A compromised Facebook account is usually an identity problem, not a Facebook-only problem. Attackers use Facebook access to run scams, hijack Pages, buy ads, and pivot into your email or other accounts through password resets.
Start by stabilizing the control plane: your email inbox and the devices where you are already logged in. Then remove the attacker’s sessions and change what they can use to get back in.
Immediate steps (choose your path)
| Situation | Do this first | Then do this |
|---|---|---|
| You can still log in | Secure your email account from a separate, trusted device | Change Facebook password, log out unknown sessions, enable 2FA |
| You cannot log in | Use facebook.com/hacked on a device you’ve used before | Try facebook.com/login/identify if you cannot find the account |
| You got an email saying your primary email changed | Confirm the email is real, then reverse the change if possible | Follow the full containment steps below |
Safety note: Do not share login codes or recovery links with anyone. "Support" scammers often ask for codes to finish the takeover.
1) Secure your email first
If an attacker controls your email inbox, they can usually reset Facebook again even after you change your password. From a separate, trusted device:
- Change your email password and sign out of other sessions.
- Enable strong sign-in protection on email (2FA, passkeys, or security keys where available). See the two-factor authentication (2FA) explainer if you need a quick model.
- Check your forwarding and filter rules, recovery email/phone settings, and any third-party app access or app passwords for anything you did not add. Forwarding rules are a common way an attacker keeps reading your reset emails after you change the password.
2) Verify and use Meta’s official recovery flow
Meta’s first-line recovery flow for hacked accounts is the dedicated portal. Use a device and browser you’ve used to log into Facebook before when possible:
- Hacked account recovery: facebook.com/hacked
- If you cannot find your account by email or phone, try: facebook.com/login/identify
If you receive a security email from Facebook, confirm it is legitimate before acting on it. Meta publishes the domains it uses and a way to review recent security emails inside your account: Check if an email is really from Facebook.
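Added example (not Meta's code and not part of the original page): a header-level triage that applies the same checks by hand, for anyone who wants to look past the display name before clicking anything. It assumes an illustrative allow-list of sender domains (TRUSTED_DOMAINS; confirm it against the list Meta publishes), a hypothetical receiving server mx.example.net, and two constructed emails, one aligned and one lookalike.

```python
"""Triage a suspected Facebook security email by its headers.

Added example, not Meta's code. TRUSTED_DOMAINS is an assumption for
illustration; check it against the sender domains Meta publishes before
relying on it. The sample emails below are constructed.
"""
import re
from email import message_from_string
from email.utils import parseaddr

# Assumed allow-list (illustrative). Replace with Meta's published list.
TRUSTED_DOMAINS = {"facebookmail.com", "facebook.com"}

AUTH_VERDICT_RE = re.compile(r"\b(spf|dkim|dmarc)=(\w+)", re.IGNORECASE)
DKIM_DOMAIN_RE = re.compile(r"header\.(?:d=|i=@)([\w.-]+)", re.IGNORECASE)
URL_HOST_RE = re.compile(r"https?://([\w.-]+)", re.IGNORECASE)


def domain_of(address):
    """Lower-cased domain part of an address, or '' if there is none."""
    _, addr = parseaddr(address)
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def in_trusted_zone(host):
    """True when host is a trusted domain or a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)


def auth_verdicts(msg):
    """spf/dkim/dmarc results and the DKIM signing domain.

    Only the Authentication-Results header your own mail provider added
    (normally the topmost one) is trustworthy; lower ones can be forged
    by the sender, so only the first header is read here.
    """
    headers = msg.get_all("Authentication-Results") or []
    if not headers:
        return {}, ""
    top = headers[0]
    verdicts = {m.lower(): r.lower() for m, r in AUTH_VERDICT_RE.findall(top)}
    dkim = DKIM_DOMAIN_RE.search(top)
    return verdicts, (dkim.group(1).lower() if dkim else "")


def body_text(msg):
    """Concatenated text/plain parts of the message."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    chunks = []
    for part in parts:
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True) or b""
            charset = part.get_content_charset() or "utf-8"
            chunks.append(payload.decode(charset, errors="replace"))
    return "\n".join(chunks)


def triage(raw_email):
    """Return (verdict, reasons); verdict is 'trusted' or 'suspicious'."""
    msg = message_from_string(raw_email)
    reasons = []

    sender = domain_of(msg.get("From", ""))
    if not in_trusted_zone(sender):
        reasons.append(f"From domain {sender!r} is not an allow-listed sender")
        if any(word in sender for word in ("facebook", "meta")):
            reasons.append("From domain is a lookalike of a trusted brand")

    verdicts, dkim_domain = auth_verdicts(msg)
    if verdicts.get("dkim") != "pass":
        reasons.append("DKIM did not pass on the receiving server")
    if verdicts.get("dmarc") != "pass":
        reasons.append("DMARC did not pass on the receiving server")
    if dkim_domain and dkim_domain != sender:
        reasons.append(f"DKIM domain {dkim_domain!r} does not match From domain")

    # Any link that leaves the trusted zone is a reason to type the URL yourself.
    for host in URL_HOST_RE.findall(body_text(msg)):
        if not in_trusted_zone(host):
            reasons.append(f"link to non-Facebook host {host!r}")

    return ("trusted" if not reasons else "suspicious"), reasons


# Constructed sample: aligned sender, passing authentication, on-domain link.
LEGIT = """\
Authentication-Results: mx.example.net; dkim=pass header.i=@facebookmail.com header.s=s1024; spf=pass smtp.mailfrom=facebookmail.com; dmarc=pass header.from=facebookmail.com
From: Facebook <security@facebookmail.com>
To: you@example.net
Subject: Your primary email was changed
Content-Type: text/plain; charset="utf-8"

If you did not make this change, review it at:
https://www.facebook.com/hacked
"""

# Constructed sample: lookalike sender, failing authentication, off-domain link.
PHISH = """\
Authentication-Results: mx.example.net; dkim=fail header.i=@facebook-security-alerts.com; spf=softfail smtp.mailfrom=facebook-security-alerts.com; dmarc=fail header.from=facebook-security-alerts.com
From: Facebook Support <help@facebook-security-alerts.com>
To: you@example.net
Subject: Urgent: confirm your login code
Content-Type: text/plain; charset="utf-8"

Your account will be disabled. Confirm your code here:
http://facebook-security-alerts.com/confirm
"""

if __name__ == "__main__":
    for name, raw in (("legit", LEGIT), ("phish", PHISH)):
        verdict, reasons = triage(raw)
        print(name, verdict, *reasons, sep="\n  ")
```

The checks are deliberately conservative: a message is only "trusted" when the From domain is on the allow-list, DKIM and DMARC both passed on your own receiving server, the DKIM signing domain matches From, and every link stays on a trusted domain. Even then, the safe move is the one the page recommends: do not follow the link, open facebook.com and review recent security emails from inside your account.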
3) Remove the attacker’s access
Once you can access the account again, assume the attacker still has an active session somewhere. End those sessions and change credentials back to back: an ended session does nothing if the attacker can log straight back in with the stolen password, and a new password does nothing if an old session token stays valid.
- Log out of sessions you do not recognize using Accounts Center: Log out of Facebook on another device.
- Change your Facebook password to a strong, unique password not used anywhere else.
- Enable two-factor authentication and save recovery codes somewhere safe: How two-factor authentication works on Facebook.
4) Fix contact info and reversals (email, phone, recovery)
Attackers commonly add their own email or phone number so they can recover the account later. In Accounts Center, review contact information and remove anything you do not control.
If you received a "primary email changed" alert, treat it as urgent. Meta notes that email changes can often be reversed using a special link sent to the previous email address, which is one more reason to lock down that inbox first. For a focused response sequence, see the "received Facebook primary email changed" guide.
5) Clean up damage (posts, messages, Pages, ads)
After you regain control, check for actions that can create ongoing harm:
- Messages sent to friends or groups that you did not send (scam distribution).
- New Pages, ad accounts, or payment methods you did not add.
- Profile or name changes that could trigger additional verification.
A Facebook compromise often turns into a long recovery loop when the attacker controls the recovery channels. If you secure email first, end all sessions, and move sign-in away from SMS wherever possible (SMS codes are exposed to SIM-swap and number-porting attacks that an authenticator app or security key is not), the compromise usually becomes a one-time event instead of a recurring incident.
