Why Was My Facebook Account Hacked? The Real Causes and Fixes

Most Facebook “hacks” are not a technical break-in. They are an identity failure: an attacker gets your password, your session, or your recovery channel, then uses Facebook as a platform for scams, impersonation, or monetization.

Recovery is durable only when you remove the access path that caused the takeover. A password reset alone often fails because the attacker still controls the email inbox, the phone number, or an active session.

Start here: stop the repeat takeover

  • Secure your email first: email controls password resets. Change the email password, enable strong authentication, and remove unknown sessions.
  • Change your Facebook password: make it unique and long. Do it from a trusted device.
  • Log out other sessions: end sessions on devices you do not recognize.
  • Enable two-factor authentication: use an authenticator app where possible and store backup codes safely.
  • Audit recovery info and connected apps: remove unknown phone numbers, emails, and third-party access.
  • Warn contacts if scams were sent: attackers often message friends for money or codes.

If you only do one thing: secure the email inbox tied to Facebook. If an attacker still has your email, they can usually retake the account.

How Facebook accounts usually get compromised

| Cause | What it looks like | Why it keeps happening | Fix that changes outcomes |
| --- | --- | --- | --- |
| Password reuse | You never clicked anything, but you are locked out | Old passwords from other breaches still work | Unique password + 2FA on the control plane |
| Phishing | “Meta support” or “account disabled” messages with a login link | Urgency makes you bypass verification | Never sign in from links, verify inside the app |
| Email compromise | Password reset emails were read or deleted | Email is the reset authority for many accounts | Secure email, remove forwarding rules, rotate passwords |
| Session hijack | You changed your password, but suspicious activity continues | Attacker still has a live session token | Log out other devices, revoke sessions and connected apps |
| Phone number takeover | You lose service, then accounts start resetting | SMS resets and verification codes get intercepted | Carrier protection + move away from SMS where possible |
| Device compromise | Strange browser extensions, pop-ups, unknown apps | Credentials and sessions get captured again | Clean the device, then rotate credentials from a trusted device |

Prove the access path before you “fix” it

Guessing is how people get stuck in a loop. Aim for a minimal factual picture:

  • Did your email get compromised? Look for unexpected login alerts, new devices, and new forwarding rules.
  • Was your password reused? If you used the same password on other sites, assume credential stuffing.
  • Did you click a login link? If yes, assume phishing and rotate from a trusted device.
  • Is there a live attacker session? If activity continues after a password change, you likely need to end sessions.
  • Did your phone number fail? Loss of service can be a sign of SIM swapping.

Common mistake: changing the Facebook password on the same device and browser that was used to get phished. If the device or browser is compromised, the new password is captured too.

Password reuse and credential stuffing

This is the quietest path. You do not need to click anything. Attackers take email and password pairs from older breaches and try them across major platforms. If your Facebook password was reused, “hacked” can mean “your old password still works”.

Fix: a unique password plus 2FA on the control plane, as in the table above.

Phishing and fake support

Phishing is not about “being dumb”. It is about channel control. Attackers create a situation where you feel you must act quickly, then route you to a fake login page or a fake “appeal” form.

Common pretexts:

  • “Your account will be disabled”
  • “Copyright violation”
  • “We detected suspicious login, verify now”
  • “Your Business Page is at risk”

Fix:

  • Do not sign in from links in messages. Navigate to the app or a known official domain.
  • Learn the practical tells in how to identify scam emails.
  • Use a password manager. Autofill failures on lookalike domains are a strong warning signal.
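
Why the autofill failure is such a reliable tell: a password manager matches saved logins by origin, not by what the page looks like. The following Python is an added illustration written for this article, not code from hacked.com or from any password manager; the vault entry is constructed, and the two-label registrable-domain rule is an assumption standing in for the Public Suffix List that real managers consult.

```python
from urllib.parse import urlsplit

# Constructed vault entry (not a real credential): the origin the login was
# saved under. A real manager keeps one of these per saved login.
VAULT = {"https://www.facebook.com/login": "user@example.com"}


def registrable_domain(host: str) -> str:
    """Naive eTLD+1: the last two labels of the host.

    Real password managers consult the Public Suffix List so that a suffix
    such as 'co.uk' is not mistaken for a site; the two-label shortcut is an
    assumption made here to keep the example dependency-free.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def autofill_decision(vault_url: str, page_url: str) -> dict:
    """Decide whether the credential saved for vault_url may be filled on page_url.

    Mirrors the matching rules managers apply: HTTPS only, no punycode or
    non-ASCII labels when the saved site is plain ASCII, and the same
    registrable domain (subdomains such as m.facebook.com are fine).
    """
    saved_host = (urlsplit(vault_url).hostname or "").lower()
    page = urlsplit(page_url)
    page_host = (page.hostname or "").lower()

    if page.scheme != "https":
        return {"fill": False, "reason": f"scheme is {page.scheme!r}, not https"}

    # Homoglyph lookalikes reach the browser as xn-- labels or raw non-ASCII;
    # a site saved as ASCII should never match one of those.
    if not page_host.isascii() or any(label.startswith("xn--") for label in page_host.split(".")):
        return {"fill": False, "reason": "host has punycode or non-ASCII labels"}

    page_site, saved_site = registrable_domain(page_host), registrable_domain(saved_host)
    if page_site != saved_site:
        return {"fill": False, "reason": f"site {page_site!r} is not the saved site {saved_site!r}"}

    return {"fill": True, "reason": "same registrable domain over https"}


def check_page(page_url: str) -> dict:
    """Offer a credential only if some vault entry matches; otherwise explain why not.

    The 'fill: False' outcome is the signal the text describes: the manager
    stays silent on a page that looks exactly like the real login form.
    """
    reasons = []
    for vault_url in VAULT:
        decision = autofill_decision(vault_url, page_url)
        if decision["fill"]:
            return decision
        reasons.append(decision["reason"])
    return {"fill": False, "reason": "; ".join(reasons)}


if __name__ == "__main__":
    for url in ("https://m.facebook.com/login.php",
                "https://www.facebook.com.account-verify.example/login",
                "http://www.facebook.com/login",
                "https://faceb00k.com/login"):
        print(url, "->", check_page(url))
```

The practical lesson is the asymmetry: a human compares the page to a memory of how the login form looks, while the manager compares the address to a string it stored. A lookalike host such as `www.facebook.com.account-verify.example` or `faceb00k.com` fools the first comparison and never the second, which is why a silent manager on a “login” page should end the session, not prompt you to type the password by hand.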

Email compromise is the control-plane failure

If an attacker controls your email inbox, they can often retake Facebook through password resets, even if you set a strong password on Facebook. Email compromise also allows stealth persistence through forwarding rules and session tokens.

What to check in your email account

  • Unknown devices or sessions
  • Mailbox forwarding rules you did not create
  • New recovery email or phone numbers
  • Security alerts that were marked as read or archived

If you need a structured sequence for securing multiple accounts, use Been hacked? What to do first.

Session hijacking and “I changed my password but it keeps happening”

Attackers do not always need your password if they have an active session token. That is why suspicious activity sometimes continues even after you reset credentials.

Fix:

  • End sessions on other devices and logins you do not recognize.
  • Revoke connected apps you do not need.
  • Re-check your recovery email and phone number inside Facebook settings.

Facebook’s Help Center has guidance on how to log out of Facebook on another computer, phone, or tablet: Help Center: log out of another device.

Phone number takeover and SIM swapping

If your phone suddenly stops receiving calls or texts, treat it as a security incident. Attackers can use phone number access to intercept SMS codes and abuse account recovery.

Fix:

  • Contact your carrier using the official number and ask whether your SIM changed or your number was ported.
  • Add a carrier account PIN and additional protections where available.
  • Move away from SMS for 2FA where possible. Keep SMS as a fallback only if needed.

Related: SIM swapping and how it leads to account takeover.

Device or browser compromise

Sometimes the issue is not Facebook. It is the device you use to sign in. Browser extensions, unwanted apps, and fake “security” tools can capture credentials and sessions.

Signals:

  • New browser extensions you do not recognize
  • Persistent pop-ups, redirects, or login pages that look slightly wrong
  • New device management profiles or “helper” apps

Fix:

  • Remove unknown extensions and reset browser notification permissions.
  • Update OS and browser, then reboot.
  • Change critical passwords from a different trusted device first if you suspect compromise.

Companion: how to check if your phone is hacked.

Connected apps and persistent third-party access

Facebook accounts often have third-party apps connected for login, games, quizzes, scheduling tools, or marketing. If an attacker compromises a connected app, they can sometimes maintain access even after you change passwords.

Fix:

  • Review connected apps and remove anything you do not recognize or no longer use.
  • Prefer “sign in with” only where you trust the service and need the convenience.
  • After removing access, end sessions and rotate passwords.

Business assets make compromises more profitable

If your Facebook account has access to Pages, ad accounts, or Business Manager assets, attackers have more ways to monetize: fraudulent ad spend, scam ads, or asset lockouts designed to force payment.

If you see unexpected ads, billing changes, or new admins, treat it as a business continuity incident, not just a personal account problem.

Deep playbook: Recover a Facebook Business Page or Business Manager.

After you regain access: the audits that prevent a second lockout

Most repeat incidents come from one of two problems: the attacker kept a session, or the recovery channel was not repaired. Do these audits even if the account “looks fine”.

| Surface | What to review | Why it matters | Safer end state |
| --- | --- | --- | --- |
| Sessions and devices | Unknown logins, locations, and devices | Session tokens bypass password changes | Only trusted devices remain, all others logged out |
| Recovery email and phone | Anything you did not add | Attackers retake accounts through recovery | Only your controlled email/phone are present |
| 2FA methods | Authenticator app, SMS, backup codes | Weak 2FA becomes a pivot for resets | App-based 2FA with stored backup codes |
| Connected apps | Third-party access you do not need | Persistence through OAuth connections | Minimal connections, reviewed periodically |
| Pages and ad accounts | New admins, new payment methods, unusual campaigns | Monetization is a primary motive | No unknown roles, billing locked down |

If you want a focused recovery flow that matches your current state, use Facebook account hacked: how to regain control.

Scams attackers run from hijacked Facebook accounts

Once an attacker controls a real account, the social graph becomes the asset. Common plays:

  • “Friend in trouble” cash requests: urgent money transfers or gift cards.
  • Verification-code theft: asking friends to “send a code” to help recover an account.
  • Fake Marketplace listings: collecting deposits or payment details.
  • Crypto and investment lures: using trust to move victims to WhatsApp or Telegram.

Practical response:

  • Post one clear warning telling people not to send money or codes.
  • Message close contacts through a separate channel if you can.
  • If a friend was scammed, tell them to contact their bank immediately and preserve evidence.

Do not: try to “prove” the attacker is real by continuing the conversation. The goal is to cut access and warn others, not to negotiate.

How to confirm if a Facebook security email is real

Attackers often send fake “security alert” emails. A safer approach is to verify whether Facebook actually sent it. Facebook’s Help Center describes how to check whether an email is really from Facebook: Help Center: check if an email is from Facebook.

Regardless of what the email says, do not click links to sign in. Navigate to Facebook directly, then review security settings and alerts in the app.

Rule of thumb: Verification beats detection. You do not need to “spot scams” perfectly if you always verify through known channels.
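
What “verify through known channels” looks like when applied to the email itself: the displayed From address is attacker-controlled text, while the Authentication-Results header is added by your own receiving mail server and records whether DKIM and DMARC actually passed for the claimed domain. The Python below is an added example written for this article, not code from hacked.com or from Facebook; both messages are constructed, and the trusted sender and link domains are assumptions you should confirm against the Help Center page linked above rather than take from here.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr
from urllib.parse import urlsplit

# Assumption for the example: the sender domain Facebook's Help Center tells
# you to expect. Confirm it there before relying on it.
TRUSTED_SENDER_DOMAINS = {"facebookmail.com"}
# Assumption: hosts you would reach by typing the address yourself.
TRUSTED_LINK_DOMAINS = {"facebook.com", "facebookmail.com"}


def host_in(host: str, domains: set) -> bool:
    """True if host equals one of the domains or is a subdomain of it."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


def verify_security_email(raw: str) -> dict:
    """Check a raw RFC 5322 message the way a cautious reader should.

    Three independent signals are reported: who the From header claims to be,
    what the receiving server's Authentication-Results header says about DKIM
    and DMARC for that claim, and where the body's links actually point.
    """
    msg = message_from_string(raw, policy=policy.default)
    _, from_addr = parseaddr(str(msg.get("From", "")))
    from_domain = from_addr.rsplit("@", 1)[-1].lower() if "@" in from_addr else ""

    # Authentication-Results is written by the receiving mail server, which is
    # why it outranks the sender-supplied From header for the verdict.
    auth = " ".join(str(h) for h in msg.get_all("Authentication-Results", []))
    dkim = re.search(r"\bdkim=(\w+)", auth)
    dkim_domain = re.search(r"\bheader\.d=([\w.-]+)", auth)
    dmarc = re.search(r"\bdmarc=(\w+)", auth)

    dkim_pass = bool(dkim and dkim.group(1).lower() == "pass")
    dmarc_pass = bool(dmarc and dmarc.group(1).lower() == "pass")
    # Alignment: the domain that signed the mail must be the From domain or its parent.
    aligned = bool(dkim_domain and from_domain
                   and host_in(from_domain, {dkim_domain.group(1).lower()}))

    part = msg.get_body(preferencelist=("html", "plain")) if msg.is_multipart() else msg
    body = part.get_content() if part is not None else ""
    hrefs = re.findall(r'href=["\']([^"\']+)["\']', body, flags=re.I)
    link_hosts = [(urlsplit(h).hostname or "").lower() for h in hrefs]
    suspicious_links = [h for h in link_hosts if not host_in(h, TRUSTED_LINK_DOMAINS)]

    sender_trusted = host_in(from_domain, TRUSTED_SENDER_DOMAINS)
    ok = sender_trusted and dkim_pass and dmarc_pass and aligned and not suspicious_links
    return {
        "from_domain": from_domain,
        "sender_trusted": sender_trusted,
        "dkim_pass": dkim_pass,
        "dmarc_pass": dmarc_pass,
        "aligned": aligned,
        "suspicious_links": suspicious_links,
        "verdict": "verified" if ok else "unverified: do not click, open Facebook directly",
    }


# Constructed sample: what a genuine alert tends to look like after delivery.
LEGIT_SAMPLE = """\
From: Facebook <security@facebookmail.com>
To: you@example.com
Subject: New login to Facebook from a new device
Authentication-Results: mx.example.com; dkim=pass header.d=facebookmail.com; spf=pass smtp.mailfrom=facebookmail.com; dmarc=pass header.from=facebookmail.com
Content-Type: text/html; charset="utf-8"

<p>A new login was detected. Review it at <a href="https://www.facebook.com/settings/security">your security settings</a>.</p>
"""

# Constructed sample: the From header is spoofed to the real domain, but the
# receiving server records that the signature and DMARC did not hold up.
PHISH_SAMPLE = """\
From: "Meta Support" <no-reply@facebookmail.com>
To: you@example.com
Subject: Your account will be disabled in 24 hours
Authentication-Results: mx.example.com; dkim=fail header.d=mail-sender.example; spf=softfail smtp.mailfrom=mail-sender.example; dmarc=fail header.from=facebookmail.com
Content-Type: text/html; charset="utf-8"

<p>Verify now: <a href="https://facebook.com-appeal-center.example/login">Appeal form</a></p>
"""


if __name__ == "__main__":
    for name, sample in (("legit", LEGIT_SAMPLE), ("phish", PHISH_SAMPLE)):
        print(name, verify_security_email(sample))
```

Two details carry the point of the section. The phishing sample passes the `sender_trusted` check on its own, because the From header is just text the sender typed, and it still comes out “unverified” because the authentication results and the link host disagree with that claim. And even a “verified” result changes nothing about the recommended action: the code only tells you whether the alert is worth acting on, and the action is still to open Facebook yourself and review the security settings there.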

A simple time-window hardening plan

Hardening works best when it is staged. Do the high-impact items first, then make the account boring to attack.

| When | Actions | Why it matters |
| --- | --- | --- |
| Today | Secure email, change Facebook password, log out unknown sessions, enable 2FA | Stops the most common retake paths |
| This week | Remove unused connected apps, review Pages/ad accounts, review carrier protections | Removes persistence and reduces monetization risk |
| Monthly | Review login activity and connected apps, rotate weak passwords you still reuse | Prevents slow re-compromise through drift |

If you are locked out right now

Use Facebook’s official hacked flow as the starting point: facebook.com/hacked. Facebook also has Help Center guidance on what to do if you think your account was hacked: Help Center: hacked account guidance.

If you still cannot regain access, use the structured recovery workflow in Facebook account hacked: how to regain control and keep the focus on the control plane: email access, phone number access, and ending unknown sessions.

If your account was disabled after the takeover, the recovery path is different. Use recover a disabled Facebook account after a hack.

If you are being pressured to pay a stranger to “recover” your account, pause. This is a common scam pattern. See do not hire a hacker for safer alternatives.

Most successful recoveries follow a predictable pattern: you stabilize your email and phone recovery channels first, you regain session control second, and only then do you rebuild the security baseline. If you reverse that order, you often reintroduce the attacker during cleanup.

That is also why so many people feel stuck. They keep changing passwords, but they never remove the persistence layer. Once you make the control plane trustworthy and end unknown sessions, the incident becomes smaller and recovery becomes repeatable.

After that, prevention becomes simple. Unique passwords stop credential stuffing. 2FA stops most password-only takeovers. Verification habits stop phishing. Those three together reduce both how often you get targeted and how expensive it is for an attacker to keep access.

When you treat Facebook as one account in a larger identity system, the question “why was I hacked” becomes answerable. You can trace the path, close it, and move on without guessing. That is the real win: fewer repeat incidents, faster recovery, and less fear the next time a security alert shows up.