Facebook recovery is fragile: reduce lockout and takeover risk

Account recovery is where good security plans fail. When recovery is inconsistent, a minor incident (one phished login, one reused password) can turn into weeks of lockout, repeated takeovers, and expensive business downtime.

| If you are… | Do this first | Why |
| --- | --- | --- |
| Still signed in | Secure your email, then change the Facebook password and review sessions | Contain the incident before the attacker changes recovery details |
| Locked out | Start from the official recovery entry points and avoid “support” scams | Third-party “recovery” offers are a common secondary attack |
| Running a Page or Business Manager | Audit admin roles and business access in parallel | Attackers often pivot from the personal profile into assets that can spend money |
| Seeing password/email change alerts | Assume takeover until proven otherwise | Those alerts usually mean a control-plane change already happened |

Safety note: do not call random “Facebook support” phone numbers. Attackers run support scams that steal your login, payment info, or ID documents. If you see one, start with how Facebook support scams work.

Stabilize the control plane first (email, phone, devices)

Facebook recovery depends heavily on the email inbox and phone number on file. If those are compromised, recovery becomes a loop: you regain access, then the attacker resets it again.

  • Secure the email account tied to Facebook: change its password, enable 2FA, and remove suspicious forwarding rules.
  • If your phone number is on the account, secure the carrier account too (PIN/port-out protection where available). If your number is being targeted, review SIM swapping.
  • Work from a clean device. If you suspect malware or stolen browser sessions, start with how to detect spyware.

If you can still sign in: contain and harden before you get logged out

When you still have a valid session, speed matters. The attacker’s next move is usually to change the primary email, add a new phone number, or enable 2FA with a factor they control, so that you are the one who ends up locked out.

1) Change the password and sign out unknown sessions

  • Change your Facebook password to a unique password (ideally stored in a password manager).
  • Review where you are logged in and end sessions you do not recognize.

2) Check and repair account recovery details

  • Confirm the primary email is yours. If you received an email change alert, use what to do when your Facebook primary email changes.
  • Review phone numbers and remove anything you did not add.
  • Check for newly added contact methods that would let an attacker re-enter later.

3) Turn on stronger sign-in protections

Facebook security options vary by device and region. Use the strongest method you can support operationally.

  • Enable 2FA and prefer an authenticator app or a security key over SMS.
  • Store backup codes where you can access them during an incident without logging into the compromised account.
  • Turn on login alerts so you are notified quickly when a new device signs in, and make sure they go to a contact method you control.

For a deeper hardening pass, use how to secure your Facebook account.

4) Remove suspicious third-party access

Attackers sometimes keep access through connected apps, browser extensions, or reused sessions on other devices.

  • Remove unknown connected apps and logged-in devices.
  • Verify you did not grant “business integrations” or admin roles you do not recognize.

If you cannot sign in: use official recovery paths and keep evidence

Use the official recovery entry points and work methodically. Recovery flows can change, and menus can vary by device and region, but the structure is consistent: prove identity, prove control of an inbox/phone, and remove attacker-added factors.

  • Start from Facebook’s official hacked-account recovery path and follow the prompts to secure the account.
  • If you can find your account but cannot pass the prompts, document what fails (screenshots, timestamps, the email address or phone used) so you can retry consistently.
  • If you received a password change alert you did not trigger, follow what to do after a Facebook password change alert.

If you need a step-by-step recovery flow, use how to recover a hacked Facebook account and what to do if your Facebook account is compromised.

Common mistake: repeatedly attempting recovery with a compromised inbox. If the attacker controls your email, every recovery code and alert is visible to them.

Common lockout scenarios and what they usually mean

| What happened | What it often indicates | Best next move |
| --- | --- | --- |
| Your email was changed | Recovery takeover | Secure email first, then use the email-change remediation steps and hacked-account recovery |
| 2FA was enabled and you did not do it | Attacker trying to lock you out | Work the official recovery prompts and keep proof of identity ready |
| Password changed and you cannot reset | Inbox compromise or phone takeover | Regain control of email/phone, then restart recovery from official entry points |
| Account disabled after suspicious activity | Automated enforcement or attacker behavior | Use disabled-account appeal routes and document the timeline |
| Page or ad account access lost | Business asset pivot | Audit business roles and admins immediately, not only the personal profile |

If you manage Pages or Business assets: contain spend and admin access

When an attacker gets into a personal Facebook profile, the next targets are often Pages and Business Manager assets, because those can run ads, message customers, or impersonate brands. Audit Page roles and Business Manager admins at the same time as you work the personal profile, and remove any role or business integration you do not recognize.

Why recovery feels inconsistent, and how to reduce dependency on it

Recovery is hard for every platform because attackers abuse recovery too. That means the platform will sometimes demand more proof than you can quickly provide, and sometimes automated systems will make the wrong call. The goal is to make recovery a last resort by building a stable account state:

  • Only you can access the primary email and phone on file.
  • 2FA is enabled with a method you can reliably use.
  • Login alerts reach you quickly, and you review them when something looks off.
  • Sessions and connected apps are pruned regularly so an attacker cannot hide.
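The “recovery loop” described earlier (regain access, the attacker resets it again) and the stable account state above both come down to one question: which factor can reset which account, and does that chain close on itself? The script below is an added example, not code from this article or from Facebook; it models that dependency as a small graph and reports loops, single points of failure, and the root factors you must physically control. The account names and the before/after maps are constructed assumptions, not a description of any real platform’s recovery flow.

```python
"""Audit an account's recovery dependencies for loops and single points of failure.

Added example (not code from the hacked.com article). It models the relationship
the article describes: Facebook resets via the inbox and phone number on file,
and each of those may reset via something else. If the chain closes on itself,
an attacker holding any one link can keep re-taking the rest.
"""
from collections import defaultdict

# Constructed sample, before hardening. Node names are hypothetical.
# account -> factors that, held ALONE, let someone reset that account.
BEFORE = {
    "facebook":        ["email", "phone"],
    "email":           ["phone", "recovery_email"],
    "phone":           ["carrier_account"],   # SIM swap / port-out via the carrier
    "carrier_account": ["email"],             # carrier resets via the same inbox: a loop
    "recovery_email":  ["phone"],
    "authenticator":   [],                    # root: exists only on your device
}

# The same accounts after the hardening pass the article recommends (constructed).
AFTER = {
    "facebook":     ["email"],          # login needs the authenticator; reset only via inbox
    "email":        ["security_key"],
    "phone":        ["carrier_pin"],    # port-out protection at the carrier
    "carrier_pin":  [],
    "security_key": [],
    "authenticator": [],
}


def all_nodes(recovery):
    """Every account and every factor mentioned anywhere in the map."""
    return set(recovery) | {f for factors in recovery.values() for f in factors}


def reach(adj, start):
    """Nodes reachable from `start` by following `adj` edges. The start itself is
    included only if some path leads back to it, which is how loops are found."""
    seen, stack = set(), list(adj.get(start, []))
    while stack:
        node = stack.pop()
        if node in seen:
            continue
        seen.add(node)
        stack.extend(adj.get(node, []))
    return seen


def compromise_graph(recovery):
    """Invert the map: factor -> accounts an attacker holding that factor can reset."""
    inv = defaultdict(list)
    for account, factors in recovery.items():
        for factor in factors:
            inv[factor].append(account)
    return inv


def blast_radius(recovery, factor):
    """Every account that falls, directly or transitively, if `factor` is compromised."""
    return reach(compromise_graph(recovery), factor)


def recovery_loops(recovery):
    """Nodes whose recovery chain leads back to themselves: the 'regain, lose again' loop."""
    return {node for node in recovery if node in reach(recovery, node)}


def single_points_of_failure(recovery):
    """Factors whose compromise reaches every account that has a recovery path."""
    resettable = {a for a, f in recovery.items() if f}
    return {f for f in all_nodes(recovery) if resettable <= blast_radius(recovery, f)}


def roots(recovery):
    """Factors with no recovery path of their own: these must stay in your hands."""
    return {n for n in all_nodes(recovery) if not recovery.get(n)}


def audit(recovery):
    return {
        "loops": recovery_loops(recovery),
        "single_points_of_failure": single_points_of_failure(recovery),
        "roots": roots(recovery),
    }


if __name__ == "__main__":
    for label, graph in (("before", BEFORE), ("after", AFTER)):
        print(label, audit(graph))
```

In the constructed “before” map every one of email, phone, recovery email and carrier account is both part of a loop and a single point of failure, which is exactly the state where each recovery attempt is undone by the attacker. In the “after” map the chain terminates at factors only you hold (security key, carrier PIN, authenticator), no factor reaches every account, and recovery stops being the thing the account’s security depends on.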

If you are trying to decide whether your account has already been compromised, start with how to tell your Facebook has been hacked and why Facebook accounts get hacked.

Recovery becomes less fragile when your identity proofs are strong before the incident: a secured inbox, controlled phone number, and a second factor you can actually use under stress. Once you can reliably prove “this is me” and you can reliably receive alerts, takeovers become louder, slower, and easier to contain before they turn into a long lockout.