Facebook Primary Email Changed: What It Means and What to Do

Received Facebook Primary Email Changed?

A "primary email changed" alert from Facebook is one of the strongest takeover signals you can get. Attackers change the primary email because it cuts you off from password resets, security alerts, and the fastest recovery links.

If you only do one thing: secure the email inbox that used to be on the Facebook account, then go directly to facebook.com/hacked from a device you have used to log in before.

Start here (first 10 minutes)

  • Lock down your email first: change the email password, review forwarding and filters, and enable two-factor authentication (2FA).
  • Do not trust links in the notification email yet: confirm the message is real using Facebook's guidance on verifying emails from Meta.
  • Use the official recovery flow: open facebook.com/hacked and follow prompts from a known device and network if possible.
  • Preserve evidence: take screenshots of the alert, the timestamp, and any new email address or phone number you see in the account.

Confirm the alert is real (avoid the second trap)

Takeovers are often paired with phishing. The attacker wants you panicked and clicking. Before you act on an email that claims your Facebook email changed, validate that it really came from Meta.

  • Use Facebook's official instructions to confirm whether an email is legitimate: Check if an email is really from Facebook.
  • If you are unsure, do not click any buttons in the email. Type facebook.com/hacked into your browser and start recovery from there.
  • Watch for lookalike domains and "support" replies asking for codes. Legitimate support will not ask for your password or one-time 2FA codes.

If you want a practical checklist for spotting these traps, use how to identify scam emails while you recover.
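As an added example (not part of the original article), the lookalike-domain and spoofing checks above can be run against a saved copy of the alert. The allowlist entry, the function names and the sample message are assumptions made for this illustration; confirm the sender domains against Facebook's own guidance before relying on them.

```python
import email
import re
from email.utils import parseaddr

# Assumption: sender domains to accept. Confirm them against Facebook's own
# guidance on verifying emails from Meta before relying on this list.
TRUSTED_DOMAINS = {"facebookmail.com"}

# Constructed sample: a lookalike sender domain whose DMARC check failed.
SAMPLE_EML = """\
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=faceb00kmail.com;
 dkim=none; dmarc=fail header.from=faceb00kmail.com
From: "Facebook" <security@faceb00kmail.com>
Subject: Your primary email was changed

Click here to secure your account.
"""

def sender_domain(msg):
    """Domain of the From: address, lower-cased ('' if absent)."""
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rpartition("@")[2].lower()

def is_trusted(domain):
    """True for an allowlisted domain or a true subdomain of one."""
    return any(domain == d or domain.endswith("." + d) for d in TRUSTED_DOMAINS)

def auth_result(msg, method):
    """Verdict for dkim/dmarc from the topmost Authentication-Results header.
    Trust it only if your own mail provider stamped it; lower ones can be forged."""
    header = msg.get("Authentication-Results", "")
    m = re.search(rf"\b{method}=(\w+)", header, re.IGNORECASE)
    return m.group(1).lower() if m else "missing"

def triage(raw):
    """Return reasons not to trust the message (empty list means none found)."""
    msg = email.message_from_string(raw)
    domain = sender_domain(msg)
    reasons = []
    if not is_trusted(domain):
        reasons.append(f"sender domain not on allowlist: {domain or '(none)'}")
    for method in ("dkim", "dmarc"):
        verdict = auth_result(msg, method)
        if verdict != "pass":
            reasons.append(f"{method}={verdict}")
    return reasons

if __name__ == "__main__":
    print(triage(SAMPLE_EML))
```

An empty result only means these particular checks found nothing; starting recovery by typing facebook.com/hacked yourself remains the safer path.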

Stabilize the control plane before you fight Facebook

Facebook recovery depends heavily on the accounts and devices that prove you are you. If the attacker has access to your email inbox, phone number, or a logged-in device session, recovery can loop forever. Fix the control plane first.

| Control | What to check | Why it matters |
| --- | --- | --- |
| Email inbox | Password, 2FA, forwarding rules, filters, connected apps | The attacker uses email access to approve resets and intercept alerts. |
| Phone number | Carrier account access, unexpected SIM changes, SMS delivery | If SMS is used for 2FA or recovery, a hijacked number breaks recovery. |
| Known devices | Any device where you're still logged in to Facebook | Existing sessions can be the fastest way to reverse changes and log out the attacker. |
| Password manager | Vault security, device trust, recovery email | If the vault is compromised, every password reset becomes temporary. |

Common mistake: resetting Facebook repeatedly while the email inbox is still compromised. The attacker just keeps re-asserting control through resets.

Try to reverse the email change quickly

If you still have access to the email address that used to be primary, treat it as urgent. In many takeovers, Meta sends notifications that include an option to secure the account or reverse a change. Those links can be time-sensitive and may stop working after additional changes are made.

The safest approach is to use the official recovery and confirmation prompts from facebook.com/hacked, especially if you are not fully confident the notification email is genuine.

If you can log into Facebook from any device, also check your account's recent security emails in Facebook. This helps you separate real security events from spoofed messages. (You may be prompted to log in.)

If you're still logged in somewhere, use that access to kick the attacker out

A remaining session on a phone, tablet, or desktop can be your leverage. If you can still open Facebook without re-authenticating, move fast and do these in order:

  1. Change the Facebook password to a new, unique password (not used anywhere else).
  2. Remove any email addresses and phone numbers you do not control. Attackers often add a second email or phone before changing the primary.
  3. Log out unknown sessions so an attacker cannot ride a stolen session cookie.
  4. Enable 2FA and store backup codes safely.

When facebook.com/hacked does not work

Recovery can fail for reasons that are not obvious: you are on a new device, the attacker changed multiple signals (email, phone, password), or Meta is trying to avoid giving attackers an easy identity bypass.

When the flow stalls, the most reliable moves are operational, not clever:

  • Try from a known device and browser profile where you previously used Facebook. Avoid private browsing and VPNs during recovery.
  • Fix your email inbox and phone number first and wait for those changes to settle, then retry. Some recovery prompts depend on those signals being stable.
  • Search for old Facebook security emails in the original inbox (password resets, login alerts). Attackers sometimes delete alerts. Check the trash and spam folders too.
  • Look for additional affected accounts, because reuse of the same email password often impacts Instagram and other services linked through Accounts Center.

If you suspect broader compromise, start from "Been hacked? What to do first" to contain access across your accounts.

After recovery: make the takeover expensive to repeat

Most Facebook takeovers repeat because the underlying weakness is still present: reused passwords, weak email security, or a compromised device. Hardening should be short, targeted, and tied to the control plane.

1) Make passwords un-reusable

  • Use a password manager and rotate any password that was reused anywhere.
  • Prioritize the email account password first, then Facebook, then everything else that uses the same email.

2) Prefer strong 2FA methods

Enable 2FA on Facebook and on the email account that controls resets. If you have a choice, an authenticator app or security key is harder to hijack than SMS.

3) Reduce the recovery surface

  • Remove old phone numbers and email addresses that you no longer control.
  • Keep your recovery options up to date, but avoid using an email address that is itself lightly protected.

4) Watch for retaliation attempts

Some attackers try to regain access by triggering repeated password resets or by impersonating support. If you get a burst of security emails or login prompts, treat it as an active attack and tighten the control plane again.

For a broader Facebook-specific containment and hardening flow, use what to do if your Facebook account is compromised. When your email inbox and Facebook recovery options are secured, an email-change alert becomes a recoverable incident rather than a permanent lockout.