I gave my social media login to an agency in Dubai and now I can't get it back. What do I do?
Arnav N J
I've seen this happen more often than people realize, especially when agencies are handed full login credentials instead of being added as authorized managers. The good news is you almost always have a path back to your accounts, even if the agency is uncooperative. Here's what actually works.
Start with the platform itself, not the agency
Most platforms have account recovery flows that don't require the current password if you can prove ownership. For Instagram and Facebook, go to the in-app "Forgot password" flow and choose recovery via your registered email or phone number. If the agency also changed your recovery email or phone, use Meta's "My account is compromised" form, this is specifically designed for situations where someone else has control of your login details. You'll need to verify identity, sometimes with a government ID or a short video selfie depending on the platform.
For Google-linked accounts (YouTube, Google Business Profile), use Google's Account Recovery process at accounts.google.com/signin/recovery, it walks you through previous passwords, recovery emails, and device history to verify it's really you.
For LinkedIn, their support team can manually verify ownership through company registration documents or ID if you're locked out of a business page.
Check if you still have any access point
Before assuming you're fully locked out, check whether you can still log into the associated email account the social profiles were registered with. If yes, you can often trigger a password reset directly without needing the agency's cooperation at all.
If the agency changed the recovery email/phone
This is the trickier scenario, but platforms anticipate exactly this kind of dispute. Submit a report through the platform's official "account taken over by someone else" or "business account dispute" form, and be ready to provide proof of original ownership: business registration documents, original sign-up email if you have it, invoices, or any communication showing you hired the agency for management, not transfer of ownership.
Put it in writing with the agency
Even if they're stonewalling, send a written request (email, not just WhatsApp) asking for access to be restored within a specific timeframe, and mention that you're escalating to the platform and, if necessary, legal counsel. Sometimes agencies sit on access out of habit or leverage for unpaid invoices rather than malice, having it in writing also protects you if this escalates.
If money or contracts are involved
If there's an unresolved payment dispute or you signed an agreement that's unclear about asset ownership, it might be worth a quick consult with a lawyer, especially since you're dealing with a Dubai-based agency and may be in a different jurisdiction. This isn't something I can advise on directly since contract terms vary, but it's worth flagging early rather than after months of back and forth.
Going forward
Once you regain access, the safer setup is to never hand over your actual password to any agency again. Instead:
- Add them as an admin/editor through Meta Business Suite, Google Business Profile, or LinkedIn Page admin roles, this gives them working access without your login credentials.
- Enable two-factor authentication tied to your own phone number, so even if someone has your password, they can't get in without your device.
- Periodically check the "Account Activity" or "Where You're Logged In" sections on each platform to see active sessions and revoke any you don't recognize.
Drupad
As an SEO analyst working closely with digital branding and social media teams, I have seen how dangerous it can become when businesses hand over complete control of their social media accounts to an external agency without proper ownership safeguards. One of our clients faced a very similar issue with a Dubai-based marketing agency. Initially, the agency handled everything from Instagram and Facebook ads to content scheduling and page management. The problem started when the client decided to move to another vendor. Suddenly, the agency stopped responding properly and refused to hand over the passwords, admin access, and recovery email credentials tied to the accounts.
My team first approached this like a digital asset recovery project rather than just a social media dispute. We immediately checked who still had ownership access through Meta Business Manager, Google account recovery logs, linked phone numbers, recovery emails, and two-factor authentication settings. In many cases, agencies quietly replace the original recovery email with their internal email IDs. That was exactly what happened here.
We documented everything thoroughly, including invoices, contracts, WhatsApp chats, onboarding emails, screenshots of ownership history, payment records and proof that the client originally created and funded the accounts. This documentation became extremely important later.
From the legal side, Dubai and the UAE take unauthorized digital access very seriously under the UAE Federal Decree Law No. 34 of 2021 on Combatting Rumors and Cybercrimes. Unauthorized retention of account access, misuse of credentials, or refusal to return control of digital assets after termination can potentially fall under cybercrime and unauthorized access provisions. UAE law also treats tampering with digital evidence seriously, including deleting records or hiding access history.
We advised the client to send a formal legal notice requesting immediate transfer of ownership and revocation of unauthorized access. At the same time, we started platform-level recovery through Meta, Google, and LinkedIn support systems using business verification documents. Once the agency realized legal escalation and platform investigations had started, they cooperated surprisingly fast.
The biggest lesson I learned from this experience is that agencies should never become the permanent owners of business accounts. Always keep the original email ownership, enable two-factor authentication yourself, maintain admin-level access, and use role-based permissions instead of sharing passwords directly. Digital accounts today are business assets, not just social media pages, and recovering them can sometimes feel like recovering control of an entire company identity.