If you are dealing with a Facebook account takeover, treat it like an incident response problem, not a “reset my password” problem. Most Facebook compromises we see fall into one of these buckets:
- Credential phishing (attacker gets your password and immediately changes email/phone).
- Session hijacking (attacker steals your logged-in session cookie and never needs your password).
- SIM swap / number port-out (attacker intercepts SMS codes and account recovery).
- Infostealer malware (attacker steals browser tokens, saved passwords, and persistent sessions).
- Business asset takeover (Pages, Business Portfolios/Business Manager, ad accounts, payment methods).
Recovery works best in this order: secure the email account first, regain access, remove persistence (sessions, devices, connected apps), then harden sign-in and recovery paths so the attacker cannot reset their way back in.
Before You Start
- Recover from a clean device. If you suspect malware or a sketchy browser extension, do not keep logging in from that device. Use a different, trusted phone/computer for recovery.
- Do not speed-run recovery. Repeated attempts trigger rate limits and “feature blocks,” which can push you into recovery loops.
- Preserve evidence. Screenshot security emails, login alerts, ad charges, Page role changes, and timestamps. Evidence matters most when self-serve recovery fails.
Key official recovery URLs (type them yourself, don’t click random links):
- https://www.facebook.com/hacked (hacked/compromised flow)
- https://www.facebook.com/login/identify (find your account)
- https://accountscenter.facebook.com/ (Meta Accounts Center: Password & security, logins, 2FA, passkeys)
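“Type them yourself” is the right rule, but people still get links in DMs and emails. The script below is an added example (not code from the original article or from Meta) that shows the checks worth doing on such a link before trusting it: https only, the whole hostname must end in facebook.com, and the common lookalike tricks (a real-looking name in front of an “@”, facebook.com as a subdomain of something else, punycode homoglyph domains) are named in the reason it returns. The sample links are constructed for the example.

```python
"""Triage links that claim to be Facebook recovery URLs.

Added example; it is not code from the original article or from Meta.
Only facebook.com and its subdomains (the article lists www.facebook.com,
accountscenter.facebook.com and business.facebook.com) are treated as
genuine. The sample links below are constructed for this example.
"""
from urllib.parse import urlsplit

OFFICIAL_DOMAIN = "facebook.com"


def classify_link(url: str) -> tuple[bool, str]:
    """Return (is_official, reason) for one URL string.

    A link passes only if it is https and its full hostname is facebook.com
    or a subdomain of it. The usual lookalike tricks are named in the reason
    so a reader learns what to look for when inspecting a URL by eye.
    """
    parts = urlsplit(url.strip())
    if parts.scheme.lower() != "https":
        return False, f"scheme is {parts.scheme!r}, not https"
    if parts.hostname is None:
        return False, "no hostname in URL"
    # "https://www.facebook.com@evil.example/..." goes to evil.example;
    # urlsplit puts the text before '@' into .username, not .hostname.
    if parts.username is not None or parts.password is not None:
        return False, f"userinfo before '@' hides the real host {parts.hostname}"
    host = parts.hostname.rstrip(".")  # .hostname is already lowercased
    # Punycode labels (xn--) are how IDN homoglyph domains appear on the wire.
    if host.startswith("xn--") or ".xn--" in host:
        try:
            shown = host.encode("ascii").decode("idna")
        except UnicodeError:
            shown = host
        return False, f"punycode host {host} would display as {shown!r}"
    if not host.isascii():
        return False, f"host {host!r} contains non-ASCII (homoglyph) characters"
    if host == OFFICIAL_DOMAIN or host.endswith("." + OFFICIAL_DOMAIN):
        return True, f"registrable domain of {host} is {OFFICIAL_DOMAIN}"
    if "facebook" in host or "meta" in host:
        return False, f"{host} merely contains a Meta-like name; its registrable domain is not {OFFICIAL_DOMAIN}"
    return False, f"{host} is not a {OFFICIAL_DOMAIN} host"


def triage(links: list[str]) -> dict[str, tuple[bool, str]]:
    """Classify every link; callers act on the boolean and log the reason."""
    return {link: classify_link(link) for link in links}


# Constructed sample: one genuine link from the article plus common lookalikes.
SAMPLE_LINKS = [
    "https://www.facebook.com/hacked",
    "http://www.facebook.com/hacked",                            # downgraded to http
    "https://www.facebook.com.security-review.example/",         # subdomain trick
    "https://www.facebook.com@security-review.example/hacked",   # userinfo trick
    "https://xn--80ak6aa92e.com/hacked",                         # punycode homoglyph
    "https://meta-support-help.example/recover",                 # brand in the name only
]

if __name__ == "__main__":
    for link, (ok, why) in triage(SAMPLE_LINKS).items():
        print(("OK   " if ok else "STOP ") + link + "  <- " + why)
```

Only the first sample link passes. The check is deliberately strict: it does not try to decide whether a facebook.com page is the *right* page, it only rules out hosts that are not facebook.com at all, which is the mistake phishing links rely on.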
1) Immediate Containment
Your first goal is to stop the attacker from keeping access while you recover. If this is session hijacking or malware, changing your Facebook password alone may not end the compromise.
A. Secure your email first
- Change your email password (from a clean device), then enable app-based 2FA or a passkey.
- Check for persistence: forwarding rules, mailbox filters, “authorized apps”, and “app passwords”. Attackers often add a forwarding rule so they still receive codes after you “recover” Facebook.
- Review recent sign-ins and sign out unknown sessions.
Why this matters: If the attacker controls your email, they can instantly re-take Facebook via password resets, “confirm it was you” prompts, or email-change confirmations.
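Forwarding rules and filters are easy to miss in a web UI with many entries. For Gmail, Settings → Filters and Blocked Addresses → Export produces an Atom XML file of every filter, and that file can be audited offline. The script below is an added example, not code from the original article; the element and attribute names follow Gmail’s export format as we understand it, the sample feed is constructed (no real mailbox data), and other providers will need their own parser. It flags any rule that forwards mail anywhere, and any rule that silently archives, trashes or marks-as-read mail whose criteria look like security or code notifications.

```python
"""Scan a Gmail filter export for rules that divert or hide recovery mail.

Added example; not from the original article. It reads the Atom XML that
Gmail produces under Settings -> Filters and Blocked Addresses -> Export
(normally saved as mailFilters.xml). The element/attribute names below are
the export format as the author understands it; the sample feed embedded
here is constructed for the example, not taken from a real mailbox.
"""
import xml.etree.ElementTree as ET

ATOM = "{http://www.w3.org/2005/Atom}"
APPS = "{http://schemas.google.com/apps/2006}"

# Criteria words suggesting a filter is aimed at account-recovery mail.
RECOVERY_HINTS = ("facebook", "meta", "security", "code", "password", "login", "verify")
# Actions that make matching mail disappear from the inbox.
SILENCING = ("shouldTrash", "shouldArchive", "shouldMarkAsRead")


def parse_filters(xml_text) -> list[dict[str, str]]:
    """Return one {property-name: value} dict per <entry> in the export."""
    data = xml_text.encode("utf-8") if isinstance(xml_text, str) else xml_text
    root = ET.fromstring(data)
    filters = []
    for entry in root.iter(ATOM + "entry"):
        props = {p.get("name"): p.get("value", "") for p in entry.iter(APPS + "property")}
        filters.append(props)
    return filters


def audit_filters(filters: list[dict[str, str]]) -> list[dict[str, str]]:
    """Flag forwarding rules (any), and silencing rules aimed at recovery-looking mail."""
    findings = []
    for props in filters:
        criteria = " ".join(props.get(k, "") for k in ("from", "to", "subject", "hasTheWord")).lower()
        looks_recovery = any(h in criteria for h in RECOVERY_HINTS)
        if props.get("forwardTo"):
            # A forward you did not create is persistence: codes keep reaching the attacker.
            findings.append({"severity": "high",
                             "why": f"forwards matching mail to {props['forwardTo']}",
                             "criteria": criteria})
            continue
        silenced = [a for a in SILENCING if props.get(a) == "true"]
        if silenced and looks_recovery:
            findings.append({"severity": "medium",
                             "why": "hides recovery-looking mail: " + ", ".join(silenced),
                             "criteria": criteria})
    return findings


# Constructed sample export: one benign newsletter filter, one forwarding rule,
# one rule that buries code emails without forwarding them.
SAMPLE_EXPORT = """<?xml version='1.0' encoding='UTF-8'?>
<feed xmlns='http://www.w3.org/2005/Atom' xmlns:apps='http://schemas.google.com/apps/2006'>
  <title>Mail Filters</title>
  <entry>
    <category term='filter'/>
    <title>Mail Filter</title>
    <apps:property name='from' value='newsletter@example.org'/>
    <apps:property name='label' value='Newsletters'/>
    <apps:property name='shouldArchive' value='true'/>
  </entry>
  <entry>
    <category term='filter'/>
    <title>Mail Filter</title>
    <apps:property name='from' value='facebookmail.com'/>
    <apps:property name='forwardTo' value='dropbox-7731@attacker.example'/>
    <apps:property name='shouldTrash' value='true'/>
    <apps:property name='shouldMarkAsRead' value='true'/>
  </entry>
  <entry>
    <category term='filter'/>
    <title>Mail Filter</title>
    <apps:property name='hasTheWord' value='"security code" OR "confirmation code"'/>
    <apps:property name='shouldArchive' value='true'/>
    <apps:property name='shouldMarkAsRead' value='true'/>
  </entry>
</feed>
"""

if __name__ == "__main__":
    for f in audit_filters(parse_filters(SAMPLE_EXPORT)):
        print(f"[{f['severity']}] {f['why']}  (criteria: {f['criteria'].strip()})")
```

Run it on the real export with `parse_filters(open("mailFilters.xml", "rb").read())`. Any high-severity finding means the mailbox is still leaking codes and Facebook recovery should wait until the rule is deleted; also check the provider’s separate “Forwarding” setting, which is not part of the filter export.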
B. Secure your phone number
- Call your mobile carrier and ask if there were recent SIM changes, number port-outs, or device swaps.
- Add a port-out PIN (or account PIN) and remove weak verification methods where possible.
- If you suspect SIM swap, assume SMS-based Facebook recovery codes are compromised.
Why this matters: With a successful SIM swap, the attacker can intercept SMS codes, reset passwords, and complete “security checks” in real time.
C. Check active sessions and log out everything you don’t recognize
From Facebook (or Meta Accounts Center), go to:
- Settings & privacy → Settings → Accounts Center → Password and security → Where you’re logged in
- End sessions from unfamiliar devices/locations.
- If available, use Log out of all sessions (then re-login only on trusted devices).
Why this matters: Session hijacking and infostealers rely on existing sessions. If you don’t terminate sessions, attackers can keep posting, messaging, and managing business assets even after you change passwords.
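The mechanism behind this is worth seeing in code. The following is an added example, a toy in-memory session store written for this article and not Meta’s implementation; it models what most web back ends do: the cookie carries an opaque random token, the server looks it up, and the token stays valid until the server revokes it. A naive password change leaves every existing token alive, while a “generation” counter lets “Log out of all sessions” invalidate them in one write. All names and the scenario are constructed.

```python
"""Why a password change alone does not end a cookie-theft compromise.

Added example; a toy in-memory session store written for the article, not
Meta's implementation. It models the common design: the cookie holds an
opaque random token, the server looks it up, and the token is valid until
the server revokes it. The per-account "generation" counter is one usual
way to implement "Log out of all sessions" as a single write.
"""
import secrets
from dataclasses import dataclass, field


@dataclass
class Account:
    password: str                                   # toy: a real store keeps a slow-KDF hash
    generation: int = 0                             # bumped by log-out-everywhere
    sessions: dict = field(default_factory=dict)    # token -> (generation, device label)


class SessionStore:
    def __init__(self) -> None:
        self.accounts: dict[str, Account] = {}

    def create_account(self, user: str, password: str) -> None:
        self.accounts[user] = Account(password=password)

    def login(self, user: str, password: str, device: str) -> str:
        acct = self.accounts[user]
        if not secrets.compare_digest(acct.password, password):
            raise PermissionError("bad password")
        token = secrets.token_urlsafe(32)           # the value the session cookie carries
        acct.sessions[token] = (acct.generation, device)
        return token

    def is_valid(self, user: str, token: str) -> bool:
        """A presented cookie is accepted if its token exists and is from the current generation."""
        acct = self.accounts[user]
        entry = acct.sessions.get(token)
        return entry is not None and entry[0] == acct.generation

    def change_password_naive(self, user: str, new_password: str) -> None:
        """Weak form: only the credential changes; every issued token keeps working."""
        self.accounts[user].password = new_password

    def logout_everywhere(self, user: str) -> None:
        """Every token issued under the old generation stops validating at once."""
        self.accounts[user].generation += 1

    def change_password_hardened(self, user: str, new_password: str, keep_token: str) -> None:
        """Rotate the credential, revoke all sessions, re-issue only the caller's own."""
        acct = self.accounts[user]
        acct.password = new_password
        self.logout_everywhere(user)
        acct.sessions[keep_token] = (acct.generation, acct.sessions[keep_token][1])

    def where_logged_in(self, user: str) -> list[str]:
        """What a 'Where you're logged in' page lists: devices holding a live session."""
        acct = self.accounts[user]
        return sorted(dev for gen, dev in acct.sessions.values() if gen == acct.generation)


def demo() -> dict:
    """Replay the infostealer scenario and report what each step leaves valid."""
    store = SessionStore()
    store.create_account("victim", "correct horse")
    laptop_token = store.login("victim", "correct horse", "victim-laptop")
    stolen_token = laptop_token      # constructed: malware copied the cookie byte-for-byte

    store.change_password_naive("victim", "new password 1")
    after_naive = store.is_valid("victim", stolen_token)       # True: attacker is still in

    phone_token = store.login("victim", "new password 1", "clean-phone")
    store.change_password_hardened("victim", "new password 2", keep_token=phone_token)
    return {
        "stolen_valid_after_naive_change": after_naive,
        "stolen_valid_after_hardened_change": store.is_valid("victim", stolen_token),
        "clean_phone_still_valid": store.is_valid("victim", phone_token),
        "where_logged_in": store.where_logged_in("victim"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Two things the demo makes concrete. The copied cookie is indistinguishable from the laptop’s own session, so the sessions page shows “victim-laptop”, not the attacker. And the session you choose to keep must be one created on a clean device after the change: if `keep_token` had been the laptop’s token, the attacker’s copy would have survived the hardened change too, which is exactly the “re-compromised within minutes” failure described later in this article.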
D. Revoke suspicious connected apps (OAuth) and remove unknown devices
- In Facebook settings, review Apps and websites and remove anything you don’t recognize.
- In Accounts Center, review security settings for unknown devices and connected experiences you never approved.
Why this matters: A malicious “connected app” can be a backdoor that survives password changes.
E. Check for added admins
- For Pages: check Page access / admin roles and remove unknown admins.
- For Business assets: go to https://business.facebook.com/ and inspect Business settings: People, Partners, System Users, Assets.
Why this matters: Many “Facebook hacks” are actually business asset theft. If the attacker becomes an admin, recovering the personal profile may not restore the Page or ad account.
F. Assume device compromise until proven otherwise
- If you suspect infostealer malware: stop logging in on that device. Use a different, known-clean device for recovery.
- Remove unknown browser extensions, update OS/browser, run reputable malware scanning, and consider a full OS reinstall if you can’t establish trust.
Why this matters: If the attacker is stealing tokens/cookies from your browser, every login attempt can hand them fresh access.
2) Identify the Type of Compromise
Recovery succeeds faster when you diagnose the failure mode. Use this checklist to route yourself into the correct flow.
- Password changed? You can’t log in and old passwords fail.
- Email removed or changed? Password reset goes to an address you don’t recognize.
- Phone number changed? SMS codes go to a number you don’t control.
- “Hacker enabled 2FA Facebook”? You get stuck at a 2FA challenge you never set up.
- Account disabled? You see a disabled/locked message, or the profile no longer appears in search.
- Business Manager hacked? Page roles changed, Business Portfolio admins changed, ad spend running.
- Ads running fraudulently? You see campaigns you didn’t create, or your card is being charged.
Important: “Disabled” and “Hacked” are not the same. A hacked account can be disabled as a consequence (spam, policy violations, automation). The recovery path and timelines differ.
3) Step-by-Step Recovery Paths
Facebook’s interfaces change frequently, and button labels can vary by country/app version. The URLs below are the stable entry points we use in practice; follow the nearest matching on-screen option.
Case A: You’re still logged in
If you can still access the account on at least one device, you have leverage. Prioritize containment before you get logged out.
- From a clean device, change the Facebook password and immediately log out suspicious sessions (Accounts Center → Password and security → Where you’re logged in).
- In Accounts Center, review and correct: primary email, phone number, 2FA method, passkeys.
- Remove unknown devices and suspicious connected apps (Apps and websites).
- If your email was changed recently, check your inbox for security emails and use the official “this wasn’t me”/revert links if present (do not rely on forwarded messages; verify by logging into the mailbox directly).
- For business users: inspect Page access and Business settings immediately, remove unknown admins, and pause active ad campaigns if unauthorized spend is happening.
Documentation required: Usually none (unless you hit a security checkpoint).
Expected response time: Immediate.
What typically fails: The user changes password on an infected computer and gets re-compromised within minutes due to stolen cookies/tokens.
How to escalate: If business assets are involved and you have access to business support surfaces, gather evidence (timestamps, ad account IDs, Page IDs) before opening a support ticket.
Case B: Locked out, but you still control the email address
This is the “standard” recovery scenario: the attacker changed your Facebook password, but your email inbox is still yours.
- Go to https://www.facebook.com/login/identify.
- If you are starting from the login screen in the app or browser, choose Forgot password? or Forgotten account? to reach the same recovery flow.
- Search for your account using email, phone number, or name.
- Select your account and choose the option to receive a login code (email or SMS).
- Enter the code and complete any security prompts Facebook shows.
- Once back in, immediately run containment: sessions, connected apps, email/phone, 2FA.
Documentation required: Usually none if you can receive the code.
Expected response time: Immediate if the code delivery works.
What typically fails: Recovery codes are sent to an attacker-controlled email because the email on-file was changed. If that’s your situation, move to Case C.
Case C: Facebook account hacked and email changed
This is one of the most common reasons people get stuck. The password reset flow keeps offering attacker-owned contact points.
- Start at https://www.facebook.com/hacked.
- Select the option matching My account is compromised, then follow prompts to identify the account.
- If you reach a screen that only shows the attacker’s email/phone, look for an option like No longer have access to these? or Try another way.
- When asked for a new contact method, provide an email you control and can secure long-term (ideally not the email you believe was compromised).
- If Facebook offers identity confirmation, do it once with a high-quality submission (see Identity Verification Deep Dive below).
Documentation required: Often government ID or other identity confirmation if contact methods were changed.
Expected response time: Ranges from minutes (automated checks) to days (manual review), and sometimes no response.
What typically fails:
- Recovery lockout loops (“feature unavailable”, “try again later”, “we can’t verify you”).
- Untrusted environment (new device + VPN + new country) causing Facebook to block recovery attempts.
- Email is compromised (attacker still sees codes via forwarding rules).
How to escalate: If you run a business and the compromise is impacting ads/Page access, document the business impact and open a business support case if you have access. Personal accounts often have no live support.
Case D: Hacker enabled 2FA on Facebook
This is a high-friction scenario: the attacker adds their authenticator app or phone, then locks you out behind 2FA. Do not search for “bypass” tricks. Those approaches are unreliable, can violate terms, and can worsen lockouts.
- Start at https://www.facebook.com/hacked and complete the compromised-account flow.
- If you reach a 2FA challenge you cannot satisfy, use any on-screen option like Try another way, Need another way to authenticate?, or Get help.
- If offered, choose identity confirmation/ID submission.
- If you previously saved recovery codes, try them first (they are designed for exactly this situation). Be aware they may no longer be accepted if the attacker reconfigured 2FA, in which case continue with the compromised-account flow.
Documentation required: Commonly identity confirmation.
Expected response time: Variable; may be immediate or several days depending on identity verification outcome.
What typically fails: The user keeps retrying the 2FA screen until Facebook rate-limits recovery attempts. Make one high-quality attempt, then wait for the system to process before trying again.
Case E: Facebook account disabled after hack
Accounts are sometimes disabled because the attacker used them for spam, scams, or automation. The recovery path is usually an appeal process, not the hacked flow alone.
- Attempt login normally. If Facebook offers an appeal or “confirm identity” path, follow it carefully.
- Attempt https://www.facebook.com/hacked as well, but understand it may redirect into the disabled/appeal workflow.
- Document: dates/times of suspicious activity, security emails you received, and your steps taken to secure email/phone.
Expected response time: From hours to weeks. Some cases never receive meaningful review.
What typically fails: Users submit low-quality ID images or inconsistent names, triggering auto-rejection loops.
Case F: Facebook Business Manager hacked
If your Page or ad account is compromised, treat this as both an account takeover and a financial fraud incident.
- Contain immediately: remove unknown admins (Page access and Business settings), end sessions, and reset passwords from a clean device.
- In https://business.facebook.com/, review Business settings for: People, Partners, System Users, connected apps, payment methods.
- If unauthorized ads are running: pause campaigns, remove payment methods you don’t recognize, and gather evidence (ad account ID, charge receipts, screenshots, timestamps).
- Look for official reporting/help surfaces within Business Suite. If you have access to business support, open a case and provide the evidence package.
Evidence package (what to capture):
- Business Portfolio/Business Manager ID, ad account ID, Page ID.
- List of new admins/partners/system users added, with timestamps.
- Unauthorized campaign names, spend, billing events, and payment methods.
- Security alerts from Meta/Facebook about logins or changes.
Expected response time: Business support response times vary widely. Paying products and verified business surfaces often get faster routing, but nothing is guaranteed.
What typically fails: Recovery focuses only on the personal profile. Meanwhile, the attacker keeps admin access to the Business Portfolio and can re-add themselves even after you “fix” your login.
Recovery Lockout Loops
If you see messages like “You can’t use this feature right now,” “Try again later,” or you keep landing back on the same screen, you’re likely rate-limited or failing a trust signal.
- Stop repeated attempts. Wait several hours (sometimes 24 to 48) before trying again.
- Use a trusted device/network. Recover from a phone/computer you previously used for Facebook, on your home network (avoid VPNs during recovery).
- Clear the attack surface. If malware is suspected, do not recover from that device.
- Do one high-quality identity submission. Ten bad submissions are worse than one excellent one.
What Still Works
What actually works:
- Using facebook.com/hacked for compromised flows rather than random “contact forms.”
- Recovering from a trusted device and network.
- Identity verification done carefully (quality and consistency).
- Business support surfaces (when you legitimately have access) for Page/ad account incidents.
What typically does not work:
- Calling “Facebook support numbers” found in search results (many are scams).
- Emailing random “Meta support” addresses or paying individuals on social media promising recovery.
- Trick-based “2FA bypass” hacks. They are unreliable, risky, and often lead to stricter lockouts.
4) Identity Verification Deep Dive
Identity verification is where many recoveries succeed or fail. Facebook’s systems often auto-reject submissions for quality, mismatch, or policy reasons. Treat your submission like evidence you’d send to an investigator: clean, complete, and consistent.
ID submission requirements
- Use the best camera you have and shoot in bright, indirect light.
- Avoid glare, blur, cropping, heavy filters, or low resolution.
- Submit the full document with all edges visible unless the flow explicitly asks otherwise.
- Use your legal name and ensure it reasonably matches the name on the Facebook account.
Common name-mismatch situations
- Nickname on Facebook: if Facebook asks for explanation, state: “Account name is a nickname; legal name matches attached ID.” Keep it factual.
- Maiden name / changed name: if you have supporting documents, be prepared to provide them if requested.
- Business brand name account: personal profile verification is harder if the account name is not a real name. Expect friction.
Why submissions get auto-rejected
- Name mismatch (nickname on Facebook vs legal name on ID).
- Unreadable text (blur, glare, low contrast).
- Partial document or cut-off edges.
- Repeated submissions with the same low-quality image.
- Signals that suggest automation or scripted abuse (too many attempts from many IPs/devices).
How to increase success probability
- Submit once with a high-quality image, then wait. Avoid spamming resubmits.
- Use a trusted device and network you’ve used for Facebook before.
- Make sure your email inbox and phone number are secure first, or you risk immediate re-compromise after approval.
- If you keep failing, step back and reassess: compromised email, SIM swap, or malware will sabotage recovery.
Appeal loops: If you keep landing back on the same screens with no progress, it is often a system limitation, not user error. At that point, stop repeated attempts, preserve evidence, and consider escalation routes (business support surfaces, verified subscriptions, or professional assistance).
5) When Facebook Recovery Fails
In real incident response, we plan for failure modes. Facebook recovery can fail for reasons that are outside your control:
- No live support for personal accounts: many users have no human escalation channel.
- Signal mismatch: you’re recovering from a new device/country/VPN, and Facebook blocks the attempt.
- Attacker persistence: malware/token theft keeps re-authenticating the attacker.
- Business vs personal routing: business support may help with ad accounts or Pages but not the personal profile that owns them.
- Verified products are not guarantees: some paid/verified surfaces can improve routing, but they do not guarantee restoration.
Where DIY fails in complex cases: People focus on the Facebook password reset while the attacker maintains control of email forwarding, mobile number, browser tokens, Page roles, or business admins. Recovering the login is not the same as removing the attacker’s footholds.
How Hacked.com helps: We handle thousands of compromise cases each year, including Facebook and Meta business asset incidents. We build a containment plan, identify the compromise type (phishing vs session hijack vs SIM swap vs malware), and help you sequence actions so you don’t lock yourself into recovery loops. Hacked.com has been covered by major media outlets, and our work is focused on reliable incident-response execution, not “tips and tricks.”
6) Post-Recovery Hardening (Expert-Level)
Once you regain access, your objective is to prevent the same attacker (or the same technique) from working again.
Use app-based 2FA or hardware keys
- Preferred: authenticator app or passkeys in Meta Accounts Center.
- In Accounts Center, go to Password and security → Passkeys (if available) and add a passkey on your primary devices.
- Generate and store recovery codes offline (password manager or printed), so you can recover if you lose your phone.
- Best for high-risk users: hardware security keys (FIDO2) where supported.
- Avoid: SMS 2FA for critical recovery. SMS is vulnerable to SIM swap and carrier-account compromise.
Remove weak recovery paths
- Remove old phone numbers and emails you no longer control.
- Add a separate recovery email that is not used anywhere else, secured with strong 2FA.
- If you currently rely on SMS for codes, switch to app-based 2FA and remove SMS-based recovery where the UI allows.
Business separation
- Create a dedicated admin account for managing Pages and Business Portfolios, with the strongest security controls.
- Minimize admins. Avoid shared logins.
- Review Business settings quarterly: People, Partners, System Users, connected apps.
Device hygiene and cookie theft prevention
- Remove unknown extensions, keep browser/OS updated, and avoid cracked software.
- Use a password manager and unique passwords. Reused passwords turn one breach into many takeovers.
- Be skeptical of “Meta support” DMs and ads. Many phishing campaigns impersonate Meta support and drive users to fake recovery portals that steal sessions.
Session lifetime management
- Periodically review Where you’re logged in and end sessions you don’t recognize.
- If you travel or use VPNs, expect additional login friction. Plan recovery methods in advance.
7) Real Attack Examples (Anonymized)
Example 1: Phishing page that steals a session cookie
A victim receives a message claiming their Page will be disabled. The link opens a convincing “Accounts Center” lookalike. Instead of stealing only the password, the site steals the active session cookie (often via a malicious browser prompt/extension flow). The attacker immediately logs in, adds themselves as Page admin, and starts running crypto scam ads. The victim changes their Facebook password but stays compromised because the attacker’s session persists and the victim’s computer is still infected.
Example 2: SIM swap attack
The attacker social-engineers the mobile carrier, ports the number, then uses SMS-based password reset to take over Facebook. They enable 2FA, change the email, and lock the victim out. Recovery succeeds only after the victim restores control of the phone number with the carrier, secures email, then completes the hacked flow with identity confirmation.
Example 3: Infostealer malware token theft
The victim downloads a “free” tool. An infostealer exfiltrates browser cookies, saved passwords, and active sessions. The attacker logs in from a different country but appears as a trusted session because the cookie is valid. Any login attempts from the victim keep generating fresh sessions for the attacker until the device is cleaned and all sessions are terminated.
Example 4: Rogue employee removes access
An employee with Business Portfolio admin access removes the owner, adds a new partner, and transfers Page control. The personal Facebook profile is fine, but the business assets are gone. Resolution requires business-asset documentation, internal governance evidence, and engagement with business support channels where available.
Example 5: “Crypto investment” takeover via DM
The attacker uses a compromised friend account to send a realistic “help me secure my account” link. The victim enters credentials into a fake portal, the attacker changes email and phone, then uses the account to scam contacts. This often escalates into Marketplace fraud and ad account abuse.
FAQ
How long does it take to recover a hacked Facebook account?
If you still control the email/phone and can receive codes, recovery can be immediate. If your Facebook account is hacked and email changed, or if the hacker enabled 2FA on Facebook, recovery often depends on identity verification and can take days. In some cases, users get stuck indefinitely due to system limitations.
Can police help?
Police reports can be useful for documentation (especially for business fraud, identity theft, or significant financial loss), but police usually cannot directly restore your Facebook account. Treat law enforcement as part of an evidence and fraud-response process, not a recovery shortcut.
Can you call Facebook?
For most personal accounts, there is no reliable phone-based support. Be cautious: many “Facebook support numbers” in search results are scams. Use official in-app support surfaces when available, and start with https://www.facebook.com/hacked.
What if the hacker deleted my account?
Deleted vs disabled can be hard to distinguish from the outside. If the account is truly deleted and the deletion window has elapsed, recovery may be impossible. If you suspect deletion, move quickly, preserve evidence, and attempt the official hacked flow immediately.
Can Hacked.com guarantee recovery?
No. No legitimate firm can guarantee Facebook recovery because Meta controls the final decision and the tooling. What we can do is maximize your probability of success by fixing the root cause (email/phone/device compromise), preventing re-takeovers, building evidence packages, and guiding you through the highest-yield recovery paths for your specific compromise type.
If you’re stuck: If you’ve tried facebook.com/hacked and facebook.com/login/identify and you’re in a loop, it usually means the compromise is deeper (email/phone/device/business-admin persistence) or the recovery surface is failing. That is the point where incident-response sequencing and evidence quality become the differentiators.
