A hacked Facebook account is usually not a “Facebook problem”. It is an identity problem. Attackers want a control plane they can monetize: access to your profile, messages, connected Instagram, Pages, ad accounts, and your social graph for scams.
Your best outcome comes from doing three things in the right order: contain access, recover control, then harden so the takeover does not repeat.
## Start here: the first actions that stop most damage
- If you can still log in: change password, log out unknown sessions, and enable stronger sign-in protection immediately.
- If you cannot log in: use Facebook’s official recovery flow first, not links from emails or DMs.
- If money is involved: check for ads you did not create and payment methods you did not add.
- If your phone number stopped working: treat it as possible SIM swapping and contact your carrier.
Do not: pay “recovery agents”, share codes, or install remote access apps because someone claims they can get your account back. Fake support is one of the most common follow-on scams.
## Quick triage: what you are seeing and what it usually means
| Symptom | Likely cause | Best first move |
|---|---|---|
| Password changed or you were logged out | Credential theft or reused password | Use official recovery flow, then secure email and enable 2FA |
| You can log in, but posts/messages are being sent | Active session hijack or unknown device | Log out all sessions, change password, revoke connected apps |
| 2FA enabled that you do not recognize | Attacker added their own authenticator | Recover via identity checks and secure email/phone first |
| Ad spend or boosted posts you did not authorize | Monetization attempt | Stop campaigns, remove payment methods, document charges |
| Account disabled after takeover | Integrity enforcement or attacker behavior | Appeal with a clean timeline, then harden recovery channels |
## If you can still log in
### 1) Change your password and secure your email
- Change your Facebook password to a unique, long password.
- Immediately secure your email account, because it controls password resets for Facebook and other accounts.
- If you reuse passwords, stop now. Password reuse is the most common cause of repeated takeovers.
### 2) Log out unknown sessions and devices
Attackers often keep access through an existing session even after a password change. Log out everywhere and re-authenticate from trusted devices only.
### 3) Review high-impact settings
- Recovery email and phone: remove anything you did not add.
- 2FA: enable strong authentication. Prefer an authenticator app. If you need context on options, see 2FA and its many names.
- Connected apps: revoke any third-party access you do not recognize.
### 4) Check for monetization damage
- Review ads and boosted posts.
- Remove unfamiliar payment methods.
- Document everything: screenshots, timestamps, ad IDs, charges.
## If you cannot log in
Use Facebook’s official hacked-account flow and navigate to it directly, not through links in messages:
- facebook.com/hacked (official entry point)
- Facebook Help Center guidance on recovering a hacked account
What to expect:
- You may be asked to confirm identity, devices, or prior account details.
- Recovery can depend on whether you still control the email/phone on the account.
- If the attacker changed recovery details, you may need additional steps and time.
## If the attacker added their own 2FA or recovery email
This is a common persistence move. Your goal is to re-establish a trusted recovery channel. Do not guess through random links. Use only Facebook’s flows and preserve evidence of changes.
While you work the platform flow, secure the rest of your identity layer so the attacker cannot pivot:
- Secure email and remove unknown forwarding rules.
- Secure your phone number and carrier account (PIN, port-out lock where available). See SIM swapping.
- Secure linked accounts, especially Instagram and any password manager.
**Key idea:** The attacker only needs one surviving control path (email, phone, session, or connected app) to retake the account.
## If you manage Pages or ad accounts
Business assets are a common monetization target. In addition to securing the personal account, audit:
- Page roles: remove unknown admins and editors.
- Business settings: check for partners or system users you did not add.
- Ad account billing: new payment methods, unusual spend, new campaigns.
- Pixels and domains: changes to ownership or verification can be a persistence move.
If you are dealing with Business Manager access loss, use the deeper playbook: recover a Facebook Business Page or Business Manager.
## Device sanity check
Many takeovers start with phishing, but some persist through malware or browser compromise. If you entered credentials after clicking a link, do a quick check:
- Remove unknown browser extensions and reset browser notification permissions.
- Update OS and browser and reboot.
- If the device behaves strangely, change critical passwords from a different trusted device first.
## If your account was disabled after the hack
Disables often happen because attacker behavior triggers integrity enforcement, or because the platform sees unusual activity and locks the account. The recovery approach is different from a password reset.
Use a clean, factual timeline and focus on two things: proving legitimate ownership and proving that the compromise is remediated (new passwords, 2FA, cleaned devices if needed).
Detailed playbook: Recover your disabled Facebook account after a hack.
## What to do if friends are being scammed from your account
Account takeovers often become social-graph scams: “I need help”, “verify this”, “I lost my phone”. Your priorities:
- Post a warning from a separate channel (Instagram story, email list, other social account) telling people not to send money or codes.
- Ask close contacts to report the account if needed. In some cases, reports help surface the takeover to enforcement more quickly.
- Review your message history for what the attacker sent so you can warn people accurately.
## Prevent the repeat takeover
- Unique password: never reuse the Facebook password anywhere else.
- Strong authentication: authenticator-app 2FA or passkeys when available.
- Session discipline: log out of shared devices, review active sessions periodically.
- Email security: email is the master key. Treat it that way.
If you want the broader model for why Facebook accounts get targeted and what attackers do with them, read why Facebook accounts get hacked. For phishing defenses that prevent most initial compromises, use how to identify scam emails.
Account recovery is usually a race between you and the attacker’s persistence. When you tighten the identity layer and remove unknown sessions quickly, most takeovers become recoverable. When recovery channels are weak, the platform’s automated flows become the bottleneck.
The stable strategy is to reduce dependence on luck. Make it hard for an attacker to keep access, and make it easy for you to prove ownership when something changes. That is how you turn a frightening incident into a controlled cleanup instead of a long-term lockout.
