
How to secure your account after recovery — the post-recovery checklist

Your account is back. Now lock it down so you don't end up here again. The complete post-recovery security checklist for Instagram and Facebook.

May 14, 2026 · 6 min read · By Shilder Recovery Team
Written by Shilder Recovery Team. Reviewed by Shilder Editorial Review. Last reviewed 2026-05-15.

You got your account back. Don’t close the tab. The next 30 minutes determine whether you’re here again in six months.

This is the exact checklist we send every customer after a successful recovery. It works for both Instagram and Facebook — the principles are the same, the menus are slightly different.

Short answer
What should I do immediately after recovering my Instagram or Facebook account?

Change your password, enable authenticator-app 2FA (not SMS), review login history and sign out all devices, remove unfamiliar trusted contacts, audit connected apps and revoke unknown ones, update recovery email and phone, and back up your data. Do all of these within the first hour — that’s the window when an attacker who still has session tokens can resume access.

Within the first hour

These steps matter most. Do them in this order.

1. New password, password manager

A unique 16+ character password, generated by a password manager and stored only there. Not “Summer2026!” with a number bumped. Not the same password you use on three other sites.

The most common reason accounts get hacked the second time is password reuse across services. Pick a password manager (1Password, Bitwarden, Apple Keychain, anything that isn’t a sticky note) and let it generate something you don’t need to remember.

2. Authenticator app 2FA

If you only do one thing from this list, do this. SMS 2FA is better than nothing but it’s defeated by SIM-swap attacks — which is how most “sophisticated” takeovers work in 2026.

  • Instagram: Settings → Security → Two-Factor Authentication → Authentication App.
  • Facebook: Settings → Security and Login → Use Two-Factor Authentication → Authentication App.

Use Google Authenticator, Authy, 1Password (built in), or any TOTP app. Avoid Microsoft Authenticator if you’re going to switch phones often — its account migration is rough.

Save the backup codes. Print them. Put them somewhere offline. If you lose your authenticator and don’t have backup codes, you’re back in 2FA-lockout recovery territory.
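How an authenticator app turns the secret it holds into the six-digit code (RFC 4226/6238), and why backup codes are single-use, as an added Python example that is not Shilder's or Meta's code. The secret and timestamps in the test are the RFC 6238 reference values; the backup-code scheme is an illustrative one and assumes nothing about Meta's implementation.

```python
# Added example (not Shilder's or Meta's code): how an authenticator app
# derives codes from a secret held on the device, per RFC 4226/6238, and
# how single-use backup codes are generated and redeemed. No phone number
# is involved anywhere, which is why SIM swapping does not defeat it.
import base64
import hashlib
import hmac
import secrets
import struct

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the counter, dynamic truncation, mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)

def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP whose counter is the number of 30-second steps since epoch."""
    return hotp(secret, now // step, digits)

def verify_totp(secret: bytes, code: str, now: int, window: int = 1) -> bool:
    """Accept the current step and +/-window neighbours to tolerate clock drift.
    Constant-time comparison so timing does not leak how many digits matched."""
    return any(hmac.compare_digest(totp(secret, now + k * 30), code)
               for k in range(-window, window + 1))

def decode_app_secret(text: str) -> bytes:
    """Authenticator apps display the shared secret in base32; decode it."""
    s = text.replace(" ", "").upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))

def new_backup_codes(n: int = 8):
    """Generate one-time backup codes. The plaintext is what you print and keep
    offline; the service stores only hashes, so a database leak does not expose them."""
    codes = [secrets.token_hex(4) for _ in range(n)]
    hashes = {hashlib.sha256(c.encode()).hexdigest() for c in codes}
    return codes, hashes

def redeem_backup_code(code: str, hashes: set) -> bool:
    """A backup code is valid exactly once: its hash is removed on success."""
    h = hashlib.sha256(code.strip().lower().encode()).hexdigest()
    if h in hashes:
        hashes.remove(h)
        return True
    return False
```

The point to take from the code: the only thing that can produce a valid code is the secret on your device, so losing that device without the printed backup codes leaves no way in.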

3. Review login history, sign out everything

Go to active sessions:

  • Instagram: Settings → Security → Login Activity.
  • Facebook: Settings → Security and Login → Where you’re logged in.

You’ll see a list of every device currently logged in. Anything you don’t recognize, log out. When in doubt, log everything out and re-authenticate on your devices.

This step is the one most people skip and the one that catches the most active threats — session tokens persist even after a password change.

4. Remove trusted contacts and recovery options you didn’t set

Attackers often quietly add their own recovery options before they’re kicked out. Check:

  • Recovery email addresses.
  • Recovery phone numbers.
  • Trusted contacts (Facebook’s legacy feature).
  • 2FA backup methods.

Remove anything you didn’t personally set up.

5. Audit connected apps

Many takeovers happen through compromised third-party apps that you authorized years ago and forgot about.

  • Instagram: Settings → Security → Apps and Websites → Active.
  • Facebook: Settings → Apps and Websites → Active.

Revoke anything you don’t actively use. If you’re unsure, revoke it — legitimate apps will prompt you to re-authorize when you next use them.

Within the first day

6. Update recovery email and phone

After kicking out attacker-added recovery options, make sure your real ones are set. Use:

  • An email account that has its own strong 2FA.
  • A phone number on a SIM you actually own (not a number used by anyone else).

If your previous email account is the one that got compromised originally, replace it with a new one before you continue.

7. Back up your data

Download a copy of everything from your account so you have a permanent off-platform record:

  • Instagram: Settings → Accounts Center → Your information and permissions → Download your information.
  • Facebook: Settings → Your Facebook Information → Download Your Information.

Pick JSON for full fidelity or HTML if you want it readable. Store the export somewhere offline.

8. Change passwords on linked services

If you used your Instagram or Facebook account to sign in to other services (login with Facebook, etc.), the attacker may have had access to those too while they had your account.

Audit:

  • Spotify, Netflix, Hulu (anything you signed in with Facebook).
  • Dating apps that connect to your social account.
  • Forums or web tools where you used social login.

Change passwords on each, and consider unlinking social login where you can.

9. Tell your contacts

If the attacker sent suspicious messages from your account, your contacts may have been scammed by what looked like “you”. A short message clarifying that your account was compromised stops the spread.

Don’t over-explain. Something like: “My account was compromised yesterday. If you got a message from me asking for money, a click on a link, or anything unusual, that wasn’t me. I’ve recovered the account and locked it down.”

Ongoing — the next 30 days

10. Watch for unusual login alerts

Meta sends login-alert emails when your account is accessed from a new device. Don’t mute these. If you see one you didn’t initiate, treat it as a fresh attack and repeat the first-hour checklist.

11. Don’t click password-reset emails you didn’t request

Common post-recovery scenario: you start getting password-reset emails for your Instagram, Facebook, email, or other services. These are usually attackers trying to regain access. Don’t click. Don’t reset. If you didn’t request it, ignore it.

12. Re-audit connected apps monthly for a quarter

Attackers sometimes use slow re-entry tactics — install one new connected app every few weeks hoping you’ll forget the audit. For the first 90 days post-recovery, re-check your connected-apps list monthly.

What not to do

  • Don’t reuse your previous password with a tweak. The attacker likely has it, and credential-stuffing tools try common variations of a known password, so small tweaks don’t protect you.
  • Don’t enable SMS 2FA as your only second factor. SIM-swap attacks are the entire reason your account is here.
  • Don’t skip backup codes. Lose your authenticator app without backup codes and you’re looking at another recovery cycle.
  • Don’t leave third-party apps you don’t actively use connected. They’re your widest attack surface.
  • Don’t announce on your recovered account that you were hacked. It often invites a second round of attacks from people who saw the original takeover.

The single most important thing

If you take nothing else from this guide: enable authenticator-app 2FA today, save the backup codes offline, and use unique passwords stored in a password manager. Those three things stop 95% of takeover scenarios.

We send this checklist to every customer after a successful recovery. It’s how we keep them from being here again.

Official sources referenced

We use official Meta, Instagram, and Facebook documentation as source material, then add operational context from anonymized Shilder case work.
