A person securing a social media account with a lock icon

Someone Accessed My Facebook: Your Emergency Action Plan

September 22, 2025

It’s a deeply unsettling moment: you notice a post you didn’t write, messages you didn’t send, or you’re suddenly logged out. Even if the “damage” looks small, treat it like a real security incident. Social accounts are identity. Attackers use them to scam your friends, steal other accounts, and lock you out.

This guide is designed for action, not panic. Move through it in order. The first 15 minutes matter most.

If you can’t log in right now

Start with the official recovery flow: facebook.com/hacked. Use a browser (not a random link from email or SMS) and follow the prompts.

Step 1: Regain access (fast)

Your goal is simple: get back into the account and force a logout on every other device.

  1. Go directly to facebook.com/hacked.

  2. If it asks you to review recent activity, take your time. If it offers a “secure account” flow, complete it.

  3. Change your password to something unique and long.

  4. Once you are in, immediately review where you are logged in and sign out of everything you don’t recognize.

Do not rely on “I changed my password, I’m done.”

Many account takeovers persist through recovery email changes, phone number changes, connected apps, or a compromised email inbox. You want to remove every alternate path back in.

Step 2: Check for recovery takeover (email + phone)

Attackers love a quiet win: they add their email or phone as recovery, then come back later.

In Facebook’s Accounts Center (or Settings), look for:

  • Recovery email: confirm it is yours.
  • Recovery phone number: confirm it is yours.
  • Any unfamiliar contact details: remove them.

If you see a new email you do not recognize, treat this as an urgent escalation: your attacker is trying to make the takeover permanent.

Step 3: Enable 2FA the right way

Two‑factor authentication (2FA) is how you stop “password-only” attacks from repeating.

Preferred options, in order:

  1. Authentication app (strong default)
  2. Security key (best if you can use it)
  3. SMS (better than nothing, but not the strongest)

After enabling 2FA:

  • Save your recovery codes somewhere safe.
  • Make sure you still have access to the 2FA method (for example, the authenticator app on your current phone).

Step 4: Review “Where you’re logged in” and active sessions

Go to the “Where you’re logged in” section and look for:

  • Devices you don’t recognize
  • Locations you weren’t in
  • Browsers you don’t use

Sign out of everything suspicious. If Facebook offers “log out of all devices,” use it.

This step matters because some attackers keep a session alive for weeks. Even after a password change, an existing session can sometimes remain active.

Step 5: Remove persistence (connected apps and business access)

Account takeovers often involve “persistence” via connected apps or page/business roles.

Check these areas:

  1. Apps and websites
  • Remove any app you don’t recognize.
  • Remove anything you don’t use anymore.
  2. Pages you manage / Business assets
  • If you manage a Page, check roles/admins.
  • Remove unknown admins.
  • Review any changes to ad accounts, payment methods, or business settings.

Even if you “just use Facebook socially,” it is worth checking: attackers sometimes add ad spend or set up scams using your identity.

Step 6: Inspect what the attacker did (posts, messages, profile changes)

Now that you’ve closed the doors, review the timeline and message inbox.

Look for:

  • Messages sent to friends asking for money
  • Unfamiliar posts, stories, or links
  • Profile changes (name, birthday, profile picture)
  • New groups joined or pages followed

If you find scam messages, tell your friends directly (a short post like “Ignore the last messages, my account was compromised” helps). This reduces damage and prevents your friends from getting pulled into the incident.

Keep the communication simple

You don’t owe anyone a long explanation. The goal is to warn contacts so they don’t click malicious links.

Step 7: Secure the root cause (email, device, and password reuse)

Most social account compromises come from one of these causes:

  1. Password reuse (same password on another site that leaked)
  2. Compromised email (attacker can reset passwords)
  3. Malware or browser extensions (session theft)
  4. Phishing (you typed your password into a fake page)

7A) Secure your email first

If your email is compromised, nothing stays fixed.

  • Change your email password.
  • Enable 2FA on email.
  • Review email forwarding rules and “filters” (attackers sometimes forward reset emails to themselves).
  • Review “recent security activity” in your email provider.
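The forwarding-rule and filter review in 7A is easy to do by eye once you know what to look for: a rule that forwards mail outside your own domain, or one that deletes, archives or marks as read anything mentioning security, resets or verification codes. The script below is an added example (not from the original post) that applies exactly those two checks to a small, constructed list of rules. The rule records use a generic shape (match fields plus actions) rather than any provider's real export format, and MY_DOMAIN and the sample addresses are made up; adapt the loader to whatever your mail provider exports.

```python
"""Flag mailbox filter rules that could hide or divert password-reset mail.

Added example, not part of the original post. Rule records are a constructed,
provider-neutral representation; replace SAMPLE_RULES with rules loaded from
your provider's settings export.
"""
from typing import Dict, List

MY_DOMAIN = "mydomain.example"  # constructed: the domain of your own mailbox

# Words that usually appear in account-security mail (Step 7A / Scenario A).
SECURITY_TERMS = ("facebook", "security", "reset", "verification", "code", "login")

# Actions that make a message disappear from the inbox without you seeing it.
HIDING_ACTIONS = ("delete", "archive", "mark_read")

# Constructed sample rules: 1 and 4 are benign, 2 and 3 are the kind an attacker adds.
SAMPLE_RULES = [
    {"id": 1, "match": {"from": "newsletter@example.org"},
     "actions": {"label": "news"}},
    {"id": 2, "match": {"subject": "Facebook"},
     "actions": {"forward": "dropbox@attacker.example", "delete": True}},
    {"id": 3, "match": {"subject": "Your login code"},
     "actions": {"mark_read": True, "archive": True}},
    {"id": 4, "match": {"subject": "receipt"},
     "actions": {"archive": True}},
]


def rule_findings(rule: Dict) -> List[str]:
    """Return human-readable reasons this rule looks suspicious (empty if none)."""
    findings = []
    actions = rule["actions"]

    # Check 1: forwarding to an address you don't control.
    forward_to = actions.get("forward")
    if forward_to and not forward_to.lower().endswith("@" + MY_DOMAIN):
        findings.append(f"forwards mail to external address {forward_to}")

    # Check 2: silently hiding mail that matches security-related terms.
    match_text = " ".join(rule["match"].values()).lower()
    touches_security = any(term in match_text for term in SECURITY_TERMS)
    hides = [a for a in HIDING_ACTIONS if actions.get(a)]
    if touches_security and hides:
        findings.append(f"hides security-related mail ({', '.join(hides)})")

    return findings


def audit_rules(rules: List[Dict]) -> Dict[int, List[str]]:
    """Map rule id -> findings, including only rules that have at least one."""
    report = {}
    for rule in rules:
        findings = rule_findings(rule)
        if findings:
            report[rule["id"]] = findings
    return report


if __name__ == "__main__":
    for rule_id, reasons in audit_rules(SAMPLE_RULES).items():
        print(f"rule {rule_id}:")
        for reason in reasons:
            print(f"  - {reason}")
```

Rule 2 triggers both checks (external forward plus delete on anything mentioning Facebook) and rule 3 triggers the hiding check, which is the pattern behind the missing reset emails described in Scenario A; the benign newsletter and receipt rules produce no findings.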

7B) Check your device

If you suspect malware or a sketchy extension:

  • Remove unknown browser extensions.
  • Run a reputable malware scan.
  • Update your browser and operating system.

If the compromise repeats after you change passwords and enable 2FA, device security becomes a priority.

7C) Stop password reuse

The safest path is to use a password manager and generate unique passwords.

If you don’t use one yet, start with the highest‑risk accounts:

  • Email
  • Banking
  • Social accounts
  • Apple/Google account

Step 8: Document what happened (for your future self)

This is a small step that makes future incidents faster.

Write down:

  • The date/time you noticed the compromise
  • What you changed (password, 2FA, recovery email)
  • Any suspicious emails/messages you received

If you need to contact support later, this timeline helps.

Step 9: Prevent the “next time” incident

When things calm down, do these preventative upgrades:

  • Turn on login alerts.
  • Keep recovery info current.
  • Use 2FA on every important account.
  • Keep your browser lean (fewer extensions).

The real goal

You are not trying to be “unhackable.” You are trying to make your account expensive to take over and easy to recover.

Common scenarios (so you don’t get stuck)

Account recovery is rarely a straight line. Here are the situations that trap people most often.

Scenario A: You are logged out and the password reset emails are not arriving

This usually means one of three things: the attacker changed your recovery email, your inbox rules are filtering messages, or the reset emails are going to a different address.

What to do:

  • Use the official flow at facebook.com/hacked and follow the prompts carefully.
  • Check your email spam/junk folder.
  • Check email rules/filters and forwarding settings. Attackers sometimes forward security emails away from your inbox.
  • Search your inbox for “Facebook” and “security” rather than waiting for new mail.

Scenario B: The attacker enabled 2FA and you can’t complete login

This is one of the most frustrating cases because it turns a password reset into a lockout.

What to do:

  • Stick to the hacked/recovery flow and look for options like “try another way” or account verification.
  • If Facebook offers identity verification, follow the official steps inside the recovery flow (avoid third‑party “recovery services”).

Avoid recovery scams

If someone messages you saying they can “recover your Facebook” for money, it’s almost always a scam. Use only Facebook’s official recovery process.

Scenario C: You manage a Page or run ads

If your account is tied to a Page, business assets, or ad billing, treat this as higher risk. Attackers sometimes:

  • add themselves as admins
  • change page name or links
  • create ads or change payment methods

What to do:

  • Review Page roles/admins and remove unfamiliar users.
  • Review recent posts and scheduled content.
  • Review ad account activity and billing settings.

If money is involved, it’s worth doing this step before you sleep.

A quick anti-phishing checklist (because this is how most takeovers start)

If you clicked a link right before the incident, assume phishing until proven otherwise.

Use this checklist going forward:

  • Never log in from a link in SMS/DM. Type the site address yourself.
  • Be suspicious of “urgent” warnings that push you to act fast.
  • If a page asks for your password again after you are already logged in, pause.
  • Prefer using a password manager: it won’t autofill on look‑alike domains.

Phishing works because it turns your attention into a deadline. Your best defense is slowing down for 10 seconds.
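The checklist's last item (a password manager won't autofill on a look-alike domain) rests on one rule: credentials are matched to the registrable domain of the page, not to whether a familiar name appears somewhere in the address. The code below is an added example, not part of the original post, showing that rule in a strict form so you can see why a page like facebook.com.account-verify.example gets nothing. TRUSTED_DOMAINS and every sample URL are constructed for the demo, and the two-label rule in registrable_domain is a simplification (real password managers consult the Public Suffix List so that domains like example.co.uk are handled).

```python
"""Decide whether a login page's address really belongs to a site you trust.

Added example, not part of the original post: a strict domain matcher of the
kind a password manager applies before autofilling. The allow-list and the
sample URLs are constructed for this demo.
"""
import ipaddress
from typing import Tuple
from urllib.parse import urlsplit

# Constructed allow-list: registrable domains you actually log in to.
TRUSTED_DOMAINS = {"facebook.com", "google.com"}


def registrable_domain(hostname: str) -> str:
    """Return the last two labels ('m.facebook.com' -> 'facebook.com').

    Simplification for the demo: real matchers use the Public Suffix List.
    """
    labels = hostname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else hostname.lower()


def classify_login_url(url: str) -> Tuple[bool, str]:
    """Return (safe_to_autofill, reason) for a URL, the way a strict matcher would."""
    parts = urlsplit(url)
    host = parts.hostname or ""  # .hostname drops any user@ prefix and the port
    if not host:
        return False, "no hostname in URL"
    if parts.scheme != "https":
        return False, "not HTTPS"
    # Non-ASCII or punycode hosts can hide look-alike characters; refuse them here.
    if "xn--" in host or not host.isascii():
        return False, "internationalized hostname, verify it by hand"
    try:
        ipaddress.ip_address(host)
        return False, "raw IP address instead of a domain"
    except ValueError:
        pass
    domain = registrable_domain(host)
    if domain in TRUSTED_DOMAINS:
        return True, f"registrable domain {domain} is trusted"
    # Substring matching is what phishers count on: a trusted name appears in the
    # host, but the part that actually matters (the registrable domain) differs.
    if any(trusted.split(".")[0] in host for trusted in TRUSTED_DOMAINS):
        return False, f"look-alike: trusted name inside untrusted domain {domain}"
    return False, f"registrable domain {domain} is not trusted"


if __name__ == "__main__":
    # Constructed sample addresses, one per trick the checklist warns about.
    for sample in [
        "https://www.facebook.com/login",
        "https://facebook.com.account-verify.example/login",
        "https://facebook.com@evil.example/",
        "http://facebook.com/",
        "https://192.0.2.10/login",
    ]:
        ok, why = classify_login_url(sample)
        print(f"{'AUTOFILL' if ok else 'REFUSE  '}  {sample}  ({why})")
```

Only the first address passes; the second is the classic "trusted name as a subdomain" trick, the third puts the trusted name in the user-info part of the URL so the real host is evil.example, and the last two fail the HTTPS and raw-IP checks. Typing the address yourself, as the checklist says, is the manual version of the same domain comparison.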

Quick recap (the 15-minute plan)

If you only have time for the essentials:

  1. Use facebook.com/hacked
  2. Change password
  3. Log out of other devices
  4. Remove unknown recovery email/phone
  5. Enable 2FA
  6. Remove suspicious connected apps
  7. Secure your email account

If you follow those steps, you’ll close the most common takeover paths and dramatically reduce the chance of a repeat incident.

© ClipNotebook 2025.