Past midnight, a notification pops up: a post you never wrote just went live on your CEO's account. The clock is ticking, the platform is out of your hands, and the question is no longer how did this happen but how do you regain control before the story writes itself. Knowing the exact protocol for a social media hack is what separates a contained incident from a full reputational crisis.

What should you do first when a corporate account gets hacked?

The opening minutes decide everything. Before reacting publicly, you need to confirm the breach, document it, and figure out whether your team can still operate from the inside.

Start by taking screenshots of every post, message or demand the attackers are publishing. Sometimes it's a ransom note (we hijacked your account, we want money), other times it's just memes or random content meant to mock the brand. Either way, that evidence becomes the backbone of your investigation and any conversation with the platform or cyber authorities.

Then test whether you still have access. Hackers often change the password, unlink the email and remove the phone number tied to two factor authentication, leaving you locked out. If that's the case, stay calm, alert the team, and depending on the severity, escalate to cybersecurity authorities so the case can be properly investigated.

What is the first step in a social media hack? Confirm the breach, capture screenshots of everything the attackers post, and check whether you still control the email, phone and password tied to the account. That dictates your next move.

How do you find the vulnerability that let hackers in?

Regaining control is only half the job. The other half is figuring out how they got in, because if you don't, they'll come back. In real cases with executive accounts, the entry points are almost always preventable:

• Permissions granted long ago to third party apps that nobody uses anymore.
• Weak passwords reused across platforms.
• Recovery phone numbers tied to former employees who left the company.
• Verification emails that nobody updated after a team change.

Go into your CEO's accounts and your corporate channels today and audit every recovery email, phone number and active session. If two factor authentication isn't on, turn it on. Prevention is what gives you the time and tools to react when something actually breaks.

How do you communicate publicly during an account takeover?

By the time you're working on recovery, the media may already be echoing the hack. People see the strange posts, screenshots circulate, and silence starts to look like negligence.

Ask yourself: have you posted from another corporate channel, or from a personal executive account, explaining that you're aware and working on it? In crisis management, what you don't say also communicates. The images, the timing, the tone of the first public message all carry weight, the same way a CEO showing up first during a corporate incident, or a political figure visiting a natural disaster, sends a signal beyond the words.

Sometimes you'll recover the account fast and nobody notices. Most of the time, people do notice, and the question becomes what message you leave behind.

Should you announce a hack publicly? If the breach is visible or already trending, yes. A short statement from another verified channel acknowledging the issue protects credibility better than waiting in silence.

How do you regain control of a hacked platform or account?

Recovery speed depends on your relationship with the platform, the type of account, and the bureaucracy involved. With strong contacts inside the platforms, recovery can happen in hours; without them, you face documentation, verification and waiting periods.

Time zones complicate it further. Picture this real scenario: an executive traveling in a region where the Latin American team is asleep, and the hack happens right then. Without a war room protocol activated across geographies, hours are lost.

Two questions you should answer before any incident happens:

1. Who has access to each account, and is that list still current?
2. If the hack reaches a full platform (not just a social channel), do you have an activation protocol with the tech team to patch vulnerabilities immediately?

The Louvre Museum case is a useful reference. The vulnerabilities exploited there came from outdated systems and weak passwords, exactly the same pattern that exposes corporate social accounts. The fix is unglamorous: stronger passwords, updated software, audited permissions, and a tested protocol that everyone on the team knows by heart.

In the resources box you'll find a step by step protocol for acting during a hack. Tell me in the comments, does your team already have a cuarto de guerra defined, or would today be the day to build one?