I Scanned a QR Code and My Social Media Was Hacked — What to Do Right Now
If your Instagram, Facebook, TikTok, or another social account was taken over after scanning a QR code, you're in the right place. Act immediately — every minute matters. Here's why this happened and exactly what to do to get your account back.
Why a QR code can take over your social account
QR codes in social media scams typically point to pages that steal your access in one of three ways:
- Fake login or OAuth page. The QR code linked to a page that mimicked “Sign in with Instagram,” “Continue with Facebook,” or a similar prompt — promising free followers, exclusive content, or account verification. When you tapped “Authorize,” you handed the attacker an access token. Unlike a stolen password, an OAuth token stays valid even after you change your password, so the attacker keeps control of your account until that token is revoked.
- QR session-transfer attack. Some platforms — notably Discord and WhatsApp — use QR codes to link devices to an account. Scammers exploit this by sending a QR code that, when scanned, transfers your active session to the attacker's device. Scanning equals instant access: no password required.
- Direct credential phishing. The page looked exactly like Instagram's or Facebook's login screen. You entered your username and password, and the attacker now has your credentials — and used them before you could react.
The key implication: if you were hit by an OAuth or session-transfer attack, changing your password alone will not remove the attacker. You must revoke all active sessions.
Do these things immediately, in this order
1. Log out all sessions — right now
This is the most important step, and it must happen before the attacker changes your recovery email or phone number and locks you out.
- Instagram: Settings → Security → Active Sessions → Log Out All
- Facebook: Settings & Privacy → Settings → Security and Login → Where You're Logged In → Log Out of All Sessions
- TikTok: Profile → Menu (☰) → Settings → Security → Devices → remove all unrecognized entries
- Twitter / X: Settings → Security and Account Access → Apps and Sessions → Log Out of All Other Sessions
2. Change your password from a separate, clean device
Use a different device from the one you used to scan the QR code — ideally a computer or a phone that hasn't visited the suspicious page. Create a new password that is unique to this account. If you use a password manager, generate a random one now.
3. Revoke third-party app access
On Instagram, go to Settings → Apps and Websites and remove any app you don't recognize. On Facebook, go to Settings → Apps and Websites. Attackers often install a connected app so they can retain access even after sessions are terminated and passwords changed.
4. Enable two-factor authentication with an authenticator app
SMS-based 2FA is better than nothing, but an authenticator app (Google Authenticator, Authy) is significantly harder to bypass. Set this up on every social account you care about — not just the one that was compromised.
5. Review and report
Check whether the attacker changed your profile photo, bio, linked email or phone number, or sent any messages to your followers. Reverse any changes you find. Then report the compromise to the platform using the links below — this flags the attacker's activity and may help recover any content they deleted.
If you're already locked out of the account
If the attacker already changed the email or phone number associated with your account, you'll need to go through the platform's identity verification process:
- Instagram: On the login screen, tap “Forgot password?” then “Need more help?” You'll be guided through a selfie video verification to confirm you're the original account owner.
- Facebook: Go to facebook.com/login/identify. You can use a trusted contact, a recognized device, or a government ID.
- TikTok: On the login screen, select “Use phone / email / username,” then “Forgot password.” Choose the ID verification option if you no longer have access to the original email or phone number.
These processes can take hours to days. Start them immediately and be patient — do not create a new account in the meantime, as this can complicate the recovery review.
Frequently asked questions
Can scanning a QR code hack my social media account?
Yes — indirectly. QR codes for “free followers,” “exclusive content,” or “account verification” typically lead to OAuth-spoofing pages or session-transfer flows that hand the attacker access to your account. The QR code delivers you there; the page does the damage.
I changed my password but the hacker is still in my account. Why?
If the attack used an OAuth token or QR session-transfer, the attacker's session exists independently of your password. Changing your password doesn't invalidate their active session. You must explicitly revoke all sessions in your security settings — that's what forces them out.
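To make concrete why a password change alone does not evict an attacker (the point made in this answer and in the "key implication" earlier), here is an added example that is not part of the original article or of any platform's code: a minimal server-side session model in which tokens are validated against a per-account session epoch, so changing the password leaves them valid and only "log out all sessions" invalidates them. All function names and values are constructed for illustration.

```python
"""Constructed model of token validity vs. password changes (illustrative only)."""
import hashlib
import secrets
from dataclasses import dataclass, field


@dataclass
class Account:
    username: str
    password_hash: str
    session_epoch: int = 0                        # bumped by "Log Out All Sessions"
    tokens: dict = field(default_factory=dict)    # token -> epoch it was issued under


def hash_password(pw: str) -> str:
    # Illustrative only; a real service uses a slow hash such as argon2 or bcrypt.
    return hashlib.sha256(pw.encode()).hexdigest()


def create_account(username: str, password: str) -> Account:
    return Account(username, hash_password(password))


def issue_token(acct: Account) -> str:
    """Issued on login, on an OAuth 'Authorize' click, or on a QR device link."""
    token = secrets.token_hex(16)
    acct.tokens[token] = acct.session_epoch
    return token


def token_is_valid(acct: Account, token: str) -> bool:
    # Validation compares the issuing epoch only; the password is never consulted.
    return acct.tokens.get(token) == acct.session_epoch


def change_password(acct: Account, new_password: str) -> None:
    acct.password_hash = hash_password(new_password)   # issued tokens are untouched


def log_out_all_sessions(acct: Account) -> None:
    acct.session_epoch += 1   # every previously issued token now fails validation


def demo() -> tuple:
    """Returns (attacker still in after password change, still in after logout-all)."""
    acct = create_account("victim", "old-password")
    stolen_token = issue_token(acct)            # granted via the fake "Authorize" page
    change_password(acct, "new-unique-password")
    after_pw_change = token_is_valid(acct, stolen_token)
    log_out_all_sessions(acct)
    after_logout_all = token_is_valid(acct, stolen_token)
    return after_pw_change, after_logout_all
```

Running `demo()` returns `(True, False)`: the stolen token survives the password change and dies only when the session epoch is bumped, which is what the platform's "log out all sessions" button does behind the scenes.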
How do I recover my account if I'm already locked out?
Use the platform's official recovery flow. Instagram: “Forgot password?” → “Need more help?” (selfie verification). Facebook: facebook.com/login/identify (trusted contacts or ID). TikTok: “Forgot password” → ID verification. These identity checks can take time — start immediately and avoid creating a new account while the review is pending.
What should I do after I get my account back?
Revoke all active sessions, change your password, enable authenticator-based 2FA, remove any unrecognized connected apps, and check for changes the attacker made to your profile and linked contact details. Then report the incident to the platform so they can review suspicious messages or posts sent from your account.
Stop the scan before it stops you
QRsafer previews the destination URL and checks it for phishing, OAuth scams, and session-hijack pages before your browser opens — so the next QR code promising “free followers” gets flagged before you can tap anything on it. Free on iOS and Android.
