A hacked Facebook account often becomes noticeable through unfamiliar posts or messages, or sudden problems logging in. In such cases, it’s important to secure your account immediately, change your password, and start the account recovery process.

What to do if your Facebook account has been hacked? Quick guide

  1. Check your inbox for emails from Facebook about password changes or security alerts. If you find a legitimate message about an account change, you can reverse it using the link provided in the email.
  2. You can then change your account password yourself, or, if you no longer have access, use the link in the email to undo the password change.
  3. Check if your email account is also affected by the hack and, if necessary, change the email address linked to your Facebook account.
  4. If you can no longer log in, start the recovery process at facebook.com/hacked or directly in the app via “Forgot Password?”.
  5. If you have set up trusted contacts, they might be able to help restore access, for example, by providing codes.
  6. Log into the Accounts Center, open “Password and security,” and check which devices are currently logged in and whether any unknown email addresses or phone numbers have been added.
  7. If these steps fail: Contact Facebook Support.

How do I know if my Facebook account has been hacked?

You can often recognize a compromised account by the following:

  • Posts, comments, or friend requests appear that you didn’t create yourself.
  • Your profile picture or name was changed without any action on your part.
  • You receive emails about password changes or security alerts, even though you made no changes.
  • You can no longer log in because the password or the associated email address has been changed.
  • Facebook shows logins from unknown devices or locations.

If you notice any of these warning signs, act immediately: the faster you respond, the better your chances of recovering the account. It’s also essential to change your password everywhere you’ve used it. Otherwise, attackers may quickly gain access to other services as well, and you could find that your Instagram account is hacked in addition to your Facebook account.

Common attack methods for hacking a Facebook account

There are various types of cyberattacks that hackers use to gain access to Facebook accounts. While the methods may differ, the result is usually the same: once your Facebook account is compromised, you lose access to it and can no longer log in yourself.

Phishing

In this type of attack, criminals impersonate other people or even legitimate organizations in so-called phishing emails. By building trust, they trick users into revealing sensitive information, such as Facebook login details, via links or forms. Another common tactic involves fake login pages that closely mimic the real Facebook sign-in page. Any credentials entered there are captured by the attackers. Increasingly, these messages are also being sent via SMS.

Protection measure: Always check the sender carefully and verify the URL before clicking on links or entering login details.

Keylogging

Programs that record users’ keyboard inputs and save them in a file are known as keyloggers. Malicious keylogging software, often hidden unnoticed in email attachments, forwards this file directly to the hacker. This way, the hacker gains access to all inputs made, which can also include logins.

Protection measure: Use antivirus software, conduct regular scans, and do not open suspicious files.

Session hijacking

The aim of session hijacking is to intercept cookies that contain sensitive data. To do this, attackers monitor the connection between the user and the server and exploit weaknesses in unsecured networks. One well-known example of this type of attack is the Firefox extension Firesheep, which was often used in public, unsecured Wi-Fi networks to capture active login sessions.

Protection measure: Never log in over public hotspots and use encrypted connections (HTTPS).

Malicious QR codes

QR codes are increasingly being misused to direct users to phishing websites or to install malware without their knowledge. They often appear on fake giveaway pages or altered flyers. You may also see stickers in public places that look like ads for Spotify artists or similar content, but actually redirect to unsafe websites.

Protection measure: Always check where a QR code actually leads before opening it. Only scan the code if you trust the source or absolutely need to.
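
What “verify the URL” means in practice, for a link from an email or SMS or for the address decoded from a QR code, shown as an added example that is not part of the original article. The list of trusted domains is an assumption (facebook.com is the domain this article itself links to), and the sample links are constructed.

```javascript
// Added example: decide whether a link really points at the service it claims to.
// TRUSTED_DOMAINS is an assumption for this sketch; adjust it to the sites you use.
const TRUSTED_DOMAINS = ["facebook.com"];

function checkLink(raw) {
  let url;
  try {
    url = new URL(raw.trim());
  } catch {
    return { ok: false, host: null, reason: "not a valid URL" };
  }
  // The URL parser lowercases the host; drop a trailing dot before comparing.
  const host = url.hostname.replace(/\.$/, "");
  if (url.protocol !== "https:") {
    return { ok: false, host, reason: "not an HTTPS link" };
  }
  // Text before "@" is login info, not the site: the real host comes after it.
  if (url.username || url.password) {
    return { ok: false, host, reason: "name before @ is not the host" };
  }
  // Exact match or a true subdomain. The leading dot matters: without it any
  // host that merely ends in the same letters would pass.
  const trusted = TRUSTED_DOMAINS.some((d) => host === d || host.endsWith("." + d));
  if (!trusted) {
    return { ok: false, host, reason: "host is not a trusted domain" };
  }
  return { ok: true, host, reason: "trusted domain over HTTPS" };
}

// Constructed sample links (example.* hosts are placeholders).
const SAMPLES = [
  "https://www.facebook.com/hacked",
  "http://www.facebook.com/login",
  "https://facebook.com.account-check.example/login",
  "https://facebook.com@login.example/recover",
  "qr-code-text-without-a-link",
];

function report() {
  return SAMPLES.map((s) => ({ link: s, ...checkLink(s) }));
}

for (const r of report()) {
  console.log(r.ok ? "OK  " : "STOP", r.host ?? "-", "|", r.reason);
}
```

The host is read from the right: in the third sample the registered domain is `account-check.example`, and the familiar name in front of it is only a subdomain label.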

How to regain control of your Facebook account

If you suspect that your account has been compromised, the next step mainly depends on whether you still have access to the account or not.

You can still access your Facebook account

If you can still access your Facebook account, the email address and your password haven’t been changed yet. You should act immediately before the hacker makes further changes:

  1. Change password: Go to “Settings” → “Security and Login” → “Change Password”. Use a new, strong password that you do not use anywhere else.
  2. Check login activity: Under “Where you’re logged in,” you can see all active sessions. Immediately end any suspicious logins.
  3. Check email addresses and phone numbers: Remove unknown contacts under “Settings” → “General” → “Contact Information”.
  4. Enable two-factor authentication (2FA): This prevents someone from logging in again without your consent.
  5. Facebook may automatically prompt you to secure your account with “Meta Protect.” Follow the steps to put your account in a safe mode and confirm your identity.

You can no longer access your Facebook account

If you can no longer log in, start the recovery process via the Facebook Help page:

  1. Check email: Facebook may send you a message with a link to reset your password. Use it if it’s genuine.
  2. Use “Forgot Password?”: Enter the email address or phone number registered with Facebook.
  3. In-app verification & Meta Protect: If Meta Protect is active, your account will be placed in protection mode. You will then be guided through in-app verification for identity confirmation, such as via a security code, a selfie video, or confirming a known device. Once your identity is verified, you’ll regain access to your account and can reset the password.
  4. Trusted contacts: If your email account has also been hacked, you can use the “Trusted Contacts” you may have previously set up to recover your account via security codes.
  5. Contact support: If all else fails, use the specially designed form on the Facebook page or the help options from Meta Support.

How to secure your Facebook account

In recent years, Meta has increasingly unified its platforms at a technical level. Facebook, Instagram, Threads, and Messenger are now connected through the Meta Accounts Center, a central hub for all accounts linked to a single Meta login. It brings together not only profile and privacy settings, but also key security and account recovery features in one place.

In the Accounts Center, you can take the following steps, among others:

  • Manage your linked accounts (Facebook, Instagram, Threads, Messenger)
  • Enable or disconnect login using a single Meta profile
  • Centrally manage all security and login options
  • Remove suspicious devices and browsers from the session list
  • Enable Meta Protect to monitor the account and receive automatic alerts

The most important section here is the “Password and security” menu. This is where all protection functions are brought together.

Setting up two-factor authentication (2FA)

Two-factor authentication adds a second, dynamic layer of protection to your password. Even if an attacker knows your password, access remains blocked without the second factor.

Within the Accounts Center, you can enable multiple two-factor authentication (2FA) options:

  • SMS code: A six-digit code sent to your phone each time you sign in.
  • Authenticator app: Generates one-time codes independently of the mobile network and is the recommended option.
  • Security codes: Backup codes you can store safely and use to regain access if your device is unavailable.

Facebook and Instagram also display which devices are marked as trusted, meaning they won’t require an additional verification code after setup.

Adding security keys

For particularly sensitive accounts, such as those of businesses, creators, or public figures, Meta offers the use of security keys. These are physical devices (e.g., YubiKey, Titan Key) that connect via USB, NFC, or Bluetooth. Facebook allows the login only after this key has been physically confirmed. This has several advantages:

  • Codes cannot be intercepted or copied.
  • The login remains secure even if a phishing attempt succeeds, since the key is bound to the Meta domain.
  • Especially suitable for frequently used accounts as well as admins of pages and business accounts.

Protecting your account with passkeys

Starting in 2024, Meta has been gradually rolling out passkeys, a modern, password-free sign-in method already supported by Google and Apple. A passkey is a cryptographic credential that is stored locally on your device. When you log in, authentication happens via biometric methods such as a fingerprint or Face ID, or through your device PIN.

How passkeys work:

  • During setup, a unique key pair is created consisting of a public and a private key.
  • Only the public key is shared with Meta.
  • When signing in, your identity is verified locally on your device.
  • Meta validates the cryptographic signature without ever receiving or storing a password.
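
The key-pair flow in the list above, together with the domain binding that protects security keys against phishing, shown as an added Node.js example that is not Meta’s code. It is a simplified model rather than the real WebAuthn message format, and the origin value and function names are assumptions.

```javascript
// Added example: simplified passkey model, not the real WebAuthn wire format.
const crypto = require("crypto");

const SERVICE_ORIGIN = "https://www.facebook.com"; // assumed origin for the sketch

// Setup: the device creates a key pair and shares only the public key.
function registerPasskey() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync("ec", {
    namedCurve: "prime256v1", // NIST P-256
  });
  return { device: { privateKey }, server: { publicKey } };
}

// Device side: after local unlock (fingerprint, Face ID, PIN) sign the server's
// challenge together with the origin the browser is actually talking to.
function deviceSign(device, challenge, originSeen) {
  const clientData = JSON.stringify({ challenge: challenge.toString("hex"), origin: originSeen });
  const signature = crypto.sign("sha256", Buffer.from(clientData), device.privateKey);
  return { clientData, signature };
}

// Server side: check origin, freshness and signature. No password is involved.
function serverVerify(server, challenge, response) {
  const data = JSON.parse(response.clientData);
  if (data.origin !== SERVICE_ORIGIN) return "rejected: wrong origin";
  if (data.challenge !== challenge.toString("hex")) return "rejected: stale challenge";
  const valid = crypto.verify("sha256", Buffer.from(response.clientData),
    server.publicKey, response.signature);
  return valid ? "accepted" : "rejected: bad signature";
}

function demo() {
  const { device, server } = registerPasskey();
  const challenge = crypto.randomBytes(32);
  const genuine = deviceSign(device, challenge, SERVICE_ORIGIN);
  // Constructed lookalike origin: what the device would sign on a phishing page.
  const phished = deviceSign(device, challenge, "https://facebook.login.example");
  const stranger = registerPasskey().device; // someone without the private key
  return {
    genuine: serverVerify(server, challenge, genuine),
    phished: serverVerify(server, challenge, phished),
    replayed: serverVerify(server, crypto.randomBytes(32), genuine),
    wrongKey: serverVerify(server, challenge, deviceSign(stranger, challenge, SERVICE_ORIGIN)),
  };
}

console.log(demo());
```

Because the signed data names the origin and a one-time challenge, a response collected on a lookalike page or captured earlier is useless to whoever holds it, which is the property a typed password or SMS code lacks.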

Passkeys are now being rolled out for Facebook on mobile devices and are expected to become available across more Meta apps as the feature expands.
