A hacked Facebook account often becomes noticeable through unfamiliar posts or messages, or sudden problems logging in. In such cases, it’s important to secure your account immediately, change your password, and start the account recovery process.

What to do if your Facebook account has been hacked? Quick guide

  1. Check your inbox for emails from Facebook about password changes or security alerts. If you find a legitimate message about an account change, you can reverse it using the link provided in the email.
  2. You can then change your account password yourself, or, if you no longer have access, use the link in the email to undo the password change.
  3. Check if your email account is also affected by the hack and, if necessary, change the email address linked to your Facebook account.
  4. If you can no longer log in, start the recovery process at facebook.com/hacked or directly in the app via ‘Forgot Password?’.
  5. If you have set up trusted contacts, they might be able to help restore access, for example, by providing codes.
  6. Log into the Accounts Center, open ‘Password and security’, and check which devices are currently logged in and whether any unknown email addresses or phone numbers have been added.
  7. If these steps fail: Contact Facebook Support.

How do I know if my Facebook account has been hacked?

You can often recognise a compromised account by the following:

  • Posts, comments, or friend requests appear that you didn’t create yourself.
  • Your profile picture or name was changed without any action on your part.
  • You receive emails about password changes or security alerts, even though you made no changes.
  • You can no longer log in because the password or the associated email address has been changed.
  • Facebook shows logins from unknown devices or locations.

If you notice any of these warning signs, act immediately—the faster you respond, the better your chances of recovering the account. It’s also essential to change your password on every other service where you have reused it. Otherwise, attackers can quickly take over those accounts as well, and you could find that your Instagram account is hacked in addition to your Facebook account.

Common attack methods for hacking a Facebook account

Hackers use various types of cyberattacks to gain access to Facebook accounts. While the methods differ, the outcome is usually the same: once your Facebook account is compromised, you lose control of it and can no longer log in yourself.

Phishing

In this type of attack, criminals impersonate other people or even legitimate organisations in so-called phishing emails. By building trust, they trick users into revealing sensitive information via links or forms, such as Facebook login details. Another common tactic involves fake login pages that closely mimic the real Facebook sign-in page. Any credentials entered there are captured by the attackers. Increasingly, these messages are also being sent via SMS.

Protection measure: Always check the sender carefully and verify the URL before clicking on links or entering login details.

Keylogging

Keyloggers are programs that record a user’s keystrokes and save them to a file. Malicious keyloggers are often hidden in email attachments and installed without the user noticing; the recorded file is then forwarded directly to the attacker. In this way the attacker obtains everything that was typed, which can include login details.

Protection measure: Use antivirus software, conduct regular scans, and do not open suspicious files.

Session hijacking

The aim of session hijacking is to intercept the session cookies that identify a logged-in user to the server. To do this, attackers monitor the connection between the user and the server and exploit weaknesses in unsecured networks. One well-known example of this type of attack is the Firefox extension Firesheep, which was often used in public, unsecured Wi-Fi networks to capture active login sessions.

Protection measure: Never log in over public hotspots and use encrypted connections (HTTPS). Facebook now serves all pages over HTTPS, which is what stopped Firesheep-style attacks against it; the risk remains on sites that still allow unencrypted sessions.

Malicious QR codes

QR codes are increasingly being misused to direct users to phishing websites or to install malware without their knowledge. They often appear on fake giveaway pages or altered flyers. You may also see stickers in public places that look like ads for Spotify artists or similar content, but actually redirect to unsafe websites.

Protection measure: Always check where a QR code actually leads before opening it; most phone cameras show a preview of the URL. Only scan the code if you trust the source or absolutely need to.

How to regain control of your Facebook account

If you suspect that your account has been compromised, the next step mainly depends on whether you still have access to the account or not.

You can still access your Facebook account

If you can still access your Facebook account, the email address and your password haven’t been changed yet. You should act immediately before the hacker makes further changes:

  1. Change password: Go to ‘Settings’ → ‘Security and Login’ → ‘Change Password’. Use a new, strong password that you do not use anywhere else.
  2. Check login activity: Under ‘Where you’re logged in’, you can see all active sessions. Immediately end any suspicious logins.
  3. Check email addresses and phone numbers: Remove unknown contacts under ‘Settings’ → ‘General’ → ‘Contact Information’.
  4. Enable two-factor authentication (2FA): This prevents someone who knows your password from logging in again without the second factor.
  5. Facebook may automatically prompt you to secure your account with ‘Meta Protect’. Follow the steps to put your account in a safe mode and confirm your identity.

You can no longer access your Facebook account

If you can no longer log in, start the recovery process via the Facebook Help page:

  1. Check email: Facebook may send you a message with a link to reset your password. Use it if it’s genuine.
  2. Use ‘Forgot Password?’: Enter the email address or phone number registered with Facebook.
  3. In-app verification & Meta Protect: If Meta Protect is active, your account will be placed in protection mode. You will then be guided through in-app verification for identity confirmation—such as via a security code, a selfie video, or confirming a known device. Once your identity is verified, you’ll regain access to your account and can reset the password.
  4. Trusted contacts: If your email account has also been hacked, you can use the ‘Trusted Contacts’ you may have previously set up to recover your account via security codes.
  5. Contact support: If all else fails, use the specially designed form on the Facebook page or the help options from Meta Support.

How to secure your Facebook account

In recent years, Meta has increasingly unified its platforms at a technical level. Facebook, Instagram, Threads, and Messenger are now connected through the Meta Accounts Center, a central hub for all accounts linked to a single Meta login. It brings together not only profile and privacy settings, but also key security and account recovery features in one place.

In the Accounts Center, you can take the following steps, among others:

  • Manage your linked accounts (Facebook, Instagram, Threads, Messenger)
  • Enable or disconnect login using a single Meta profile
  • Centrally manage all security and login options
  • Remove suspicious devices and browsers from the session list
  • Enable Meta Protect to monitor the account and receive automatic alerts

The most important section here is the ‘Password and security’ menu. This is where all protection functions are brought together.

Setting up two-factor authentication (2FA)

Two-factor authentication adds a second, dynamic layer of protection on top of your password. Even if an attacker knows your password, access remains blocked without the second factor.

Within the Accounts Center, you can enable multiple two-factor authentication (2FA) options:

  • SMS code: A six-digit code sent to your phone each time you sign in.
  • Authenticator app: Generates one-time codes independently of the mobile network and is the recommended option.
  • Security codes: Backup codes you can store safely and use to regain access if your device is unavailable.

Facebook and Instagram also display which devices are marked as trusted, meaning they won’t require an additional verification code after setup.

Adding security keys

For particularly sensitive accounts, such as those of businesses, creators, or public figures, Meta offers the use of security keys. These are physical security keys (e.g., YubiKey, Titan Key) that connect via USB, NFC, or Bluetooth. Only after this key is physically confirmed does Facebook allow login. This has several advantages:

  • There is no code to intercept or copy: the key answers a cryptographic challenge instead.
  • Remains secure even if you are lured to a phishing page, since the key only responds to the genuine Meta domain.
  • Especially suitable for frequently used accounts as well as admins of pages and business accounts.

Protecting your account with passkeys

Starting in 2024, Meta has been gradually rolling out passkeys — a modern, password-free sign-in method already supported by Google and Apple. A passkey is a cryptographic credential that is stored locally on your device. When you log in, authentication happens via biometric methods such as a fingerprint or Face ID, or through your device PIN.

How passkeys work:

  • During setup, a unique key pair is created consisting of a public and a private key.
  • Only the public key is shared with Meta.
  • When signing in, your identity is verified locally on your device (fingerprint, Face ID, or PIN), which unlocks the private key to sign a challenge from Meta.
  • Meta validates the cryptographic signature without ever receiving or storing a password.

Passkeys are now being rolled out for Facebook on mobile devices and are expected to become available across more Meta apps as the feature expands.
