Hacked Facebook account: how to get it back

The short version: use facebook.com/hacked, not the normal password reset, and use it from a device that has logged into Facebook before. If the hacker changed the account email, check your old inbox: Facebook sends the previous address a link that can reverse the change outright. Then let the guided flow reset the password and unwind what the attacker touched.

Start here: the official recovery path

Facebook's hacked flow is specifically built for taken-over accounts, and it can identify you by more than the email the attacker now controls:

  1. Go to Facebook's hacked-account flow. Open facebook.com/hacked and choose the option that matches what happened. This flow works even when the password has been changed.
  2. Identify the account. Search for it with the email address or phone number you originally used, or your name and a friend's name. Use a device you have logged in on before if you possibly can, Facebook weighs recognised devices heavily.
  3. Check your old inbox for the change alerts. When an attacker changes the email on a Facebook account, Facebook sends a notice to the old address with a link to reverse the change and secure the account. That single email can undo the takeover, so search your inbox for mail from Facebook before assuming the address change is final.
  4. Follow the guided security steps. The hacked flow walks you through resetting the password and reviewing recent activity. Let it finish, it unwinds attacker changes as it goes.
  5. Review sessions and linked accounts. In Settings, check where you are logged in and log out everything you do not recognise. If your Instagram is linked in Accounts Centre, check it too, takeovers travel across linked accounts.

If the hacker changed your email or phone on the account

Two things work in your favour. First, the reversal email: when the contact address on a Facebook account changes, the old address gets a notice with a secure-your-account link that undoes the change. It is time-limited, so search the old inbox now. Second, the hacked flow identifies accounts by phone number, name and recognised devices, so the attacker owning "the email on the account" does not end the story. What you should not do is fire password-reset codes at the masked address the normal reset shows you, that address is likely the attacker's.

Back in? Lock it down before you do anything else

  • Log out every session you do not recognise in Settings, Security and login.
  • Remove contact details that are not yours. Any email or phone the attacker added is a way back in.
  • Turn on two-factor authentication with an authenticator app, not SMS. See our 2FA setup guide.
  • Check what attackers monetise: ad accounts, pages you manage, marketplace listings and saved payment methods. Remove anything you did not add, and check for ad campaigns you did not run.
  • Check Accounts Centre for linked accounts, especially Instagram, and secure those too.
  • Warn your contacts if the attacker messaged anyone, those messages are usually scams in your name.

If you cannot get back in

If the official process keeps looping, do not pay anyone who cold-calls or advertises instant recovery, and never pay a ransom for your own account. In Australia, report the takeover through ReportCyber at cyber.gov.au, and if money or identity documents are involved, IDCARE provides free, government-funded support. If the account matters too much to gamble on, our assisted recovery works the provider's process for you: verified identity first, then patient, documented escalations. Start here.

Stop the next one before it starts

Getting the account back is the urgent half. The lasting half is closing the back door that let this happen: account recovery. A strong password and two-step verification guard the login, but a "forgot password" flow aimed at a weak recovery channel walks straight past both. Our guide to the recovery gap explains the mechanics, and the email security guide covers the five moves that actually matter. If you want the back door watched for you, that is exactly what SAFE2RECOVER does: we hold and guard the recovery mail for your important accounts, so a reset you did not ask for gets stopped before it lands. Get protected, there is no card required to start.

Frequently asked questions

The hacker changed the email on my Facebook account. Can I still get it back?

Usually yes. Facebook emails the old address when the account email changes, and that notice contains a link to reverse the change and secure the account. Search the inbox of your old address for recent mail from Facebook and act on it quickly. Separately, facebook.com/hacked can identify the account by your name, phone number or friends even after the email was swapped.

Why does Facebook keep showing me someone else's partial email during recovery?

That masked address is the attacker's, now set as the account's contact. Do not send codes to it. Back out and use facebook.com/hacked instead of the plain password reset, and identify the account by your own phone number, your name, or from a device you previously used with Facebook.

What should I check after getting my Facebook account back?

Log out all sessions you do not recognise, remove any email address or phone number that is not yours, and turn on two-factor authentication with an authenticator app. Then check things attackers monetise: pages you manage, ad accounts and saved payment methods, and remove anything they added. Finally check linked accounts in Accounts Centre, especially Instagram.

Someone made a fake account pretending to be me. Is that the same problem?

No. Impersonation is a separate report, you can report a fake profile from that profile's page. The hacked flow is for when your real account is accessed or controlled by someone else. If both happened, deal with the takeover first, the real account is the more valuable target.