An unexpected "your Facebook password was changed" email is either a real account event or a phishing attempt designed to steal your login. The correct response starts with verification. Do not click the button in the email. Navigate to Facebook directly and contain access from a trusted device.
| What you see | Most likely explanation | First move |
|---|---|---|
| You just changed your password | Normal security notification | Nothing urgent. Still review sessions if you changed it because of a scare. |
| You did not change it, but you can still log in | Password changed by someone else or a session-based compromise | Rotate password again, sign out everywhere, and review recovery methods. |
| You did not change it and you cannot log in | Active takeover and lockout | Start recovery at facebook.com/hacked. |
| The email looks odd or the sender domain is unfamiliar | Phishing | Verify via Facebook’s official email checks and ignore the message thread. |
Do not click links or enter one-time codes because an email told you to. Open Facebook directly (app or typed URL) and work from there.
Step 1: Verify the email is really from Facebook
Start by assuming the email could be fake. Facebook provides an official method to confirm authenticity and review recent emails inside your account:
Facebook also documents what to do if you received a password reset email but did not request it:
Those two links are the safest starting points because they avoid the most common trap: being redirected to a lookalike login page.
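The in-account check above is the authoritative test. As an added illustration of what "the sender domain is unfamiliar" means in practice, the script below is example code written for this page, not a Facebook tool: it parses the headers of a notification with Python's standard `email` module and lists the mismatches a phisher typically cannot fake. Both messages are constructed samples. The trusted sender domain (`facebookmail.com`) and the trusted link domain (`facebook.com`) are assumptions for the example; confirm them against Facebook's own help pages before relying on them.

```python
"""Triage the headers of a suspicious "password changed" notification."""
import re
from email import policy
from email.parser import Parser

# Constructed sample: a lookalike notification, not a captured real message.
SUSPICIOUS_EMAIL = """\
From: "Facebook Security" <security@facebook-alerts-example.com>
Return-Path: <bounce@mail-relay-example.net>
Authentication-Results: mx.example.org; spf=pass smtp.mailfrom=mail-relay-example.net; dkim=none
Subject: Your Facebook password was changed
To: you@example.org

Your password was changed. If this wasn't you, restore it here:
https://facebook.login-reset-example.com/recover
"""

# Constructed sample of a notification whose headers are internally consistent.
CONSISTENT_EMAIL = """\
From: Facebook <security@facebookmail.com>
Return-Path: <security@facebookmail.com>
Authentication-Results: mx.example.org; spf=pass smtp.mailfrom=facebookmail.com; dkim=pass header.d=facebookmail.com; dmarc=pass header.from=facebookmail.com
Subject: Your Facebook password was changed
To: you@example.org

Open facebook.com from your browser to review this change.
"""

# Assumed for the example: maintain these from Facebook's official help pages.
TRUSTED_SENDER_DOMAINS = {"facebookmail.com"}
TRUSTED_LINK_DOMAINS = {"facebook.com"}
BRAND = "facebook"


def domain_of(address) -> str:
    """Lower-cased domain of an address header, or '' if there is none."""
    match = re.search(r"@([A-Za-z0-9.-]+)", str(address or ""))
    return match.group(1).lower().rstrip(".") if match else ""


def is_under(domain: str, trusted: set) -> bool:
    """True if domain equals a trusted domain or is a subdomain of one."""
    return any(domain == t or domain.endswith("." + t) for t in trusted)


def parse_auth_results(header) -> dict:
    """Extract spf=/dkim=/dmarc= verdicts from an Authentication-Results header."""
    pairs = re.findall(r"\b(spf|dkim|dmarc)=(\w+)", str(header or ""), re.I)
    return {method.lower(): verdict.lower() for method, verdict in pairs}


def link_domains(text: str) -> list:
    """Distinct host names of http(s) links found in the body text."""
    return sorted({d.lower() for d in re.findall(r"https?://([A-Za-z0-9.-]+)", text)})


def triage_headers(raw_message: str) -> dict:
    """Return parsed header facts plus the findings that argue for treating the mail as phishing."""
    msg = Parser(policy=policy.default).parsestr(raw_message)
    from_domain = domain_of(msg["From"])
    return_path_domain = domain_of(msg["Return-Path"])
    auth = parse_auth_results(msg["Authentication-Results"])
    body_part = msg.get_body(preferencelist=("plain", "html"))
    body = body_part.get_content() if body_part is not None else ""
    links = link_domains(body)

    findings = []
    if not is_under(from_domain, TRUSTED_SENDER_DOMAINS):
        findings.append(f"From domain {from_domain!r} is not a known notification sender")
        if BRAND in from_domain:
            findings.append(f"From domain {from_domain!r} contains the brand name: lookalike pattern")
    if return_path_domain and return_path_domain != from_domain:
        findings.append(f"Return-Path domain {return_path_domain!r} differs from the From domain")
    for method in ("dkim", "dmarc"):
        if auth.get(method) != "pass":
            findings.append(f"{method.upper()} did not pass ({auth.get(method, 'absent')})")
    for domain in links:
        if not is_under(domain, TRUSTED_LINK_DOMAINS):
            findings.append(f"Body links to {domain!r}, which is not under facebook.com")

    return {
        "from_domain": from_domain,
        "return_path_domain": return_path_domain,
        "auth": auth,
        "link_domains": links,
        "findings": findings,
        "verdict": "treat as phishing" if findings else "no header red flags; still verify inside Facebook settings",
    }


if __name__ == "__main__":
    for label, sample in (("suspicious", SUSPICIOUS_EMAIL), ("consistent", CONSISTENT_EMAIL)):
        report = triage_headers(sample)
        print(f"[{label}] {report['verdict']}")
        for finding in report["findings"]:
            print("  -", finding)
```

Note that a clean result is not proof of authenticity: the point of the check is that any one of these findings is enough reason to ignore the message and open Facebook directly.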
Step 2: Contain access if you can still log in
If you can access the account, treat it as an incident even if you are not sure what happened. Containment is reversible.
- Change the password to a unique one stored in a password manager.
- Sign out of all other sessions and remove devices you do not recognize.
- Confirm your recovery email and phone number are correct.
- Review connected apps and remove anything you do not recognize.
If you receive repeated security alerts after doing this, assume the attacker still has a path through your email inbox, your device, or a connected app. Secure the email account next and update your devices and browser.
Step 3: If you cannot log in, use the official recovery entry point
Do not search for "Facebook support" and click random results. Use the official entry point:
facebook.com/hacked
If your account recovery email or phone was changed, you may be pulled into identity verification steps. The exact UI varies by region and device. The stable goal is the same: regain access, then immediately sign out of other sessions and fix recovery methods.
Why attackers trigger password-change emails
There are two common scenarios:
Real compromise
The attacker changed the password as part of an account takeover. Often they also change the email or phone number to lock you out. They may then use Messenger to scam friends or use Pages and ad accounts to monetize.
Phishing that imitates a notification
The attacker sent a fake email that looks like a Facebook notification. The goal is to get you to log in on a fake site and to capture your password and any one-time code you enter.
The two scenarios have the same first step: verify via official paths, then contain.
Checks that catch quiet persistence
After a scare, people change the password and stop. That is how re-compromise happens. Check the persistence paths that matter:
- Sessions: unknown devices still logged in.
- Recovery methods: email or phone changed, or a new method added.
- Connected apps: integrations you do not recognize.
- Business assets: new admins on Pages, new ad accounts, billing changes.
If your account was used to message others or run scams, secure the account first, then warn contacts via a separate channel. For signs and evidence points, see how to tell your Facebook has been hacked.
What not to do
These moves reliably make things worse:
- Do not respond to the email thread or call phone numbers inside the email.
- Do not share one-time codes with anyone claiming to be support.
- Do not pay or hire a "recovery" person in comments or DMs.
Unexpected password-change emails are high-signal because they are early. When you verify first, revoke sessions, and secure recovery methods, you cut off the attacker’s ability to turn one event into a lockout.
If you take only one lesson: the email is not the control surface. Your account settings are. Work from the inside out, and the phishing layer loses its leverage.
Once recovery methods are yours and sessions are clean, the incident stops being a question and becomes a closed event you can move past.
Build an evidence pack in two minutes
Evidence helps you avoid memory drift and helps if you need to work with support or financial institutions later.
- Screenshot the email header area (sender, subject, time) and the message body.
- If you can log in, screenshot unknown sessions/devices.
- If you run Pages or ads, screenshot any unknown admins, campaigns, or billing changes.
If you already clicked the email link
The danger is not the click. The danger is what you entered after clicking.
| What happened | What it implies | What to do next |
|---|---|---|
| You clicked but did not enter anything | Lower risk | Close the page and verify the alert inside Facebook settings. Rotate password if unsure. |
| You entered your Facebook password | Credentials may be captured | Change the password immediately and sign out everywhere. |
| You entered a one-time code or approved a push | Account takeover may have completed | Contain immediately: rotate password, revoke sessions, fix recovery methods, remove connected apps. |
If you are receiving multiple alerts such as "someone may have accessed your account", follow the containment sequence there too: someone may have accessed your account.
Secure the inbox that can reset Facebook
If the attacker can access your email, they can often recover Facebook again even after you fix it once. Before you assume this is "just Facebook", secure the email inbox tied to the account:
- Change the email password and enable stronger sign-in where possible.
- Check for mailbox forwarding rules and filters that hide security alerts.
- Review recent sign-ins and revoke sessions you do not recognize.
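The second item in that list is the one people skip, because a forwarding rule or a filter that marks alerts as read is invisible in the inbox view. The script below is an added example for this page, not any mail provider's tool: it runs a rule audit over a constructed export of mailbox rules (the dictionary schema is a generic stand-in, not a real provider's API format) and flags the three patterns that matter for a Facebook takeover: forwarding to an address you do not own, rules that delete or hide messages matching security-alert patterns, and rules with empty or placeholder names. The owner domain `example.org` and the watched sender `facebookmail.com` are assumptions for the example.

```python
"""Audit mailbox rules for the patterns that hide or leak account-security alerts."""
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample export. The schema is a generic stand-in for a rule export,
# not the format of any particular mail provider.
SAMPLE_RULES = [
    {"name": "Receipts",
     "conditions": {"from_contains": ["receipts@store-example.com"]},
     "actions": {"move_to": "Receipts"}},
    {"name": ".",
     "conditions": {"subject_contains": ["password", "security", "login"]},
     "actions": {"mark_read": True, "move_to": "RSS Feeds"}},
    {"name": "Backup",
     "conditions": {},
     "actions": {"forward_to": ["collector@mail-drop-example.net"]}},
    {"name": "Facebook noise",
     "conditions": {"from_contains": ["facebookmail.com"]},
     "actions": {"delete": True}},
]

# Assumptions for the example: domains the mailbox owner controls, and the
# notification sender whose alerts must never be hidden.
OWN_DOMAINS = {"example.org"}
ALERT_SENDERS = {"facebookmail.com"}
ALERT_KEYWORDS = {"password", "security", "login", "sign-in", "verification", "code"}
HIDING_ACTIONS = ("delete", "mark_read")
HIDING_FOLDERS = {"rss feeds", "archive", "junk", "deleted items", "conversation history"}


@dataclass
class Finding:
    rule: str
    severity: str
    reason: str


def targets_alerts(conditions: Dict) -> bool:
    """True if the rule's conditions match security notifications by subject or sender."""
    words = [w for w in conditions.get("subject_contains", []) if w.lower() in ALERT_KEYWORDS]
    senders = [s for s in conditions.get("from_contains", []) if s.lower() in ALERT_SENDERS]
    return bool(words or senders)


def hides_messages(actions: Dict) -> bool:
    """True if the rule deletes, marks read, or files mail into a folder nobody reads."""
    if any(actions.get(action) for action in HIDING_ACTIONS):
        return True
    return actions.get("move_to", "").lower() in HIDING_FOLDERS


def audit_rules(rules: List[Dict]) -> List[Finding]:
    """Return one Finding per suspicious property across all rules."""
    findings: List[Finding] = []
    for rule in rules:
        name = rule.get("name", "")
        conditions = rule.get("conditions", {})
        actions = rule.get("actions", {})

        # 1. Forwarding to a domain you do not own leaks reset links and one-time codes.
        for address in actions.get("forward_to", []):
            domain = address.rsplit("@", 1)[-1].lower()
            if domain not in OWN_DOMAINS:
                findings.append(Finding(name, "high", f"forwards mail to external address {address}"))

        # 2. A rule that both matches alerts and hides them is the classic persistence trick.
        if targets_alerts(conditions) and hides_messages(actions):
            findings.append(Finding(name, "high", "hides messages matching security-alert patterns"))

        # 3. Empty or punctuation-only names are a heuristic for rules nobody meant to keep.
        if not name.strip(".- "):
            findings.append(Finding(name, "medium", "rule has an empty or placeholder name"))
    return findings


def high_risk_rules(rules: List[Dict]) -> List[str]:
    """Names of rules with at least one high-severity finding, in export order."""
    seen: List[str] = []
    for finding in audit_rules(rules):
        if finding.severity == "high" and finding.rule not in seen:
            seen.append(finding.rule)
    return seen


if __name__ == "__main__":
    for finding in audit_rules(SAMPLE_RULES):
        print(f"[{finding.severity}] rule {finding.rule!r}: {finding.reason}")
```

Run it against your own rule export after mapping the provider's fields onto the same keys; any high-severity hit means the rule should be deleted before you trust the inbox to deliver the next Facebook alert.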
Hardening steps that prevent re-compromise
Once you have control again, you want to remove the attack paths that make Facebook incidents repeat.
- Use a password manager so reuse is not the weak point.
- Enable stronger sign-in on Facebook where available and keep recovery methods current.
- Keep devices updated and remove unknown browser extensions that can steal sessions.
Rule of thumb: if you changed the password but you did not revoke sessions and review recovery methods, you did not actually contain the incident.
If the account email or phone number changed
When attackers change the primary email, they are trying to own the recovery lane. That is a different severity level than a single suspicious login.
Start with the guide for when you received a notice that your Facebook primary email changed, then work through the full recovery flow in how to recover a hacked Facebook account.
Password change emails feel urgent because they imply loss of control. The safest response is to move the control surface away from the inbox and back into verified account settings.
When you verify the email, rotate credentials from a trusted device, revoke sessions, and secure recovery methods, you remove the attacker’s leverage. That is what prevents the same event from repeating tomorrow.
Most of the time, the real win is simple: secure the email inbox, keep passwords unique, and treat one-time codes as secrets. If those three hold, most takeover attempts fail quickly.
If you cannot access the email or phone number on the account
If an attacker changed the recovery options, you may be blocked from normal password reset flows. Facebook provides a help entry point for this situation:
Recover your Facebook account if you cannot access the email or mobile number
The UI and available options can vary by region, but the logic is stable: prove ownership through the options Facebook offers, regain access, then immediately clean sessions and recovery methods.
Why attackers trigger password reset flows even without access
Some attacks do not start with access. They start with pressure. Attackers trigger password reset emails so you will click quickly, then they intercept credentials through a fake login page. That is why "verify first" is not pedantry. It is the difference between an alert and a takeover.
Another pattern is credential stuffing: attackers try reused passwords across services. If they get in, they immediately reset the password to lock you out. If they fail, you still receive a flurry of reset and login alerts. In both cases, the fix is the same: remove reuse, secure the inbox, and revoke sessions.
Unexpected password change emails are not rare. The mistake is treating them as "email problems". The real problem is whether the control plane (email, recovery methods, sessions) is under your control.
If you can make that statement true again, the incident stops being ambiguous. You do not need perfect certainty. You need a clean account state you can defend.
