I guess I need more karma to post in r/hacking, so I hope this post reaches the right crowd in here.

So, I've been approached many times by family or friends over the years asking me to help them recover their hacked social media accounts, mostly Instagram it seems. I only attempted this once for my brother who was being blackmailed, and it was an insanely time intensive process.

I had to use social engineering to make it seem like I was a dumb friend of his just shooting the shit, build a rapport and get myself to appear as an easy target; ultimately leading to a potential to phish them. That was a quick summary of everything but it was a lot of work over a stupid social media account. After that I just tell people no, it's not worth the time and energy.

My Question: Is social engineering + phishing really the only realistic attack vector against someone who's already compromised an account? In my mind I can only think of a few other methods:

1. Session Hijacking / Cookie theft - but would require them clicking something or establishing a connection somehow, and hopefully they would know better being as they use this tactic themselves.

2. Brute Force - but they more than likely changed the password when initially compromising the account so a password from a dump wouldn't work, and I doubt they would use one in the rockyou list or something.

So for the average person whose social media gets hacked, recovering their account is pretty much a lost cause unless they find someone who's willing to invest that kind of time to recover it for them right? Are there better tactics people use for this purpose that I'm not thinking of?