of the senior, technically literate clients who have been compromised by the same handful of techniques. The shame is not on the person who opened a PDF. It is on a system that rejects your real ID three times in a row, while quietly accepting an AI-generated fake from somebody on the other side of the world.

If I could give one piece of advice that would change the outcome of nine out of ten of these cases, it would be this. Come to a lawyer earlier than you think you need to. The first week after a hack is when the data is freshest, the deletion clock is at its fullest, and the mistakes that compound the loss have not yet been made. The clients who get their accounts back quickest are the ones who picked up the phone before they paid a stranger in cryptocurrency.

And the last thing I would say, gently, is that this is not your problem to solve alone. The platforms count on people giving up. The point of the work we do is to remind them, in writing, that the rules apply to them too.

When to call us

If your account has been compromised, or if you are an agency, an athlete, an influencer or a small business that depends on a platform you do not own, there are two moments when picking up the phone is worth it.

The first is the moment the hack is confirmed, before the 30-day clock that platforms quietly run against deletion has elapsed. Early action lets us issue the data-preservation demand before any data is irretrievable. The second is when conventional appeals have failed, and you are being pushed towards the recovery black market. We can save you that detour.

Recovering a lost social media account is rarely a do-it-yourself job once the algorithm has decided you are the imposter. The good news is that the law is on your side. You just need somebody who knows which lever to pull.


Cohen Davis, internet law specialists, Soho, London.

Tags: Breach of privacy | Internet lawyers UK | Internet Law | Scam recovery | Recovery of social media account | Business case studies
