  • What does it mean when your Facebook account has been hacked?
  • How to tell if your Facebook account has been hacked
  • What to do if you still have access to your Facebook account
  • How to recover your Facebook account if you’ve been locked out
  • Report a hacked Facebook account after recovering your account
  • Can I recover a Facebook business page that was hacked?
  • How to keep your Facebook account secure
  • FAQ: Common questions about recovering a hacked Facebook account

How to recover a hacked Facebook account

Tips & tricks, 30.09.2025, 19 mins

Written by Christopher Owolabi. Reviewed by Hazel Shaw. Edited by Kate Davidson.

Cybercriminals may hack your Facebook account to scam your friends and contacts, spread spam, or steal your personal information. The good news is that you may be able to get the hacked account back, but the exact process will depend on how far the hack has advanced.

This article will show you how to tell if your Facebook account has been hacked, what to do if you still have access or if you’ve been locked out of Facebook, and how to keep yourself safe from future occurrences.

What does it mean when your Facebook account has been hacked?

Your Facebook account has been hacked when someone gains unauthorized access to your Facebook profile or page using your login credentials. Once inside your account, a cybercriminal can see important details such as your date of birth, email address, phone number, sensitive private messages, and even limited payment information like your billing address or the last four digits of any payment card you may have stored on Facebook.

Scammers and cybercriminals may contact you to negotiate a fee for getting your account back, and they may leverage sensitive information found in your Facebook account (such as intimate photos in your private messages) to convince you to pay up. However, paying doesn’t guarantee that you’ll get your account back, so it’s best to try other methods.

If your Facebook account ever gets hacked, the first thing to remember is to stay calm. It might be a frustrating experience, but approaching it with a clear mind will give you a better chance of success in recovering the account.

How to tell if your Facebook account has been hacked

The signs below are indicators that your Facebook account might be hacked:

  • You can’t log into your account using your current email or phone number and password combination.
  • You find posts, direct messages, comments, friend requests, and other activity you didn’t authorize coming from your account.
  • Friends and family contact you (outside of Facebook) about strange messages you’re sending them or other account updates (reels, posts, etc.).
  • You find unfamiliar devices listed in your Facebook “Where you’re logged in” section.
  • You get a password reset email without requesting a password change.
  • There are unauthorized changes to your Facebook profile information (such as extra email addresses, phone numbers, etc.).

You’re unlikely to experience all of these signs all at once, so stay on the lookout for any one of them. Just one is enough to indicate that an unauthorized user has access to your account, which should prompt you to take immediate action.

What to do if you still have access to your Facebook account

You may still have access to a compromised Facebook account if the unauthorized user hasn’t changed your login credentials. In this case, act fast by following the steps below before the attacker changes your credentials or adds their own multi-factor authentication to lock you out.

Step 1: Change your password immediately

Generate a random and secure password that you won’t use anywhere else. A cybercriminal may find a weaker or reused password easier to guess (or brute force), and they may just breach your account again.

Here’s how to change your password on Facebook:

  1. Log into your Facebook account.
  2. Click the account icon in the top right corner, then Settings & privacy.
    Facebook account home page with profile icon and settings tab highlighted.
  3. Click Settings.
    Facebook account settings tab with the Settings option highlighted.
  4. Click See more in Accounts Center.
    Facebook Meta Accounts Center console.
  5. Click Password and security.
    The Password and security option highlighted under Meta Accounts Center settings.
  6. Click Change password.
    Password and security settings with Change password highlighted.
  7. Click the account for which you’d like to change your password.
    Choosing a Facebook account for password setup.
  8. Enter your current password.
    Facebook password change page.
  9. Then, enter your new password twice and tick the box to log out of all other sessions. This will sign your account out of every device currently logged in, including any used by the unauthorized person.
  10. Click Change password to complete the process.

You should also change the compromised Facebook password on any other account where you’ve reused it. This prevents credential stuffing attacks, in which scammers try the leaked email-and-password combination on other sites to break into more of your online accounts.

Step 2: Check where you’re logged in

Facebook allows you to see other devices where your account is logged in. You can find this information by going to your Accounts Center > Password and security (following steps 1–5 above), then:

  1. Click Where you’re logged in under Security checks.
    Facebook account security checks with logged-in session indicator highlighted.
  2. Choose the Facebook account you want to check. If you have multiple accounts in this Accounts Center, you’ll need to repeat the steps below for each account.
    Facebook account selection screen to check logged in devices.
  3. Review the listed devices to identify any that you don’t recognize.
    Facebook active sessions page.
  4. Scroll to the bottom of the list to click Select devices to log out.
    Facebook active sessions page with option to bulk select devices to log out visible.
  5. Select devices you don’t recognize, and click Log out to end your sessions on those devices.
    Facebook logged in devices selection screen.
  6. Confirm your choice by clicking Log out on the pop-up prompt.
    Facebook bulk session logout confirmation screen.

Step 3: Review your posts and messages for unauthorized activity

Cybercriminals could have impersonated you and sent spam, malware links, or phishing messages to your contacts. They might also have modified your account info, like adding a phone number or email to regain access. Here’s how to clean things up:

  • Direct messages: Let anyone who received strange messages from your account know about the breach and tell them not to click any links or open attachments.
  • Profile details: Check your account settings to make sure no unfamiliar phone numbers, emails, or recovery options have been added.
  • Your posts/page: Look over recent posts or page updates. Remove or hide any you didn't create.
  • Activity timeline: Check recent likes, comments, follows, or other activity you didn’t perform. You might not always be able to delete everything, but you can often hide or reverse it.

You should also check for any unauthorized purchases in Meta Pay and change your payment details as necessary.

Step 4: Report the incident to Facebook

Even after changing your password and removing unknown devices, you should still report the incident to Facebook. Besides simply notifying Facebook, a report prompts the social media platform to scan your account for recent changes.

The steps for reporting an account hack to Facebook are covered in the “Report a hacked Facebook account after recovering your account” section below.

How to recover your Facebook account if you’ve been locked out

Cybercriminals may change your Facebook account login details once they gain access to your account, and they may even add their own two-factor authentication (2FA) method. This can lock you out of your Facebook account and frustrate recovery efforts, but it doesn’t make recovery impossible.

Follow the steps below to recover your Facebook account if you no longer have access.

Step 1: Try using your original login device

Try opening your Facebook account from devices (smartphones or computers) on which you’re usually logged in, as the unauthorized user might not have logged you out of all active sessions yet. If you can still access the account on one of your devices, you can remove the 2FA and restore the account login to your own email and phone number.

Otherwise, keep reading for further steps.

Step 2: Set up new login credentials

If the scammer or cybercriminal has only changed your account password, you should be able to regain access and lock them out by setting up new login credentials.

All you have to do is visit Facebook to request a password change:

  1. Go to Facebook.
  2. Click Forgot password.
    Facebook login page with the password reset option highlighted.
  3. Enter the email address or phone number associated with your account.
    Facebook account search page using email address or phone number.
  4. You may be offered new ways to log into your account (such as via your Google account, if enabled), or you’ll get a password reset link at your account email or phone number.
  5. Follow the rest of the prompts to reset your password.

For this to work, though, you need to be confident that your email hasn’t been compromised too. Otherwise, the cybercriminal may see the password change request and intercept it or use other tactics (such as adding 2FA to your Facebook account) to frustrate your account recovery attempts.

Step 3: Use Facebook’s recovery process

Facebook’s support recovery process is set up to help you recover your account in cases where you can no longer log in. However, the process can be somewhat frustrating. You must have access to one of your 2FA methods (like your email account or phone number) and a device on which you’ve logged into Facebook before. This is by design, since scammers could also use this approach to steal Facebook accounts from legitimate owners if it were easier.

Here’s what to do:

  1. Visit www.facebook.com/hacked.
  2. Enter an email or phone number associated with the account. If the threat actor has changed these, you can enter a backup email (Facebook allows you to add more than one email address to your account, which the hacker may not have remembered to remove) or your Facebook username.
    Facebook hacked account search page using email address or phone number.
  3. You’ll see your account (even if details such as the name and profile photo have been changed). Click Recover.
    Facebook confirming which hacked account to recover.
  4. Choose your desired recovery option from the list and click Continue. You’ll receive a code via your chosen email, phone number, or WhatsApp account.
    Recovery code selection screen in Facebook.
  5. Enter the code you received and select Continue.
    Screen for entering your recovery code in Facebook.
  6. You’ll then be offered the option to change your password, and from here you should be able to recover your account.
    Password change screen in Facebook.

Report a hacked Facebook account after recovering your account

Once you’ve regained access to your account, it’s a good idea to report the hack and secure your account immediately.

  1. Go to www.facebook.com/hacked.
  2. Choose an option that describes why you believe your account has been hacked, and click Continue.
    Facebook hack reporting page with options to indicate hack suspicions.
  3. Click Get Started on the next page.
    Facebook health scan message to secure your account after a possible hack.
  4. Facebook will check your personal information (such as name, email, connected apps, and birthday) to find recent changes to your account.
  5. If it finds any changes, it informs you of what they are. Click Continue to secure your account.
    Facebook report showing recent changes to a Facebook account.
  6. Follow the rest of the prompts, such as changing your password and reviewing your latest activity.

When to report to Facebook

It’s best to report to Facebook the moment you believe someone else has access to your account. Even if you’ve changed your login information (such as your password), informing Facebook via its dedicated page may help you find other changes the unauthorized user might have made.

What happens after you report

Once you’ve reported a hack to Facebook, it scans your account to check for recent changes. This may include password changes, the addition of extra contact details, or authorization of some connected apps.

This is handy, as you may miss one or more of these if you were checking by yourself. Once the scan is done, Facebook prompts you to make security changes to your account. Depending on your specific situation, this may include changing your password and adding 2FA to your account.

How long recovery typically takes

Recovering a Facebook account can take anywhere from a few minutes to weeks (or even months), depending on the severity of the hack, how long it took you to discover it, and what personal information the scammer or cybercriminal has already changed.

For context, you may be quickly alerted to someone posing as you to send spam Facebook messages by concerned family and friends. If this person has yet to change your password, you can kick them out in minutes by changing your login information and logging out of sessions on unknown devices.

However, if the unauthorized user has already changed your login information (email and password) and added their own 2FA, it may take much longer to get your account back. It might get even worse if they change your account name completely, too, making it harder to find your Facebook account to begin the recovery process in the first place.

Can I recover a Facebook business page that was hacked?

You can recover a hacked Facebook business page if you act fast enough, but this may not be possible in all cases.

Oftentimes, a Facebook business page hack means that at least one Facebook account linked to that page has also been compromised. So, one of the best and fastest ways to regain access to a hacked Facebook page is to recover the linked Facebook account.

You can also recover your Facebook page by asking someone who has admin access to restore your admin privileges, after which you can kick out the unauthorized user.

If none of these approaches work, it’s time to file a report with Facebook:

  1. Log into your Facebook account.
  2. Go to Facebook’s dedicated help page for page access issues.
  3. Select the page(s) you’ve lost access to.
    Facebook's support page for page admins who have been locked out of their pages.
  4. Click Send. Facebook will then review your request.

How to keep your Facebook account secure

You shouldn’t wait until your Facebook account is breached before taking extra steps to secure it. And if you’ve been a victim of a Facebook account hack in the past, these measures can help you prevent a repeat occurrence.

Step 1: Use a strong, unique password

You should always set strong and unique passwords for your Facebook and all associated accounts. When choosing a password, never use personal details (such as your name, date of birth, favorite pet, mother’s maiden name, etc.). Doing so makes life easier for any cybercriminals trying to hack your account.

Instead, you can use a free online password generator to come up with a random, complex password. You can also use a good password manager like ExpressVPN Keys to store your logins securely and sync them across your devices.

Step 2: Enable two-factor authentication (2FA)

With two-factor authentication (2FA) enabled, your password alone is no longer enough to log into your Facebook account: the scammer or cybercriminal will also need an extra login factor (such as a one-time password or code).

Facebook offers various 2FA options, which you can set up by following the steps below:

  1. Log into your Facebook account and go to your account settings dashboard. Then, click Meta’s Account Center and go to Password and security.
    Password and security settings highlighted in Meta Accounts Center on Facebook.
  2. Click Two-factor authentication.
  3. Choose the account for which you want to set up 2FA. If you have multiple accounts, you can repeat the process for each one.
    Choosing a Facebook account for password setup.
  4. You may be prompted to confirm your identity (usually via a code sent to your primary email address or phone number). Do so and continue.
  5. You may also be prompted to re-enter your password. Do so and continue.
  6. Choose a preferred 2FA method.
    Facebook 2FA options.
  7. Follow the rest of the on-screen prompts to finish setting up your 2FA.

Any 2FA is better than no 2FA, but some methods are weaker than others. For example, 2FA via SMS can be undermined by SIM swapping attacks, in which a scammer takes over your phone number and receives your codes.

Authenticator apps are a better option since the confirmation codes are generated on-device. Also, authentication apps aren’t carrier-dependent, so you can keep using them while traveling, unlike SMS.

ExpressVPN Keys supports 2FA via authentication codes, so you can set the password manager up with Facebook to improve your account security against cybercriminals.

Step 3: Remove unused third-party app connections

Some third-party apps require integration with your Facebook account for a seamless login process or to deliver other types of personalized experiences.

However, you may no longer use some of these apps, and keeping them connected only widens your attack surface. If a cybercriminal breaches one of those connected apps, they may obtain the personal account information you’ve shared with it, such as your email address, full date of birth, and home address.

Here’s how to remove unwanted third-party app connections:

  1. Go to your Facebook security settings dashboard, and click Apps and websites.
    Facebook settings with Apps and websites option highlighted.
  2. Review connected apps and remove those you no longer need.
    Facebook connected apps page showing the remove button.

Step 4: Set up login alerts

Login alerts instantly let you know when someone accesses your Facebook account. If it’s a login you didn’t authorize, then you know that a cybercriminal may be at work, and you can quickly change your credentials.

Here’s how to set up login alerts:

  1. Go to your Facebook Account Center and click Password and security.
  2. Click Login alerts.
    Facebook settings page with Login alerts highlighted.
  3. Click the account for which you’d like to set up login alerts, and choose the type of login alerts you want to receive.
    Facebook login alert types.
  4. Follow the rest of the on-page prompts, if any, to confirm your selections.

Once enabled, you can test this setup by logging into your account from another trusted device or from your browser’s incognito mode. If you get an instant notification, then the login alert setup works.

Step 5: Limit visibility of personal info

You should limit the kind of personal information you share publicly on social media or even privately in messages. Information like your email, phone number, home address, and other personal data can be used to steal your account, because a scammer or cybercriminal with this information may be able to convince Facebook support that they’re you.

So, practice general social media privacy hygiene by not posting personal data online, and consider restricting who views your posts to family and friends only. Even then, you should be careful, as a breached account in your social circle exposes your personal data to cybercriminals.

If you’ve been a victim of a hack or you want to be extra secure, consider identity theft monitoring services. ExpressVPN’s Identity Defender (available for U.S. users) features ID Alerts, which scan the dark web to instantly notify you of personal data leaks (including emails and passwords), and a data broker removal tool to remove sensitive personal data from the web.

Step 6: Remove saved payment methods

The good news is that Facebook securely stores your payment information (such as credit card numbers), so cybercriminals can’t get that information from your account. The bad news is that scammers and cybercriminals can still make fraudulent purchases or buy and run ads using your saved payment information.

But why would anyone break into your account just to run ads?

  • They don’t want to spend their own money on the ads.
  • Running ads (mostly phishing-related or scams) from an established account like yours would most likely pass Facebook spam checks, compared to a new account.
  • They can reach a wider audience and a new demographic from your account, starting from your social circle.

You can remove your saved payment details by going through your Facebook account settings to Accounts Center > Meta Pay > Payment methods.

Step 7: Add a backup email address

A backup email address could be your saving grace in an account takeover attempt where someone changes your primary login email address but forgets to disable your backup email.

Here’s how to add one to your Facebook account:

  1. Go to your Accounts Center in Facebook settings, and click Personal details.
    Personal details highlighted in Meta account settings via the Facebook settings dashboard.
  2. Click Contact info.
    Contact info highlighted in Facebook settings.
  3. Click Add new contact > Add email.
    Facebook contact information update page.
  4. Enter the backup email address, and choose the Facebook account to which you’d like to add the backup email.
    Adding a backup email address to Facebook.
  5. Click Next to confirm the change.
  6. You’ll be prompted to enter a confirmation code sent to the backup email address. Do so, then click Next to finalize the process.
    Facebook confirmation code screen to add new email address.

The backup email address will now be added to your account.

FAQ: Common questions about recovering a hacked Facebook account

Can I get my account back after it has been hacked?

You may be able to get your Facebook account back after it has been hacked, depending on how far advanced the hack was before you noticed it and how fast you take action. That’s why you should immediately try to change your passwords, remove any strange contact information added to your account, enable 2FA, and report the account hack to Facebook.

What’s the first thing I should do after a hack?

The first thing to do after a Facebook account hack is to confirm whether you still have access to the account. If so, change your account passwords, remove unrecognized contact information, and revoke admin rights for any unknown users on your Facebook pages (if applicable). Then, report the account hack to Facebook to start the account recovery process.

Can I recover my account without my phone or email?

You may be unable to recover your Facebook account if you no longer have access to the most recent phone number or email address you have on file. That’s because Facebook will have to verify that you’re the true account owner by using details like your contact information.

How long does Facebook take to recover a hacked account?

There’s no definite timeline for how long Facebook takes to recover an account, as the process will vary depending on the circumstances. It’s also important to know that there’s no guarantee the account recovery will be successful. You can maximize the chance of success by acting quickly.

Can Facebook help me get back into my account?

Facebook may be able to help you get back into your hacked account if you can prove that the account truly belongs to you. However, this process may be time-consuming, as Facebook collects and analyzes a range of information to verify that you’re the original account owner.

Christopher Owolabi

Owolabi Christopher is a tech writer at ExpressVPN with over seven years of experience covering cybersecurity topics like VPNs, password managers, and antivirus software. With a background in engineering, he brings a deep understanding of technology to every piece. His hands-on approach to testing software ensures reliable, practical insights for readers. Outside of writing, Christopher enjoys watching Formula 1 races and is always eager to learn something new.
