Facebook sends "someone may have accessed your account" when it detects a login that does not match your normal pattern. Sometimes it is benign (new device, VPN, travel). Sometimes it is the first visible sign of a takeover attempt. Treat it as a containment trigger and verify through official paths, not through the email link.
| Situation | Do this now | What you are trying to prevent |
|---|---|---|
| You can still log in | Change the password, sign out of other sessions, and review recovery email/phone. | Persistence through sessions and control-plane takeover. |
| You cannot log in | Use facebook.com/hacked to start Facebook’s recovery flow. | Lockout loops and phishing "recovery" scams. |
| You suspect the email is fake | Do not click anything in the message. Open Facebook directly, view the list of security emails Facebook has actually sent you in settings, and compare the sender domain with what you received. | Credential theft and one-time-code theft. |
Do not: enter your password or a one-time code after clicking an email link. If you need to act, open Facebook directly (app or typed URL) and work from there.
Step 1: Verify the email is real
Attackers copy Facebook security emails because they work. Before you do anything else, verify authenticity:
- Use Facebook’s own help article, Check if an email is really from Facebook, to confirm which domains Facebook sends from and to view the security emails it has actually sent to your account.
- If you are already logged in, check the account’s recent security emails and alerts inside Facebook rather than trusting your inbox.
Even if the email turns out to be fake, the same response applies: lock down the account and the inbox it uses. Scammers send fake alerts because they are betting on password reuse and weak recovery settings.
Step 2: Contain access (even if you are not sure)
Containment is reversible. Waiting is not. If you can log in, do these actions from a trusted device:
- Change your Facebook password to a unique one stored in a password manager.
- Sign out of other sessions and remove devices you do not recognize.
- Review recovery methods (email and phone). If either one is not yours, change it immediately.
- Review connected apps. Remove anything you do not recognize. Connected apps are a common persistence path.
If you cannot log in, start with facebook.com/hacked. If your email is also compromised, secure the email first, because that is the recovery channel for Facebook and everything else.
Step 3: Look for higher-signal evidence of compromise
Facebook warnings can be triggered by travel, VPNs, or new devices. The evidence that matters is whether something changed that you did not change.
| Evidence | Why it matters | What to do |
|---|---|---|
| New devices/sessions you do not recognize | Indicates real access, not just an attempted login | Sign out everywhere, rotate password, and re-check sessions |
| Email/phone changed | Control plane takeover. Attacker can lock you out. | Reverse changes and review recovery options immediately |
| Posts, messages, or friend requests you did not send | Account is being used to scam others | Delete malicious content, warn contacts via a separate channel, and secure sessions |
| New admins on Pages, new ad accounts, or billing changes | Monetization and persistence path for attackers | Review business settings and remove unknown roles/payment methods |
For a deeper evidence checklist, use how to tell your Facebook has been hacked.
Why this warning often appears
Facebook security detection is largely pattern-based. Common benign triggers include:
- Logging in from a new phone or browser profile
- Traveling or switching networks
- Using a VPN
Common malicious triggers include:
- Someone trying a reused password (credential stuffing)
- Phishing that harvested your password and a one-time code
- Stolen sessions from malware or browser compromise
If you keep getting alerts
Repeated alerts usually mean the attacker still has a path. The three most common causes are password reuse, a compromised email inbox, and persistent sessions or connected apps.
- Change the email password, not just Facebook’s password.
- Revoke sessions and remove connected apps you do not recognize.
- Enable two-factor authentication on both your email account and Facebook, preferring an authenticator app or security key over SMS codes.
If you received a password change email you did not request, handle it as a separate containment trigger: received Facebook password change.
If you are already locked out
Lockouts turn into scams because victims search for help and click the first "recovery" result. Use only official Meta entry points.
- Start with facebook.com/hacked.
- If your primary email was changed, see received Facebook primary email changed.
- If you need a full recovery playbook, use how to recover a hacked Facebook account.
This warning is useful because it is early. Treat it as an invitation to harden the control plane: secure email, rotate passwords, and remove unknown sessions. That is what prevents the next alert from becoming a lockout.
If you can prove you have removed attacker options (email recovery is yours, sessions are clean, connected apps are reviewed), the warning becomes a closed event instead of an open loop.
Most Facebook account incidents are not solved by one step. They are solved by sequence: verify, contain, remove persistence, then harden. That sequence holds even when the exact UI labels change.
Build an evidence pack once
During account incidents, people chase symptoms and forget to preserve proof. Evidence is not only for law enforcement. It is also for you, because memory drifts under stress.
- Screenshot the email subject line, sender domain, and timestamp.
- Screenshot the Facebook security alert inside the app/site if it appears there.
- Record unknown device names, locations, and times from session history.
- If messages were sent from your account, screenshot a few examples.
Once you have the evidence pack, stop collecting and move to containment. Endless screenshotting becomes a loop. Containment changes outcomes.
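The Step 1 sender and link comparison and the evidence-pack capture above can be done in one pass over a saved copy of the message. The script below is an added example, not part of the original page and not Facebook's tooling. It parses a raw .eml, extracts the fields the evidence pack needs (subject, date, sender domain, link hosts), and flags the signals that matter: a From or Return-Path domain outside the trusted list, a link host that merely starts with a Facebook name, and any mention of a one-time code. The trusted-domain tuples are assumptions that you should check against Facebook's own help page, and both messages are constructed samples. A clean result is not proof of authenticity (headers can be spoofed); the authoritative check remains the recent-emails list inside Facebook settings.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumption (not from the page): domains Facebook sends account email from and
# domains its links point to. Verify against Facebook's own help article.
TRUSTED_SENDER_DOMAINS = ("facebookmail.com", "facebook.com", "fb.com")
TRUSTED_LINK_DOMAINS = ("facebook.com", "fb.com", "fb.me", "meta.com")

LINK_RE = re.compile(r"https?://[^\s<>\"']+")
CODE_REQUEST_RE = re.compile(r"\b(code|one[- ]time|otp)\b", re.IGNORECASE)

# Constructed sample of a lookalike alert (hypothetical domains, not a real message).
SAMPLE_PHISH = """\
From: Facebook Security <security@facebook-mail-alerts.com>
Return-Path: <bounce@mailer-xyz.example>
Reply-To: support@facebook-mail-alerts.com
Subject: Someone may have accessed your account
Date: Tue, 04 Jun 2024 09:12:44 +0000
Content-Type: text/plain; charset=utf-8

We detected a login from a new device. If this wasn't you, secure your account:
https://facebook.com.security-check-login.example/recover?uid=1
Or confirm the code 482913 here: http://fb-verify.example/code
"""

# Constructed sample shaped like a genuine alert (for contrast only).
SAMPLE_LEGIT = """\
From: Facebook <security@facebookmail.com>
Return-Path: <notification@facebookmail.com>
Subject: Someone may have accessed your account
Date: Tue, 04 Jun 2024 09:15:00 +0000
Content-Type: text/plain; charset=utf-8

Review this login at https://www.facebook.com/settings/security
"""


def address_domain(header_value) -> str:
    """Lowercased domain of an address header, or '' when absent."""
    _, addr = parseaddr(str(header_value or ""))
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def is_under(host: str, trusted: tuple) -> bool:
    """True if host equals a trusted domain or is a subdomain of one.
    The suffix rule is what defeats 'facebook.com.evil.example': the trusted
    name on the left of a hostname proves nothing, only the registrable suffix does."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in trusted)


def looks_like_meta(host: str) -> bool:
    """Hostname carries a Meta brand string; only meaningful when is_under() is False."""
    return any(brand in host.lower() for brand in ("facebook", "fb", "meta"))


def analyze_alert(raw_eml: str) -> dict:
    """Return an evidence record plus findings for one saved alert email."""
    msg = message_from_string(raw_eml, policy=policy.default)
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body else ""

    from_domain = address_domain(msg["From"])
    return_path_domain = address_domain(msg["Return-Path"])
    reply_to_domain = address_domain(msg["Reply-To"])
    link_hosts = sorted({urlparse(u).hostname or "" for u in LINK_RE.findall(text)})

    findings = []
    if not is_under(from_domain, TRUSTED_SENDER_DOMAINS):
        kind = "lookalike sender domain" if looks_like_meta(from_domain) else "untrusted sender domain"
        findings.append(f"{kind}: {from_domain or '(none)'}")
    if reply_to_domain and reply_to_domain != from_domain:
        findings.append(f"Reply-To domain differs from From: {reply_to_domain}")
    if return_path_domain and not is_under(return_path_domain, TRUSTED_SENDER_DOMAINS):
        findings.append(f"Return-Path not a Facebook domain: {return_path_domain}")
    for host in link_hosts:
        if not is_under(host, TRUSTED_LINK_DOMAINS):
            kind = "lookalike link host" if looks_like_meta(host) else "off-Facebook link host"
            findings.append(f"{kind}: {host}")
    if CODE_REQUEST_RE.search(text):
        findings.append("message asks for or mentions a one-time code")

    # Evidence-pack fields: subject, sender domain, timestamp, plus link hosts.
    return {
        "subject": str(msg["Subject"] or ""),
        "date": str(msg["Date"] or ""),
        "from_domain": from_domain,
        "return_path_domain": return_path_domain,
        "link_hosts": link_hosts,
        "findings": findings,
        "verdict": "do not click; verify inside Facebook" if findings
                   else "header and link checks pass (still verify inside Facebook)",
    }


if __name__ == "__main__":
    for sample in (SAMPLE_PHISH, SAMPLE_LEGIT):
        record = analyze_alert(sample)
        print(record["verdict"])
        for finding in record["findings"]:
            print("  -", finding)
```

Save the suspicious message as an .eml from your mail client and pass its text to analyze_alert; the returned dictionary is the evidence record to keep. The lookalike check is deliberately a suffix match rather than a substring match, because the usual trick is a real brand name at the left of a hostname you do not control.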
Hardening that prevents the next alert
After you contain access, the goal is to reduce the likelihood that the same attacker can come back through the same path.
Secure the inbox that resets Facebook
If your email account is weak, Facebook security is weak. That is true even if your Facebook password is strong. Secure the inbox with a unique password, two-factor authentication (an authenticator app or security key where the provider supports one), and alerts for new logins.
Reduce phone-number risk
If your phone number is used for login or recovery, protect it. SIM swapping is not the most common attack, but when it happens it can bypass SMS-based verification. If you suddenly stop receiving calls or texts, treat it as urgent and contact your carrier.
Treat one-time codes like passwords
A common takeover path that begins with an email alert ends with someone asking for your code. The social trick is always the same: "I just sent you a code by accident" or "I need you to verify". If you provide it, you are giving them the key.
Common mistake: thinking that a one-time code is safe to share because it expires. It only needs to be valid for a few seconds to be weaponized.
If you run Pages or ads, check for monetization abuse
Attackers target accounts with access to Pages, ad accounts, or connected payment methods because they can monetize quickly. If you have any business assets attached, add an extra verification pass:
- Check for new admins on Pages and remove unknown roles.
- Review ad accounts for active campaigns you did not create.
- Review payment methods and remove anything you did not add.
If you find business asset abuse, containment is still the same: remove access, revoke sessions, rotate passwords, and tighten recovery. Then keep a close watch for a few days because attackers often try again.
What not to do
Most harm after a Facebook alert comes from panic clicks and side-channel help.
- Do not hire a "recovery" person in DMs. Many are scams.
- Do not install remote access apps to "prove" you are the owner.
- Do not keep trying passwords repeatedly. Use the official recovery flow instead.
The warning is not a verdict. It is a prompt. If you verify the email, revoke sessions, and secure recovery methods, you reduce the chance that this becomes a lockout or a friend-scam cascade.
When you can explain why the alert happened (new device vs unknown session) and you can prove the control plane is yours (email, phone, sessions), the incident becomes a closed event. That is the outcome to optimize for.
If you already clicked the email link
Clicking a link is not automatically a compromise. The compromise usually happens when you enter credentials, enter a one-time code, or approve a push prompt in response to the link.
| What you did | Risk level | What to do next |
|---|---|---|
| You clicked but did not enter anything | Lower | Close the tab, then verify the alert inside Facebook. Still rotate the password if you are unsure. |
| You entered your password | Higher | Change the password immediately and sign out of other sessions. Assume the password is known to an attacker. |
| You entered a one-time code or approved a push | Highest | Contain immediately: rotate password, revoke sessions, review recovery methods, remove connected apps, and monitor for changes. |
If you are seeing multiple account alerts across services, treat it as broader compromise and work from the control plane down. Start with been hacked.
A practical sequence when you have limited time
Most people fail here because they switch tasks too often. Use a sequence that collapses attacker options fast.
- First 5 minutes: verify the email inside Facebook settings, change password, sign out everywhere.
- Next 15 minutes: confirm recovery email and phone are yours, remove unknown connected apps, and enable two-factor authentication (authenticator app or security key rather than SMS where possible).
- Next 30 minutes: check business assets (Pages, ads, payment methods) and warn contacts if messages were sent.
This works because it focuses on what attackers use to persist: sessions, recovery channels, and monetization surfaces.
Security alerts are noisy by design. The disciplined response is not to panic. It is to reduce attacker options until the alert becomes irrelevant.
When the control plane is clean, you can treat future alerts as a signal to investigate, not as a signal that you are already lost.
