Facebook Hacked / Phished – Recover a Compromised Account – Facebook Help, Support & Troubleshooting
Unofficial guide

A practical, plain‑English walkthrough for recovering a hacked or phished Facebook account, written for real people and small businesses.

Important: This website is not affiliated with Meta/Facebook. We cannot access your account. For sensitive actions (appeals, ID upload, billing), always use the official in‑app forms or the Meta Help Centers. Beware of anyone promising phone support or paid “unlock” services.

If your Facebook or Instagram was hacked, act fast. The goal is to kick the attacker out, lock your doors, and undo any damage. This playbook prioritizes speed and safety.

Red flags

  • Login alerts you don’t recognize
  • Password, email, or phone changed without your action
  • New friends, messages, or posts you didn’t send
  • Unknown ads running or Page roles added

Immediate actions

  1. Change your password; if locked out, start account recovery.
  2. End sessions you don’t recognize (Settings → Security & Login).
  3. Turn on 2FA with an authenticator app; generate backup codes.
  4. Remove suspicious apps and browser extensions.
  5. Check ad accounts, payment methods, and Page roles.

Secure your account now

  1. Reset password immediately. If your email was changed, use your phone number or username to start recovery.
  2. Review active sessions. In Security & Login close any device or location you don’t recognize.
  3. Turn on 2FA. Prefer an authenticator app or hardware key over SMS.
  4. Undo changes. Restore your email/phone, remove rogue admins from Pages/Business Manager, and cancel any ads you didn’t create.
  5. Scan devices. Run antivirus/anti‑malware, remove shady extensions, and update your OS/browser.

Never pay “recovery agents”. Only use official in‑app flows. Scammers target hacked users.

Phishing and fake support traps

Attackers mimic Meta emails, DMs, or Pages (“copyright strike”, “blue badge removal”, “security review”).

  • Check the sender domain and the URL after you click—phishing pages often use lookalike domains.
  • Don’t enter codes you receive unless you initiated the login.
  • Report the message and block the sender.
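
The domain check from the first bullet can be automated. The sketch below is an added example, not part of the original guide or any Meta tooling: it classifies a link or sender address as official, lookalike, or unrelated. The `OFFICIAL` allowlist, the brand list, and the sample inputs are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

# Assumption: domains treated as genuine for this example; adjust to your own list.
OFFICIAL = ("facebook.com", "instagram.com", "meta.com", "facebookmail.com")
BRANDS = ("facebook", "instagram", "meta")
# Digits commonly swapped in for letters in lookalike names.
DIGIT_SWAPS = str.maketrans("0135", "oles")


def edit_distance(a, b):
    """Levenshtein distance, computed row by row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(url_or_host):
    """Return 'official', 'lookalike' or 'unrelated' for a URL, host or sender."""
    text = url_or_host if "//" in url_or_host else "//" + url_or_host
    host = (urlsplit(text).hostname or "").rstrip(".")
    # Genuine only if the host IS an official domain or a subdomain of one.
    if any(host == d or host.endswith("." + d) for d in OFFICIAL):
        return "official"
    # Otherwise look for a brand name, or a one-character near miss, in any token.
    for label in host.split("."):
        for token in label.translate(DIGIT_SWAPS).split("-"):
            for brand in BRANDS:
                near = len(brand) >= 6 and edit_distance(token, brand) <= 1
                if token == brand or near:
                    return "lookalike"
    return "unrelated"


if __name__ == "__main__":
    # Constructed sample inputs, not taken from real messages.
    for sample in ("https://www.facebook.com/login",
                   "https://facebook.com.security-review.example/appeal",
                   "faceb00k-help.example",
                   "security@facebookmail.com"):
        print(f"{classify(sample):10} {sample}")
```

A result of "unrelated" only means the host does not imitate the brand names listed; anything other than "official" should not receive your password or login codes.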

Businesses: protect Pages, ad accounts & Business Manager

Access & roles

  • Review People and Partners in Business Settings; remove unknowns.
  • Require 2FA for all admins and employees.
  • Verify your business and add a recovery admin.

Ad spend attacks

  • Pause all campaigns if you see unfamiliar ads.
  • Check payment methods for unauthorized charges; contact your bank if needed.
  • Audit Pixels, Conversions API, and API access tokens.

After recovery: harden your setup

  • Turn on login alerts; add a backup email.
  • Rotate passwords on other sites if you reused them.
  • Enable passkeys or security keys where supported.
  • Educate teammates on impersonation scams.

FAQs

I can’t log in to change my password—what now?
Use the account recovery flow with your phone number, email, or username. If prompted, submit ID to prove you are the owner.

The hacker changed my email and phone.
Start recovery with your username and complete identity checks. After regaining access, remove the attacker’s contact methods and add your own.

My Page is posting spam.
Remove suspicious Page roles, run a device malware scan, change your password, and turn on 2FA for all admins.

My ad account spent money I didn’t authorize.
Pause ads, remove suspicious users and apps, and contact your payment provider to dispute charges as needed.

Last updated: August 23, 2025. This guide reflects common patterns and public information; screens and policies may vary by country/account type.