Safety · 5 min read · 24 May 2026

The account-safety checklist every creator should run this month.

Accounts don't usually get 'hacked' — they get phished, recycled-password'd, or quietly taken over through an app you authorised in 2023 and forgot. This is the boring checklist that prevents nearly all of it. Twenty minutes, once a month.

The 10-point checklist

  1. Switch 2FA from SMS to an authenticator app. SIM-swap attacks defeat SMS codes; they can't touch an authenticator app (Google Authenticator, Authy, 1Password). Five minutes per platform, single biggest upgrade on this list.
  2. Download your backup codes — and store them off your phone. 2FA locks you out too if you lose the device. Print the codes or store them in a password manager. "Phone died, authenticator gone, no backup codes" is the most common unrecoverable lockout we hear about.
  3. Audit authorised third-party apps. Settings → Security → Apps and Websites (Instagram) and the equivalents on TikTok/YouTube. Revoke everything you don't actively use. Old scheduling tools and that analytics app from two years ago are standing attack surface.
  4. Use a unique password per platform, in a password manager. Credential-stuffing (recycled passwords from old breaches) takes more accounts than actual 'hacking' does. If your Instagram password also opens your email, fix that today.
  5. Never give your password to a growth service. Legitimate services deliver with your public handle only. Password requests mean engagement automation (bannable) or harvesting (worse).
  6. Turn on login alerts. Unrecognised-login notifications are your smoke alarm; the first hour of a takeover is when recovery is easy.
  7. Verify your recovery email and phone are current. Recovery flows route through them. An old university email as your recovery address is a takeover waiting to happen.
  8. Learn the three phishing patterns that catch creators: fake "your account will be deleted — verify now" copyright emails, fake brand-deal DMs with a 'contract' link that opens a lookalike login page, and fake "blue tick eligibility" messages. Platforms don't DM you login links. Ever.
  9. Check active sessions monthly. Settings → Security → Login Activity. Sign out anything you don't recognise — sessions on old devices stay valid for years.
  10. Lock down the email account behind everything. Your email is the master key — whoever controls it controls every recovery flow. Authenticator-app 2FA on the email itself, before anything else.
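
The lookalike-login pattern from item 8, as an added example that is not part of the original article: a Python check of whether the host a link really points to belongs to the platform it claims to be. The domain list, brand list and verdict names are assumptions chosen for illustration.

```python
from urllib.parse import urlsplit

# Assumed for illustration: domains that legitimately serve platform logins
# (YouTube sign-in goes through google.com).
OFFICIAL_DOMAINS = {"instagram.com", "tiktok.com", "youtube.com", "google.com"}
BRANDS = ("instagram", "tiktok", "youtube")
# Digit-for-letter swaps often used to imitate a brand name (0->o, 1->i, 3->e, 5->s).
LEET = str.maketrans("0135", "oies")


def check_login_link(url: str) -> str:
    """Classify a link that a message presents as a platform login page.

    Returns "official", "suspicious", "unrelated" or "invalid".
    """
    try:
        parts = urlsplit(url.strip())
        host = (parts.hostname or "").rstrip(".")   # lowercased, no port/userinfo
        userinfo = (parts.username or "").lower()   # text before an "@" in the link
    except ValueError:
        return "invalid"
    if not host:
        return "invalid"

    # The host must BE the official domain or a subdomain of it; merely
    # starting with or containing "instagram.com" does not count.
    on_official = any(host == d or host.endswith("." + d) for d in OFFICIAL_DOMAINS)
    if on_official:
        clean = parts.scheme == "https" and not userinfo
        return "official" if clean else "suspicious"

    # Brand name used anywhere else: subdomain trick, userinfo trick,
    # hyphen padding or digit swaps.
    text = (userinfo + " " + host).translate(LEET).replace("-", "")
    if any(brand in text for brand in BRANDS):
        return "suspicious"
    return "unrelated"


if __name__ == "__main__":
    # Constructed sample links; .example and 203.0.113.0/24 are reserved for documentation.
    for link in ("https://www.instagram.com/accounts/login/",
                 "https://instagram.com.verify-account.example/login",
                 "https://instagram.com@203.0.113.9/login",
                 "https://1nstagram-help.example/verify"):
        print(f"{check_login_link(link):10} {link}")
```

A "suspicious" verdict means the link borrows a platform's name without being on that platform's domain, which is exactly what the fake copyright, brand-deal and blue-tick messages rely on.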

If you've been hacked: the first hour

Grow safely, too.

IGFollowers never asks for your password — just your public handle. That's rule one on this checklist, and it's non-negotiable.


Frequently asked questions

Is SMS two-factor authentication good enough?

It's far better than nothing, but SIM-swap attacks defeat it. An authenticator app takes five minutes to set up and removes that entire attack class — it's the single best upgrade a creator can make.

Can a follower service get my account banned or stolen?

A service that only takes your public handle can't access your account at all — there's nothing to steal. The danger is services that ask for your password to run automation. Never share credentials with any growth tool.

How do creators actually get hacked?

Overwhelmingly through phishing (fake copyright or brand-deal emails leading to lookalike login pages) and recycled passwords from old data breaches — not sophisticated hacking. The checklist's first five items prevent the large majority of takeovers.