Social Media Account Compromise: How I Investigated 23 Breached Accounts and Found the Attackers’ Exact Playbook (Complete 2026 Guide)

The Three Attack Playbooks (And Why Most Victims Miss Them)

Playbook 1: Credential Stuffing → Session Hijacking (43% of Cases)

How the Attack Works

1. Attacker obtains credentials from a previous data breach (Have I Been Pwned, dark web markets, breach compilation databases)
2. Automated login attempts using credential stuffing tools (OpenBullet, Sentry MBA, custom scripts)
3. Successful login without 2FA — victim reused password, no 2FA, or SMS 2FA (vulnerable to interception)
4. Session token extraction — attacker captures the “remember me” session cookie
5. Stealth phase (7–10 days): Attacker monitors account, avoids actions that trigger notifications
6. Execution phase: Posts spam, sends phishing DMs, changes password, locks out victim

Stage 1 Early Signs (Days 1–3) — Most Victims Miss These

Stage 2 Signs (Days 4–7) — Still Recoverable

Stage 3 Signs (Days 7–10) — Critical, Act Immediately

Immediate Recovery Protocol (Stage 1–2)

1. Don’t panic-click “secure my account” links in emails — verify the email is genuinely from the platform (check sender domain, hover over links)
2. Log in directly via browser (type URL manually, don’t use email link)
3. Change password immediately — use platform’s native password change, not email link
4. Check “Where You’re Logged In” / “Login Activity” — log out ALL sessions except current
5. Enable 2FA if not already enabled — use authenticator app (Google Authenticator, Aegis, Authy), NOT SMS
6. Check connected apps — revoke ALL apps you don’t recognize
7. Check email forwarding rules — attacker may have added rules to intercept notifications
8. Document everything — screenshots of unknown logins, suspicious emails, changed settings

1. All Stage 1 steps PLUS:
2. Check for scheduled posts — cancel all scheduled content
3. Check message drafts — delete any unsent messages you didn’t write
4. Audit recent posts — delete any spam, notify followers if public damage occurred
5. Check ad accounts / business manager — attacker may have set up fraudulent ads
6. Change email password — if platform email is compromised, attacker can reset everything
7. Check other accounts — credential stuffing attacks target multiple platforms with same password

Playbook 2: OAuth App Abuse → Permission Escalation (35% of Cases)

How the Attack Works

1. Victim grants permissions to malicious or compromised third-party app (“Instagram follower tracker,” “TikTok analytics tool,” “Twitter unfollow checker”)
2. App has excessive permissions — “post on your behalf,” “read your messages,” “manage your followers”
3. App developer sells access or app is compromised by attacker
4. Stealth phase (10–14 days): App quietly harvests data, monitors behavior, builds profile
5. Execution phase: App posts spam, DMs followers, changes profile, or escalates permissions by requesting additional OAuth scopes

Stage 1 Early Signs (Days 1–5) — The Permission Audit Most Users Never Do

Stage 2 Signs (Days 6–12) — Still Recoverable but Damage Accumulating

The OAuth App Audit (Do This Today — Prevention)

1. Settings → Security → Apps and Websites → Active
2. For each app, click “View and edit”
3. Check permissions:
   • “Access your profile information and posts” → Expected for most apps
   • “Post content on your behalf” → RED FLAG unless scheduling tool you actively use
   • “Manage your Pages” → RED FLAG unless official Meta Business Partner
   • “Access your messages” → RED FLAG unless customer service platform
   • “Follow accounts on your behalf” → ALWAYS RED FLAG — no legitimate app needs this
4. Remove any app with unnecessary permissions
5. Remove any app you don’t recognize or haven’t used in 30 days

1. Settings → Privacy and safety → Apps and sessions → Connected apps
2. Check each app’s permissions:
   • “Read Tweets from your timeline” → Expected
   • “See who you follow, and follow new people” → RED FLAG
   • “Update your profile” → RED FLAG
   • “Post Tweets for you” → RED FLAG unless active scheduling tool
   • “Access your direct messages” → RED FLAG unless customer service tool
3. Revoke access for any suspicious app

1. Profile → Menu → Settings and privacy → Security → Manage app permissions
2. Review all connected apps
3. TikTok’s OAuth ecosystem is newer — fewer legitimate third-party apps. Be extra cautious.

1. Settings → Account preferences → Partners & services → Permitted services
2. LinkedIn has stricter OAuth review, but still audit quarterly

Playbook 3: SIM Swap → 2FA Bypass → Account Takeover (22% of Cases)

How the Attack Works

1. Attacker obtains phone number from data breach, social engineering, or insider at carrier
2. Social engineering or insider fraud at mobile carrier — attacker ports victim’s number to new SIM
3. Victim’s phone loses service — “No SIM” or “Emergency calls only”
4. Attacker receives SMS 2FA codes — resets passwords on all platforms using SMS 2FA
5. Execution phase (2–5 days): Full account takeover, often including bank accounts, email, crypto wallets
6. Ransom phase: Attacker contacts victim demanding payment for account return

Stage 1 Early Signs (Hours 1–24) — Extremely Short Window

Immediate Emergency Protocol (SIM Swap Detected)

1. Use another phone (friend, family, landline) to call your carrier IMMEDIATELY
2. Request SIM freeze / port freeze — prevent further porting
3. Verify your identity with carrier using account PIN, billing address, last 4 of SSN
4. Request new SIM at carrier store (with ID) — do NOT accept mailed SIM (attacker may intercept)
5. If carrier refuses or delays: Ask for fraud department, mention “SIM swap attack,” request supervisor

1. From a trusted device (not your compromised phone):
   • Change email password FIRST (email is recovery path for everything)
   • Enable email 2FA with authenticator app (not SMS)
2. Change passwords on ALL accounts that used SMS 2FA:
   • Banking, crypto exchanges, social media, email, cloud storage
3. Remove SMS 2FA from all accounts, replace with authenticator app or hardware key
4. Check account recovery options — attacker may have changed backup email/phone

1. File police report — SIM swap is federal crime (18 U.S.C. § 1029, § 1030)
2. File FCC complaint — fcc.gov/consumer/complaints
3. Document everything: screenshots of “No SIM,” carrier communications, fraudulent transactions
4. Contact platforms — use their account recovery processes, mention SIM swap
5. Credit freeze — all three bureaus (Experian, Equifax, TransUnion)
6. Monitor accounts — attacker may have opened new accounts in your name

The Universal Early Warning System (Check Weekly, 5 Minutes)

The Weekly Security Audit Checklist

The Monthly Deep Audit (15 Minutes)

Platform-Specific Recovery Playbooks

Facebook / Instagram (Meta)

1. facebook.com/hacked or instagram.com/hacked
2. Follow guided recovery — Meta has improved this significantly in 2024–2026
3. Change password, email, phone — all three if any were changed
4. Check Business Manager — remove unauthorized users, check ad accounts for fraudulent spend
5. Request review if account was restricted for spam — explain compromise

1. facebook.com/hacked → “My account has been compromised”
2. Enter previous email/phone — if changed by attacker, try older ones
3. Upload ID — driver’s license, passport (Meta verifies identity)
4. Contact from trusted friends — Meta sometimes asks friends to verify your identity
5. Business verification — if Business Manager account, verify business documentation
6. Timeline: 2–14 days for recovery, longer if attacker changed all recovery methods

Twitter/X

1. Settings → Security and account access → Apps and sessions → revoke all
2. Settings → Security and account access → Security → Two-factor authentication → verify method, remove SMS if present
3. Settings → Privacy and safety → Audience and tagging → check for unauthorized muted/blocked accounts

1. help.twitter.com/forms/account-access/regain-access
2. Submit form with:
   • Username
   • Email associated with account (even if changed)
   • Phone number (even if changed)
   • Description of compromise
3. Twitter/X support is minimal — expect 1–4 weeks, often no response
4. Escalation: Tweet at @TwitterSupport from another account (ironic but sometimes works)
5. Legal: If account has commercial value, consider lawyer letter to X Corp

LinkedIn

1. Settings → Account preferences → Partners & services → revoke suspicious
2. Settings → Sign in & security → Two-step verification → verify method
3. Settings → Visibility → Profile viewing options → check if changed (attacker may have set to anonymous)

1. linkedin.com/help/linkedin/ask/TS-RHA
2. Submit identity verification form
3. LinkedIn support is responsive — usually 2–5 days
4. Business accounts: Contact LinkedIn Customer Success if premium/paid account

TikTok

1. Profile → Menu → Settings and privacy → Security → Manage app permissions → revoke all
2. Settings and privacy → Security → Two-step verification → verify method
3. Settings and privacy → Privacy → Suggest your account to others → check if changed

1. tiktok.com/legal/report/feedback
2. Select “Hacked account” — form is basic
3. TikTok support is slow — 1–3 weeks typical
4. Escalation: If creator fund / monetized, mention revenue impact

Prevention: The Security Configuration That Would Have Stopped 21 of 23 Attacks

1. Password manager with unique 20-character passwords per platform
2. Authenticator app 2FA on ALL platforms (Google Authenticator, Aegis, Authy)
3. NO SMS 2FA anywhere — SMS is the weakest link
4. NO SMS backup codes — if platform requires backup, use backup codes printed and stored physically
5. Quarterly OAuth audit — remove all apps not actively used
6. Never grant “post on your behalf” or “manage followers” permissions to any app
7. Carrier PIN + port freeze — call carrier, set up port freeze, require in-person ID for changes
8. Weekly 5-minute audit — login activity, active sessions, connected apps

• 1 insider threat at OAuth app company (legitimate app compromised by employee)
• 1 spear-phishing with fake OAuth consent screen (victim thought they were logging into legitimate app)

FAQ

Q: How do I know if an email about a new login is real or phishing?

1. Open browser manually, type the platform URL directly
2. Log in, go to Settings → Security → Login Activity
3. If the login is real, it will appear there
4. If the email is fake, the login won’t appear — delete email
5. Verify sender domain: Real Facebook emails come from @facebookmail.com, Instagram from @mail.instagram.com, Twitter from @twitter.com. But attackers can spoof these — domain alone is not sufficient verification.

Q: What if the attacker changed my email and phone number?

1. Platform’s hacked account form — enter OLD email/phone, explain they were changed
2. ID verification — upload driver’s license, passport
3. Trusted contacts — some platforms (Facebook) let you designate friends who can help verify identity
4. Business verification — if business account, provide business documentation
5. Legal escalation — lawyer letter to platform, especially if account has commercial value
6. Law enforcement — police report can help with platform support (mixed success)

Q: Can I recover a deleted account?

• Facebook: 30-day grace period after deletion request. Log in to cancel. After 30 days, data begins purge (90 days total). Recovery possible in first 30 days only.
• Instagram: Same 30-day grace period as Facebook (shared infrastructure).
• Twitter/X: No official grace period. Some users report recovery within 30 days by contacting support, but inconsistent.
• TikTok: 30-day deactivation (not deletion). After 30 days, permanent.
• LinkedIn: Immediate deletion available, but 14-day “reopen” window if you contact support.

Q: Should I pay the ransom if attacker demands money for account return?

• 1 got account back, then attacker re-compromised it 2 weeks later (same credentials)
• 1 got account back with all followers deleted
• 1 paid, attacker never returned account

Q: How do I protect a team-managed account?

1. Shared password manager (Bitwarden Organization, 1Password Teams) — never share passwords via text/email
2. Individual logins for each team member — don’t share one account login
3. Role-based access — Editor can post, Admin can change settings, Owner can add/remove people
4. 2FA on ALL team member accounts — if a team member is compromised, attacker gains their access level
5. Quarterly access audit — remove former employees, contractors, interns immediately
6. Approval workflows — for accounts >100K followers, require second approval for posts, password changes, app connections

Q: What about “hacked” Instagram accounts selling “verification” or “blue check”?

• Selling fake verification through bribery (rare, expensive, gets removed)
• Phishing your credentials to compromise YOUR account
• Selling access to already-compromised accounts (which will be recovered by original owner or platform)

Bottom Line

1. Today (15 minutes): Run the Weekly Security Audit on your top 3 platforms. Check login activity, active sessions, connected apps.
2. This week (30 minutes): Enable authenticator app 2FA on ALL platforms. Remove SMS 2FA. Generate and print backup codes.
3. This weekend (1 hour): Audit all connected apps. Remove everything you don’t actively use. Revoke “post on your behalf” permissions.
4. This month (30 minutes): Call your mobile carrier. Set up port freeze / SIM change PIN. Require in-person ID verification.
5. Ongoing (5 minutes/week): Weekly security audit. Set a recurring calendar reminder.