Some Facebook takeovers persist because the attacker links additional identities inside Accounts Center. That can look like an unfamiliar account or an unfamiliar "Meta" identity attached to your Facebook profile. The practical risk is persistence: even after you change your password, the attacker can return through a linked account, a saved session, or a recovery method they control.
Rule of thumb: if an attacker can reset your email or keep an active session, they can usually come back. Secure the control plane first, then remove linked access.
Immediate steps (choose the situation)
| Situation | Do this first | Then do this |
|---|---|---|
| You can still log in to Facebook | Secure your email inbox from a clean device | Remove unknown linked accounts in Accounts Center and sign out unknown sessions |
| You cannot log in | Use the official hacked flow once your inbox is secure | After recovery, review linked accounts and contact info immediately |
| You see an unknown account in Accounts Center | Capture screenshots and the account identifiers | Remove it if possible, then rotate credentials and harden recovery |
| You keep getting re-compromised | Treat it as persistence and audit recovery methods and sessions | Repeat containment until the attacker loses all re-entry paths |
For a broader Facebook containment sequence, use what to do if your Facebook account is compromised. If you received an email that your primary email changed, use received Facebook primary email changed.
1) Secure the control plane (email and devices)
Before you try to remove linked accounts, make sure the inbox that can reset Facebook is stable. If the attacker controls email, they can re-link accounts and reverse your changes.
- Change the email password and enable two-factor authentication on the email account, preferably with an authenticator app or security key rather than SMS.
- Check email forwarding rules, filters, delegates, and recovery methods for anything you did not add. A common persistence trick is a filter that forwards or trashes mail from Facebook so you never see the password-reset and login-alert messages the attacker triggers.
- Update devices and browsers, and remove suspicious extensions before re-entering passwords on them.
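The filter and forwarding check above is the one people most often skip, so here is an added example (not from the article, Meta, or Google) of auditing it programmatically. It assumes the input shape of the Gmail API Filter resource (criteria plus an action with addLabelIds, removeLabelIds, forward) and AutoForwarding resource (enabled, emailAddress, disposition), which is what users.settings.filters.list and users.settings.getAutoForwarding return; the sample filters and the known-good forward list are constructed for illustration, and a real run would substitute the live API responses.

```python
"""Audit mailbox filters and auto-forwarding for takeover persistence.

Added example (not from the article, Meta, or Google). The input shape
mirrors the Gmail API's Filter resource (criteria + action with
addLabelIds / removeLabelIds / forward) and AutoForwarding resource
(enabled / emailAddress / disposition); that mapping is an assumption,
and the sample data below is constructed for illustration.
"""
from dataclasses import dataclass

# Senders whose mail an attacker most wants to hide from the account owner.
PLATFORM_SENDER_DOMAINS = ("facebook.com", "facebookmail.com", "meta.com")


@dataclass(frozen=True)
class Finding:
    source: str     # filter id, or "auto-forwarding"
    severity: str   # "high" or "medium"
    reason: str


def _mentions_platform(criteria: dict) -> bool:
    """True if any criterion (from/to/subject/query) names a platform sender."""
    text = " ".join(str(v) for v in criteria.values()).lower()
    return any(domain in text for domain in PLATFORM_SENDER_DOMAINS)


def _hides_mail(action: dict) -> bool:
    """Filter sends matches to Trash or skips the Inbox: the owner never sees them."""
    return ("TRASH" in action.get("addLabelIds", [])
            or "INBOX" in action.get("removeLabelIds", []))


def audit_filters(filters: list, known_good_forwards=frozenset()) -> list:
    """Flag filters that forward to unknown addresses or hide platform security mail."""
    findings = []
    for flt in filters:
        fid = flt.get("id", "?")
        criteria = flt.get("criteria", {})
        action = flt.get("action", {})

        forward_to = action.get("forward")
        if forward_to and forward_to.lower() not in known_good_forwards:
            findings.append(Finding(fid, "high",
                            f"forwards matching mail to unrecognized address {forward_to}"))

        if _hides_mail(action):
            if _mentions_platform(criteria):
                findings.append(Finding(fid, "high",
                                "hides mail from Facebook/Meta senders (password resets, login alerts)"))
            else:
                findings.append(Finding(fid, "medium",
                                "trashes or archives matching mail without the owner seeing it"))
    return findings


def audit_auto_forwarding(setting: dict, known_good_forwards=frozenset()) -> list:
    """Account-wide auto-forwarding to an unknown address gives the attacker every reset mail."""
    if not setting.get("enabled"):
        return []
    target = setting.get("emailAddress", "").lower()
    if target in known_good_forwards:
        return []
    reason = f"all mail auto-forwarded to unrecognized address {target}"
    if setting.get("disposition") == "trash":
        reason += " and the local copy is trashed"
    return [Finding("auto-forwarding", "high", reason)]


# Constructed sample: one ordinary newsletter filter, one attacker filter that
# buries Facebook security mail, one that forwards anything about Facebook/Meta.
SAMPLE_FILTERS = [
    {"id": "f1", "criteria": {"from": "news@example.com"},
     "action": {"addLabelIds": ["Label_7"], "removeLabelIds": ["INBOX"]}},
    {"id": "f2", "criteria": {"from": "security@facebookmail.com"},
     "action": {"addLabelIds": ["TRASH"], "removeLabelIds": ["INBOX"]}},
    {"id": "f3", "criteria": {"query": "facebook OR meta"},
     "action": {"forward": "dropbox-9f2@example.net"}},
]
SAMPLE_AUTO_FORWARDING = {"enabled": True, "emailAddress": "dropbox-9f2@example.net",
                          "disposition": "trash"}


def run_audit(filters, auto_forwarding, known_good_forwards=frozenset()):
    """Combine both checks; pass the addresses you knowingly forward to as known_good_forwards."""
    return (audit_filters(filters, known_good_forwards)
            + audit_auto_forwarding(auto_forwarding, known_good_forwards))


if __name__ == "__main__":
    for f in run_audit(SAMPLE_FILTERS, SAMPLE_AUTO_FORWARDING):
        print(f"[{f.severity}] {f.source}: {f.reason}")
```

The sample flags the newsletter filter only at medium severity (archiving is normal), while the filter that trashes facebookmail.com messages, the forward to an unknown address, and the account-wide auto-forward with a trashed local copy are all high: each one lets the attacker receive or suppress the reset mail that Facebook recovery depends on. Delete anything flagged high that you did not create before you start the Facebook side of containment.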
2) Remove unknown linked accounts in Accounts Center
Accounts Center is where Meta manages cross-account linking. If you see an account you do not control, remove it as soon as you can. Meta documents how to remove an account from Accounts Center here: remove an account from Accounts Center.
Labels and menus vary by device and region. The stable goal is to ensure that only accounts you control are linked to your Facebook profile.
Common mistake: changing your Facebook password but leaving an attacker-controlled linked account in Accounts Center. That keeps a re-entry path open.
3) End unknown sessions and rotate credentials
Assume the attacker has an active session somewhere. After you remove unknown links:
- Sign out of sessions you do not recognize (or sign out everywhere if available).
- Change your Facebook password to a strong, unique password. Do not assume the password change alone ends sessions you did not explicitly sign out; check the active sessions list again afterwards.
- Enable two-factor authentication, preferring an authenticator app or security key over SMS (especially if a phone number you do not recognize is still on the account), and store backup codes safely.
For the official hacked recovery flow when you cannot log in, use facebook.com/hacked. If you cannot find your account, try facebook.com/login/identify.
4) Fix recovery methods and contact information
Attackers commonly add their own email or phone number to regain access later. Review:
- Primary email and phone number on the Facebook account.
- Recovery email and phone methods associated with Meta accounts.
- Any new devices or trusted browsers added during the compromise window.
5) When removal fails or the attacker keeps returning
If you cannot remove the unknown account, or it reappears, treat it as a persistence problem, not a one-time password problem. Persistence often involves:
- Session hijacking (stolen cookies/tokens), which can outlive a password change if the session is never explicitly ended.
- Compromised email recovery control, which lets the attacker reset the password again at will.
- Linked account persistence in Accounts Center, which gives the attacker a second identity that is still trusted by yours.
Use how to recover a hacked Facebook account for the full recovery sequence and how to secure your Facebook account for hardening after you regain control. If the compromise keeps recurring, the term references for session hijacking and account takeover can help you reason about why the attacker keeps re-entering.
Accounts Center linking is useful when you control it. It is dangerous when an attacker does. The strategic fix is not complicated: secure the inbox, remove linked attacker access, end sessions, and harden recovery.
Once those layers are stable, re-compromise becomes harder to achieve and easier to detect. The takeover stops being a loop and becomes a bounded incident.
That is the outcome to optimize for: fewer re-entry paths, fewer sessions you cannot see, and a recovery channel that belongs to you again.
