hacked.com

Facebook Account Compromised: Recover Access and Lock It Down

What To Do if Your Facebook Account Is Compromised

A compromised Facebook account is usually an account takeover problem, not a Facebook-only problem. Attackers use the account to run scams, hijack Pages, buy ads, and pivot into your email or other accounts through password resets.

Start with the control plane, not the symptoms. If you still control the inbox or a live Facebook session, use that leverage first. If you do not, use Meta's official recovery path before you try to clean up the profile.

| Situation | First move | Why it comes first |
| --- | --- | --- |
| You can still log in somewhere | Secure email, then change the Facebook password and end unknown sessions. | A live session is the fastest way to remove attacker access. |
| You are locked out | Use facebook.com/hacked, then fall back to facebook.com/login/identify if needed. | Those are Meta's current self-service entry points for hacked or inaccessible accounts. |
| Your primary email changed | Check the alert, reverse it if possible, and route to the primary-email change branch. | The inbox controls the reset path. |
| Pages or ads were affected | Preserve billing evidence and move into the business-asset recovery path. | The blast radius is larger than the profile itself. |

If you only do one thing: secure the email inbox tied to Facebook before you retry any login or appeal flow. If the inbox is still exposed, every reset can be intercepted.

First 10 minutes

Use the path that matches your state instead of guessing. Labels and menus can vary by device and region, but the order does not change much.

If the account is disabled as well as compromised, switch to "How to recover your disabled Facebook account after a hack". If the compromise started with a primary email change, use "Facebook primary email changed" to handle the inbox reversal first.

Do not: run recovery from a device that still looks compromised. A browser extension, stolen session, or infostealer can undo the reset as fast as you make it.

If you can still sign in

Act from the account and from the inbox at the same time. Facebook documents the current session and authentication flows in its help center, including logging out on another device and how two-factor authentication works on Facebook.

  • Change the Facebook password to a unique password you do not use anywhere else.
  • End sessions you do not recognize.
  • Remove unfamiliar email addresses, phone numbers, and recovery methods from Accounts Center.
  • Review the email inbox attached to the account for forwarding rules, filters, or recovery changes.
  • Enable stronger sign-in protection, then store recovery codes somewhere offline and safe.

Common mistake: changing the Facebook password but leaving the email inbox open. That only delays the next takeover.

If you are locked out

Meta's current recovery surfaces are still the hacked-account flow at facebook.com/hacked and the account lookup path at facebook.com/login/identify. Use a device and browser you have used to log in before when possible, because that usually matches the account history better than a brand-new device.

If the account is disabled, do not keep cycling the same hacked-account steps. The disabled-after-hack article is the right branch because it separates recovery from enforcement review and evidence handling.

When Meta sends a security email, verify that it is real before acting on it. Meta's help center has a dedicated page for checking whether an email is really from Facebook: Check if an email is really from Facebook.

If Pages or ads were affected

Pages, ad accounts, and payment methods can keep causing damage after the profile itself is back. Save invoices, payment alerts, ad spend screenshots, and any role or admin changes before you clean anything up. Then route the incident into the page or business recovery branch instead of trying to solve it only inside the personal profile.

Use Recover a Facebook Business Page or a Facebook Business Manager if the attacker touched business assets. If the account was disabled after ad abuse or policy-violating posts, use the disabled-after-hack article first, then come back here for the containment work.

After recovery

Once the account is stable, clean up the slower risks: profile changes, messages sent to friends, linked devices, and recovery methods you no longer control. Then move the account into the hardening path so the same compromise does not repeat.

For the next step, use how to secure your Facebook account for the hardening sequence and how to recover a hacked Facebook account for the broader takeover playbook when you need the longer version.

A Facebook compromise becomes durable when the inbox, session state, and recovery methods all belong to you again. Until those three controls are clean, the account is still recoverable by the attacker. Once they are clean, the incident becomes a reset, not a recurring loop.