Protect Facebook From Hacking: Complete 2026 Security Guide


Last updated: July 1, 2026

Facebook security is no longer only about protecting a profile. The same login may expose years of Messenger conversations, personal photographs, Marketplace activity, Pages, advertising accounts, saved payment methods, groups, and business assets that other people trust.

A strong password is important, but it cannot stop every takeover route. Modern Facebook compromises commonly begin with a fake Page-violation notice, a Marketplace payment link, a message from a hacked friend, a reused password, a stolen browser session, a compromised recovery email, a malicious extension, an exposed authentication code, or access to a device that is already logged in.

This guide explains how to protect a Facebook account in 2026 using passkeys, two-factor authentication, recovery codes, Meta Account or Accounts Center reviews, login alerts, session checks, phishing verification, Messenger and Marketplace precautions, Page-access controls, device security, and a practical recovery plan.

For a defensive explanation of the techniques criminals commonly use, read our guide to Facebook hacking methods and how those attacks work.

2026 interface note: Meta announced in April 2026 that Accounts Center will gradually evolve into Meta Account. The rollout is expected to continue over time, so your menus may still say Accounts Center, or they may show Meta Account. Labels can also differ by country, device, application version, account type, and whether Facebook, Instagram, Messenger, or other Meta profiles are connected.

Quick Facebook Security Plan

If you have only ten minutes, begin with the controls that close the most common takeover routes:

  1. Create a Facebook passkey on a private, trusted mobile device if the option is available.
  2. Replace any reused Facebook password with a unique password stored in a reputable password manager.
  3. Enable two-factor authentication with an authenticator app or hardware security key.
  4. Generate Facebook recovery codes and store them somewhere other than the phone used for authentication.
  5. Secure the associated email account with a different password and strong authentication.
  6. Review every email address and phone number connected to Facebook.
  7. Open Where you’re logged in and terminate unfamiliar sessions.
  8. Enable alerts for unrecognized logins and investigate any alert you cannot explain.
  9. Review Meta Account or Accounts Center for unfamiliar profiles and cross-account login options.
  10. Remove old apps, games, websites, browser extensions, Page administrators, business partners, and agencies that no longer need access.

Security layer | What it helps stop | Priority
Passkey | Phishing, password guessing, and reuse of a stolen password | Very high when available
Unique password | Credential stuffing after another service is breached | Very high
Authenticator app or security key | Logins attempted with a stolen password | Very high
Recovery codes | Lockout after losing the normal authentication device | Very high
Secure recovery email | Unauthorized password resets and hidden security alerts | Very high
Session review | Stolen or forgotten active sessions | High
Recent Emails verification | Fake Meta warnings, support messages, and appeal links | High
Page and business-access audit | Rogue administrators, partners, ad campaigns, and payment abuse | Very high for businesses
Connected-app review | Old third-party permissions and compromised integrations | High
Device and browser security | Malware, malicious extensions, keylogging, and session theft | High

How Facebook Accounts Get Compromised

An attacker normally does not break into Facebook’s central systems to target one ordinary account. The easier route is to exploit the account owner, a recovery channel, a trusted device, a connected service, or a person who manages the same Page or business.

Common takeover paths include:

  • Fake policy or copyright warnings: A Page administrator is told to “appeal within 24 hours” through an external login page.
  • Credential stuffing: A Facebook password reused on another website is exposed and tested automatically.
  • Compromised recovery email: The attacker reads alerts, resets the password, or deletes evidence from the inbox.
  • Stolen authentication codes: A scammer persuades the victim to send a login, recovery, or two-factor code.
  • Session theft: Malware or a browser extension copies an authenticated session, allowing access without typing the password again.
  • Trusted-device access: Someone uses an unlocked phone, a shared computer, or a browser that remained signed in.
  • Messenger impersonation: A compromised friend sends a voting page, video link, file, money request, or account-recovery story.
  • Marketplace fraud: A buyer or seller moves the conversation off Facebook, sends a fake payment page, or requests a security code.
  • SIM swapping: A criminal transfers the victim’s number and intercepts SMS-based security messages.
  • Connected applications: An old game, website, scheduling tool, or service retains access that is no longer needed.
  • Page or business access abuse: A rogue administrator, partner, contractor, or compromised colleague adds another user, changes permissions, or launches ads.
  • Recovery scams: Someone claiming to work for Meta promises to restore the account in exchange for money, codes, identity documents, or remote device access.

This is why “I have a difficult password” is not a complete security plan. Facebook protection must cover the login, recovery email, phone number, active sessions, trusted devices, connected Meta profiles, and any Page or advertising assets controlled by the account.

1. Create a Facebook Passkey

A passkey replaces password entry on supported devices with the same method used to unlock the device, such as a fingerprint, facial recognition, device PIN, or device password. The passkey is bound to the site it was created for, so the device will only use it on the genuine Facebook domain and will not offer it to a look-alike login page. That makes it considerably more resistant to conventional phishing than a reusable password, which a victim can be talked into typing anywhere.

Facebook currently supports passkeys on mobile devices, although availability can vary. A computer login may still require another method, and fallback password or recovery routes can remain active.

How to create a Facebook passkey

  1. Open the Facebook mobile application on a private device.
  2. Open Menu.
  3. Select Settings & privacy, followed by Settings.
  4. Open Accounts Center or Meta Account.
  5. Select Password and security.
  6. Select Passkey.
  7. Choose the Facebook account.
  8. Follow the device prompts to create and save the passkey.

Read Facebook’s official passkey setup instructions

Do not create a passkey on a shared device

A passkey relies on the security of the device and the Apple, Google, Microsoft, or other account that may synchronize it. Do not create one on a work computer you do not control, a family tablet shared without separate profiles, a borrowed phone, or a public device.

Also protect the account that stores or synchronizes your passkeys. An excellent Facebook passkey is weakened if someone can enter the cloud account that holds it, reset the device lock, or use an already unlocked phone.

A passkey does not remove every takeover route

Even with a passkey, an attacker may still exploit:

  • An already authenticated Facebook session.
  • A compromised recovery email.
  • An unlocked or infected device.
  • A malicious connected application.
  • A weaker fallback password or recovery method.
  • A connected Meta profile or business administrator.

Use a passkey as one strong layer, not as permission to ignore sessions, email security, Page access, or device hygiene.

2. Use a Unique Password and Password Manager

Even after creating a passkey, maintain a strong Facebook password because a password may remain available on unsupported devices or during recovery.

The decisive property is uniqueness. A password can look complicated and still be dangerous if the same credential is used for email, a forum, an online shop, a game, or an old application. After one of those services is breached, criminals can automatically test the exposed email-and-password pair against Facebook.

What a secure Facebook password looks like

  • It is used only for Facebook or the relevant Meta login.
  • It is long, randomly generated, or built from several unrelated words.
  • It does not contain information visible on your profile.
  • It is stored in a reputable password manager rather than a message, note, or spreadsheet.
  • It is not shared with employees, relatives, agencies, or collaborators.

Avoid names, birthdays, phone numbers, pet names, favorite teams, keyboard patterns, predictable substitutions, and an old password with the current year added to the end.

How to change your Facebook password

  1. Open Settings & privacy > Settings.
  2. Select Accounts Center or Meta Account.
  3. Open Password and security.
  4. Select Change password.
  5. Choose the Facebook account.
  6. Enter the current password and a new unique password.
  7. Save the change.

Read Facebook’s official password instructions

Do not rotate a strong unique password into predictable variations every month merely to satisfy a schedule. Change it when it is reused, weak, shared, exposed in a breach, entered into a suspicious page, or connected with signs of compromise.
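Checking whether a password has already appeared in a public breach corpus is the practical test for "exposed in a breach". The Have I Been Pwned Pwned Passwords range API receives only the first five hex characters of the password's SHA-1 and returns every hash suffix with that prefix and a breach count, so the password never leaves your machine. The block below is an added example for this guide, not code from the guide or from HIBP; the range response and breach counts in it are constructed samples, and only the endpoint name and response format are real.

```python
"""Offline-capable check of whether a password is in a public breach corpus.

The Have I Been Pwned "Pwned Passwords" range API receives only the first five
hex characters of the password's SHA-1 and returns every hash suffix sharing
that prefix with a breach count, so the password itself never leaves your
machine (k-anonymity). Added example for this guide, not code from the guide
or from HIBP; the range response below is a constructed sample and the
breach counts in it are made up."""

import hashlib
import urllib.request
from typing import Optional, Tuple

RANGE_API = "https://api.pwnedpasswords.com/range/"   # real endpoint, used only when no sample body is given


def split_hash(password: str) -> Tuple[str, str]:
    """Uppercase hex SHA-1 of the password, split into (5-char prefix, 35-char suffix)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def count_in_range(suffix: str, range_body: str) -> int:
    """Scan a range response ("SUFFIX:COUNT" per line) for our suffix.

    Returns the breach count, or 0 when the suffix is absent. Lines are CRLF
    separated and, with the Add-Padding header, may include count-0 dummies."""
    for line in range_body.splitlines():
        line = line.strip()
        if ":" not in line:
            continue
        candidate, count = line.split(":", 1)
        if candidate.upper() == suffix:
            return int(count)
    return 0


def pwned_count(password: str, range_body: Optional[str] = None) -> int:
    """Breach count for the password.

    With range_body=None the live API is queried with the prefix only; pass a
    response body to run entirely offline (as the sample below does)."""
    prefix, suffix = split_hash(password)
    if range_body is None:
        req = urllib.request.Request(RANGE_API + prefix, headers={"Add-Padding": "true"})
        with urllib.request.urlopen(req, timeout=10) as resp:
            range_body = resp.read().decode("utf-8")
    return count_in_range(suffix, range_body)


# Constructed sample response for prefix 5BAA6, the prefix of SHA-1("password").
SAMPLE_RANGE_5BAA6 = "\r\n".join([
    "003D68EB55068C33ACE09247EE4C639306B:3",
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493",   # suffix for "password" (count is made up)
    "0EB63A0C6A03DFCD8A7E0D1E2A3FF2C9AB7:0",          # padding entry
])


if __name__ == "__main__":
    for pw in ("password", "correct horse battery staple"):
        print(pw, "->", pwned_count(pw, SAMPLE_RANGE_5BAA6))
```

Run it with a password-manager export in a loop if you want to find reused or breached entries across all your accounts; a non-zero count means the password is in attackers' credential-stuffing lists and should be replaced, not merely varied.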

3. Enable Two-Factor Authentication

Two-factor authentication adds another verification step when Facebook detects a login from a device or browser it does not recognize. A stolen password should therefore be insufficient on its own.

Facebook may offer:

  • Hardware security key: A physical USB, NFC, or compatible security device. This is a strong option for Page owners, advertisers, public figures, and anyone facing targeted phishing.
  • Authentication app: An application that generates temporary time-based codes. This is the most practical strong option for many users.
  • SMS: A temporary code sent to a mobile number. It is better than password-only access, but it depends on the security of the mobile-provider account and can be intercepted by SIM swapping (see section 16).

How to enable Facebook two-factor authentication

  1. Open Settings & privacy > Settings.
  2. Select Accounts Center or Meta Account.
  3. Open Password and security.
  4. Select Two-factor authentication.
  5. Choose the Facebook account.
  6. Select a security key, authentication app, or SMS.
  7. Complete the setup.
  8. Test the method before signing out of all trusted devices.

Read how Facebook two-factor authentication works

Set up the authenticator app for the day your phone fails

The common mistake is enabling an authenticator app and assuming recovery is finished. Before replacing, resetting, selling, or repairing the phone:

  • Understand whether the authenticator data is backed up or synchronized.
  • Protect the cloud account used for synchronization.
  • Add a second supported authentication method where appropriate.
  • Generate Facebook recovery codes.
  • Confirm that the recovery email is current and secure.

Never read a two-factor code to someone who contacted you. A real support process should not require a private login code through Messenger, WhatsApp, Telegram, email, or a phone call.

4. Save Facebook Recovery Codes

Facebook can provide ten single-use recovery codes for accounts protected by two-factor authentication. Each code can help you regain access when the normal authentication device is lost, damaged, reset, or unavailable.

How to generate recovery codes

  1. Open Accounts Center or Meta Account.
  2. Select Password and security.
  3. Open Two-factor authentication.
  4. Choose the Facebook account.
  5. Open Additional methods.
  6. Select Recovery codes.
  7. Generate and securely store the codes.

Read Facebook’s recovery-code instructions

Treat each recovery code as a temporary password. Do not send it to “Meta support,” an agency, a friend helping with the account, or a person promising recovery.

Where to store recovery codes

Good options include:

  • An encrypted password manager.
  • An encrypted offline document.
  • A printed copy in a private, physically secure location.

Do not keep the only copy as an ordinary screenshot on the same phone that generates the authentication codes. Screenshots may synchronize to a cloud-photo library, appear in previews, or remain in the recently deleted folder.

Generate a new set if anyone else may have seen the current codes. Creating new codes invalidates the old set.

5. Secure the Recovery Email and Phone Number

A Facebook account can be protected by a passkey and two-factor authentication yet remain vulnerable through a neglected recovery inbox. Someone who controls the email account may read security alerts, initiate password resets, hide evidence, or interfere while you try to recover Facebook.

Secure the email account as seriously as Facebook

  • Use an email password that is different from the Facebook password.
  • Enable a passkey or strong multi-factor authentication.
  • Review active email sessions and trusted devices.
  • Remove unknown forwarding rules, filters, recovery addresses, and phone numbers.
  • Review connected applications and application-specific passwords.
  • Save the email provider’s recovery codes securely.

An unfamiliar forwarding rule is particularly important: an attacker can quietly copy Facebook alerts to another address even after you change the inbox password.

Review the contact information Facebook can use

  1. Open Accounts Center or Meta Account.
  2. Select Personal details.
  3. Open Contact info.
  4. Review every email address and mobile number.
  5. Remove details you no longer control.
  6. Add and verify a current email address when needed.

Manage email addresses connected to Facebook

Manage mobile numbers connected to Facebook

Do not depend exclusively on an employer-controlled inbox, a temporary address, a number you may soon lose, or an email account shared with another person.

6. Review Meta Account or Accounts Center Connections

Facebook may be connected with Instagram, Messenger, WhatsApp, Meta Horizon, and other Meta experiences through Accounts Center or the newer Meta Account. Central management is convenient, but it also means the connection itself deserves a security review.

Meta’s 2026 transition can introduce a more unified login experience, passkeys across supported Meta apps, personalized Security Checkup recommendations, and centralized management of passwords, two-factor authentication, and contact information.

Read Meta’s announcement about Meta Account

Review these connection settings

  • Which Facebook, Instagram, Messenger, WhatsApp, and Meta profiles are present.
  • Whether one account can log in to another.
  • Which email addresses and phone numbers are shared.
  • Whether a single Meta Account password is being used.
  • Which connected experiences you actually use.
  • Whether an unfamiliar profile, device, or recovery method has appeared.

A practical warning sign is not merely “an unknown Facebook device.” It may be an unfamiliar Instagram profile, Meta Account connection, or login method that gives the attacker another route back after the Facebook password is changed.

Remove connections you do not recognize, then secure every remaining account separately. One weak inbox or connected profile can undermine the stronger settings on the main Facebook account.

7. Run Facebook Security Checkup

Facebook Security Checkup brings several important controls into one guided review. Depending on the account and rollout, it may cover the password, two-factor authentication, login alerts, recovery details, and other personalized recommendations.

Use it after:

  • Receiving an unfamiliar login or password-reset alert.
  • Changing the password.
  • Adding a new phone, computer, passkey, or authentication method.
  • Removing malware or a suspicious browser extension.
  • Recovering a compromised Facebook account.
  • Changing the primary email address or phone number.
  • Removing a Page administrator, agency, or business partner.

Open Facebook Security Checkup

Security Checkup is useful, but it is not a substitute for reviewing business assets, Page access, ad campaigns, Marketplace conversations, and the recovery email. Those areas may require separate checks.

8. Review Every Active Login Session

The Where you’re logged in area lists active or recent Facebook sessions. A session can include the device type, browser or application, approximate location, and time of activity.

How to review Facebook sessions

  1. Open Settings & privacy > Settings.
  2. Select Accounts Center or Meta Account.
  3. Open Password and security.
  4. Select Where you’re logged in.
  5. Choose the Facebook account.
  6. Inspect each device and session.
  7. Log out individual sessions or select multiple devices to remove.

Read Facebook’s instructions for logging out other devices

Do not judge a session by the city alone

Facebook estimates location from the network address of the connection, not from the device’s GPS. A mobile carrier gateway, internet-provider routing, VPN, travel connection, or nearby city can therefore make a legitimate session look unfamiliar. Compare:

  • Device and operating system.
  • Browser or Facebook application.
  • Date and time.
  • Your recent travel and network use.
  • Whether posts, messages, settings, or ads changed at the same time.

An unfamiliar city on your usual phone is less conclusive than an unfamiliar browser, a time when you were asleep, and a new Page administrator appearing together.
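The rule above, correlate several signals rather than reacting to the city alone, can be written down as a small triage routine. The block below is an added example for this guide, not code from Meta; the scoring weights and thresholds are this example's own choice, and the owner profile and session records are constructed to resemble what the Where you’re logged in screen shows, not exported data.

```python
"""Session triage for the "Where you're logged in" list: location alone is
weak evidence; an unknown device or browser, activity in your sleep window,
and a settings or Page-access change at the same time are what together
justify terminating a session. Added example for this guide, not code from
Meta; weights, thresholds and records are this example's own."""

from dataclasses import dataclass
from datetime import datetime, time
from typing import List, Set, Tuple


@dataclass
class Session:
    device: str          # as the session list shows it, e.g. "iPhone 15"
    client: str          # browser or app, e.g. "Facebook for iOS"
    city: str            # Facebook's estimate from the connection's network address
    last_active: datetime


@dataclass
class Owner:
    known_devices: Set[str]
    known_clients: Set[str]
    usual_cities: Set[str]
    travelling: bool         # were you away from your usual cities at that time?
    sleep_start: time        # local sleep window, may cross midnight
    sleep_end: time


def in_window(t: datetime, start: time, end: time) -> bool:
    """Clock-time test that handles a window crossing midnight (23:00 to 06:30)."""
    tt = t.time()
    if start <= end:
        return start <= tt <= end
    return tt >= start or tt <= end


def triage(session: Session, owner: Owner, settings_changed_same_hour: bool) -> Tuple[int, List[str]]:
    """Score one session; returns (score, reasons). Weights are this example's:
    an unfamiliar city adds 1, unknown device or client add 2 each, sleep-window
    activity adds 1, a simultaneous settings/admin change adds 3."""
    score, reasons = 0, []
    if session.device not in owner.known_devices:
        score += 2
        reasons.append("unknown device")
    if session.client not in owner.known_clients:
        score += 2
        reasons.append("unknown browser or app")
    if session.city not in owner.usual_cities and not owner.travelling:
        score += 1
        reasons.append("unfamiliar city (advisory only)")
    if in_window(session.last_active, owner.sleep_start, owner.sleep_end):
        score += 1
        reasons.append("active during your sleep window")
    if settings_changed_same_hour:
        score += 3
        reasons.append("settings or Page access changed at the same time")
    return score, reasons


def verdict(score: int) -> str:
    """Action tiers: 4 or more means terminate and run the compromise checklist."""
    if score >= 4:
        return "terminate and run the compromise checklist"
    if score >= 2:
        return "investigate"
    return "probably benign"


# Constructed owner profile and sessions (not real data).
ME = Owner(
    known_devices={"iPhone 15", "MacBook Pro"},
    known_clients={"Facebook for iOS", "Safari on macOS"},
    usual_cities={"Manchester"},
    travelling=False,
    sleep_start=time(23, 0),
    sleep_end=time(6, 30),
)
ODD_CITY_OWN_PHONE = Session("iPhone 15", "Facebook for iOS", "Leeds", datetime(2026, 7, 1, 14, 5))
HOSTILE = Session("Windows PC", "Chrome on Windows", "Leeds", datetime(2026, 7, 1, 3, 12))

if __name__ == "__main__":
    for s, changed in ((ODD_CITY_OWN_PHONE, False), (HOSTILE, True)):
        score, why = triage(s, ME, changed)
        print(s.device, score, verdict(score), why)
```

The same familiar phone seen from an unexpected city scores only 1 and stays advisory; an unknown Windows browser at 03:12 with a settings change in the same hour scores 9 and goes straight to the checklist in the next subsection.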

If a session is clearly not yours

  1. Terminate it.
  2. Secure the recovery email.
  3. Change the Facebook password.
  4. Review two-factor authentication and contact information.
  5. Generate new recovery codes.
  6. Inspect connected Meta profiles.
  7. Check Pages, ads, payment methods, and business partners.
  8. Scan the devices and remove suspicious browser extensions.

Changing the password without cleaning an infected device can create a loop: the new password or session may be stolen again immediately.

9. Enable and Investigate Login Alerts

Login alerts can warn you when Facebook detects access from a browser or device it does not recognize. Depending on your settings, the alert may appear as a Facebook notification, email, or SMS.

Do not ignore an alert just because the password still works. Some attackers avoid changing credentials immediately because continued quiet access is more useful than locking the owner out.

When an unfamiliar alert appears

  1. Do not use a link in the alert message.
  2. Open Facebook through the official app or type the address yourself.
  3. Review Where you’re logged in.
  4. Select This wasn’t me when Facebook offers the option.
  5. Change the password if the access is not yours.
  6. Review recovery details, authentication methods, Pages, ads, and connected accounts.

A login alert does not always mean access was completed. It may represent an unsuccessful attempt, a newly installed browser, cleared cookies, a new phone, or a legitimate login through a different network. The correct response is verification, not panic or dismissal.

10. Verify Facebook and Meta Emails Inside Facebook

A sender name, logo, and familiar-looking address are not enough to prove that a security email is genuine. The safer method is to check whether Facebook records sending it.

Facebook’s current Recent Emails area can show security emails from the previous year in the main security tab and other Facebook emails from the previous two days in a separate tab. Sensitive links or codes may be hidden from that record for security reasons.

How to verify a Facebook email

  1. Do not click the message link.
  2. Open Facebook directly.
  3. Open Accounts Center or Meta Account > Password and security > Recent emails, or visit Facebook’s Recent Emails security page.
  4. Check whether Facebook records sending the message.
  5. Review the claimed problem inside Facebook or Meta Business Support Home.

Read Facebook’s official email-verification instructions

Meta currently identifies official correspondence as coming from domains or subdomains associated with:

  • fb.com
  • facebook.com
  • facebookmail.com
  • instagram.com
  • meta.com

Even an official-looking domain should not be the only test. Misspelled domains, misleading link text, compromised inboxes, and abusive business invitations can create convincing messages.
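What "inspect the actual domain" means in practice is parsing the link and looking at the registrable domain of its host, not the text shown, the page design, or anything before an @ sign. The block below is an added example for this guide, not code from Meta; the official-domain list is the one printed above, the rule that the host must equal one of those names or end in a dot followed by one of them is this example's own, and the sample URLs are constructed.

```python
"""Classify a link by the real host of the URL, not its visible text. Added
example for this guide, not code from Meta: the domain list is the one the
guide quotes, the suffix rule and the extra checks (userinfo before '@',
punycode labels, plain HTTP) are this example's own, and the sample URLs are
constructed."""

from urllib.parse import urlsplit

OFFICIAL_DOMAINS = ("fb.com", "facebook.com", "facebookmail.com", "instagram.com", "meta.com")


def is_official_host(host: str) -> bool:
    """True only when the registrable domain is exactly one of the official names.
    "facebook.com.appeal-center.xyz" fails because its suffix is ".xyz"."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in OFFICIAL_DOMAINS)


def check_link(url: str) -> dict:
    """Return the parsed host, whether it is official, whether the link should be
    trusted, and the reasons a practitioner would want to see."""
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").rstrip(".")    # lowercased; userinfo and port removed
    reasons = []
    if parts.scheme not in ("http", "https"):
        reasons.append("not a web link (scheme %r)" % parts.scheme)
    elif parts.scheme == "http":
        reasons.append("plain HTTP, not HTTPS")
    if parts.username is not None:
        reasons.append("text before '@' is userinfo; the real host is %r" % host)
    if any(label.startswith("xn--") for label in host.split(".")):
        reasons.append("punycode label, check for look-alike characters")
    official = is_official_host(host)
    if not official:
        if any(d in host for d in OFFICIAL_DOMAINS):
            reasons.append("official name embedded inside a different domain")
        reasons.append("host %r is not an official Meta domain" % host)
    trusted = official and parts.scheme == "https" and parts.username is None
    return {"host": host, "official": official, "trusted": trusted, "reasons": reasons}


if __name__ == "__main__":
    for u in (
        "https://www.facebook.com/settings",
        "https://m.facebook.com:443/login",
        "https://facebook.com.page-appeal-center.xyz/login",
        "https://facebook.com@evil.example/",
        "https://www.xn--fcebook-hwa.com/",
    ):
        print(u, "->", check_link(u))
```

Even a link that passes this check only proves the domain; it says nothing about whether the message that carried it is genuine, which is why the Recent Emails check above remains the deciding step.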

Facebook states that it will not request your password by email or send the password as an attachment. Suspicious messages can be forwarded to phish@fb.com, but never forward private codes or sensitive account-recovery links to unrelated people.

11. Recognize Facebook Support and Phishing Scams

Facebook phishing usually creates urgency, fear, curiosity, or a valuable opportunity. The message attempts to move you from a familiar Meta interface to a page, file, extension, or conversation controlled by the attacker.

Common Facebook-specific stories

  • Your Page will allegedly be unpublished within 24 hours.
  • A post supposedly violated copyright or trademark rules.
  • An advertising account requires immediate verification.
  • You have been selected for Meta Verified or a special business program.
  • A “Meta employee” needs a code to confirm ownership.
  • A friend asks you to vote in a contest or recover their account.
  • A video or photograph allegedly shows you.
  • A business invitation or policy notice contains an external appeal page.
  • A recovery specialist promises direct access to an internal Meta employee.
  • A scammer claims you must pay in cryptocurrency, gift cards, or a “verification fee.”

Use the three-part verification test

Before acting on a warning, ask:

  1. Where did it arrive? A comment, Messenger chat, tagged post, or unsolicited WhatsApp message is not an official support channel.
  2. Where does it send me? Do not trust a page merely because the design copies Facebook. Inspect the actual domain and preferably open Facebook independently.
  3. Can I confirm it inside Meta? Check Recent Emails, notifications, Account Status, Page settings, or Meta Business Support Home rather than following the supplied link.

The most dangerous messages often contain a small amount of real information—your Page name, ad-account number, recent post, or public business details. Personalization makes a scam more convincing; it does not make it official.

Read Facebook’s guidance for avoiding scams

Never provide a password, passkey approval, two-factor code, recovery code, password-reset link, email password, or remote-control access to someone claiming to be support.

12. Treat Unexpected Messenger Links and Files as Untrusted

A Messenger message can appear to come from a real friend while actually being sent from a compromised account. Attackers exploit the existing relationship because “your friend sent it” lowers suspicion.

Common examples include:

  • “Is this you in this video?” followed by an external link.
  • A request to vote for a friend through a Facebook-looking login page.
  • A claim that the sender needs your phone number and a code to recover their account.
  • An urgent request for money, gift cards, or help with a payment.
  • A compressed archive, executable file, browser extension, or “document viewer.”
  • A Page-policy warning sent through Messenger by an account using a Meta logo.

Merely reading a message does not normally compromise the account. The real risk begins when you open an external page, download a file, install software, approve a login prompt, or disclose a code.

When a familiar person sends an unusual request, verify it through a different channel. Call them, use an existing phone number, or ask a question an impersonator is unlikely to answer. Do not verify through a new number supplied in the suspicious conversation.

If the sender’s account is compromised, tell them through another channel and report the message. Do not reply with screenshots of your security settings or codes.

13. Protect Marketplace Conversations and Payments

Marketplace introduces risks that ordinary profile-security guides often overlook. A scammer may not initially want the Facebook password; the first goal may be moving the conversation to a place where Facebook cannot easily review the exchange.

Warning signs include:

  • A buyer or seller immediately asks to continue through WhatsApp, text, email, or Telegram.
  • A “courier,” “payment service,” or “shipping company” sends an external confirmation page.
  • The other person asks for your email address or phone number and then requests a code.
  • A payment screenshot replaces verifiable payment inside the real service.
  • You are asked to pay an insurance, upgrade, release, or verification fee.
  • The person overpays and asks you to return the difference.
  • A link claims you must sign in again to receive money.

Keep early communication inside Facebook or Messenger. Meta specifically warns that moving a conversation outside Facebook makes suspected scams harder to track. If something looks wrong, stop communicating and report the buyer, seller, listing, or conversation.

Read Facebook’s Marketplace scam guidance

A buyer knowing your phone number or email address does not automatically grant access. The danger is what happens next: a password-reset attempt, fake payment email, or request for the security code that arrives on your device.

Never use a code received from Facebook to “confirm a Marketplace payment,” “prove you are a real seller,” or “release funds.” Facebook login codes authenticate the account, not a sale.

14. Remove Unnecessary Apps, Games, and Websites

Applications, games, websites, and services connected through Facebook Login may retain permissions granted months or years earlier. A forgotten quiz, game, social dashboard, scheduling tool, or website integration can outlive the reason it was authorized.

Review connected services

  1. Open Facebook Settings.
  2. Find Apps and websites.
  3. Review active, expired, and removed connections.
  4. Remove anything you no longer use, recognize, or trust.
  5. Inspect individual permissions where available.

Review Facebook’s connected-app privacy guidance

Removing a connection stops future access according to Facebook’s current controls, but it may not delete information the developer collected previously. Contact the developer separately when you want retained data removed.

Also inspect business integrations and browser extensions

A service may not appear only as a consumer “app.” Review:

  • Meta Business integrations.
  • Advertising and analytics tools.
  • Customer-support dashboards.
  • Social scheduling platforms.
  • Browser extensions that can read or change data on Facebook.
  • Former agencies or contractors with business access.

An extension permitted to read and change data on facebook.com runs inside your logged-in pages: it can read what you see, act within your session, and send that data elsewhere, which is more than a normal Facebook-connected app can do. Remove extensions you do not actively need rather than leaving them installed but forgotten.
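The permission to "read and change data on websites" is declared in each extension's manifest as match patterns, so the review can be done mechanically rather than by eyeballing the browser's extension page. The block below is an added example for this guide, not Meta's or any browser vendor's code. It reads the fields Chromium-based browsers use (permissions in Manifest V2, host_permissions in Manifest V3, and content_scripts matches) and flags extensions whose patterns reach Facebook or other Meta domains, or every site. The three manifests are constructed samples; the Meta domain list and the set of APIs treated as risky are this example's own choices.

```python
"""Audit browser-extension manifests for access to Facebook and other Meta
sites. Chromium-based browsers grant extensions site access through match
patterns in "permissions" (Manifest V2), "host_permissions" (Manifest V3)
and content_scripts[].matches; "<all_urls>" or a "*" host means every site.
Added example for this guide, not Meta's or any browser vendor's code. The
manifests below are constructed; to audit real ones, load manifest.json from
each extension folder in your browser profile and pass it to audit_extension()."""

import json
from typing import Dict, List, Optional

META_DOMAINS = ("facebook.com", "fb.com", "instagram.com", "meta.com")          # this example's list
RISKY_APIS = {"cookies", "webRequest", "webRequestBlocking", "scripting", "declarativeNetRequest"}


def pattern_host(pattern: str) -> Optional[str]:
    """Host part of a match pattern ("*" for <all_urls>), or None for an API
    permission such as "storage" that names no host."""
    if pattern == "<all_urls>":
        return "*"
    if "://" not in pattern:
        return None
    rest = pattern.split("://", 1)[1]
    return rest.split("/", 1)[0].lower()


def covers(host_pattern: str, domain: str) -> bool:
    """True when the pattern can run on some host under `domain`.
    "*.facebook.com" and "www.facebook.com" both cover facebook.com;
    "*.com" covers it too; "*.example.org" does not."""
    if host_pattern == "*":
        return True
    wildcard = host_pattern.startswith("*.")
    base = host_pattern[2:] if wildcard else host_pattern
    if base == domain or base.endswith("." + domain):
        return True
    return wildcard and domain.endswith("." + base)


def collect_patterns(manifest: Dict) -> List[str]:
    """Every string that may carry a match pattern, across MV2 and MV3 layouts."""
    pats = list(manifest.get("permissions", []))
    pats += manifest.get("host_permissions", [])
    pats += manifest.get("optional_host_permissions", [])
    for script in manifest.get("content_scripts", []):
        pats += script.get("matches", [])
    return pats


def audit_extension(manifest: Dict) -> Dict:
    """Summarise one manifest: broad access, Meta domains reached, risky APIs."""
    hosts = [h for h in (pattern_host(p) for p in collect_patterns(manifest)) if h is not None]
    broad = "*" in hosts
    meta = sorted(d for d in META_DOMAINS if any(covers(h, d) for h in hosts))
    apis = {p for p in manifest.get("permissions", []) if pattern_host(p) is None}
    return {
        "name": manifest.get("name", "?"),
        "broad_host_access": broad,
        "meta_domains": meta,
        "risky_apis": sorted(apis & RISKY_APIS),
        "flag": broad or bool(meta),
    }


# Constructed manifests (not real extensions).
COUPON = json.loads('{"name": "Coupon Finder", "manifest_version": 3, '
                    '"permissions": ["cookies", "scripting", "storage"], "host_permissions": ["<all_urls>"]}')
DARK_MODE = json.loads('{"name": "Dark Mode for Facebook", "manifest_version": 2, '
                       '"permissions": ["*://*.facebook.com/*", "storage"], '
                       '"content_scripts": [{"matches": ["https://www.facebook.com/*"], "js": ["dark.js"]}]}')
WEATHER = json.loads('{"name": "Weather", "manifest_version": 3, '
                     '"host_permissions": ["https://api.weather.example/*"]}')

if __name__ == "__main__":
    for m in (COUPON, DARK_MODE, WEATHER):
        print(audit_extension(m))
```

An extension that combines every-site access with the cookies or scripting API is the shape session-stealing extensions take, whatever its name says; an extension scoped to facebook.com alone still deserves the question of whether you actually use it.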

15. Protect Browsers, Devices, and Logged-In Sessions

A secure Facebook configuration cannot fully protect an infected or unlocked device. Session-stealing malware may copy the session cookies and tokens saved in the browser profile, allowing an attacker to enter without being asked for the password or a two-factor code again.

Essential device protections

  • Install operating-system, browser, Facebook, and security updates promptly.
  • Use a strong screen lock and enable device encryption where supported.
  • Install applications only from official or trusted sources.
  • Remove browser extensions you no longer use.
  • Review extensions permitted to read and change data on websites.
  • Use reputable security software where appropriate.
  • Do not install cracked applications, cheats, “account tools,” or supposed Facebook-hacking software.
  • Do not grant remote-control access to an unknown support worker.
  • Enable remote location and erasure features on phones and laptops.

Signs that the device—not only Facebook—may be compromised

  • Unknown applications, extensions, or remote-access tools.
  • Unexpected administrator, accessibility, or device-management permissions.
  • Security software being disabled without your action.
  • Browser redirects or changed search settings.
  • Facebook sessions returning after you remove them.
  • Another compromise immediately after changing the password.
  • Unexplained clipboard changes, pop-ups, or login pages opening in unusual windows.

If session theft or malware is suspected, stop using the device for sensitive logins. From a clean device, secure the recovery email, terminate Facebook sessions, change credentials, and review business assets. Then scan, reset, or reinstall the affected system as appropriate.

Changing the password first on the infected device may simply hand the new password to the same attacker.

16. Protect Your Mobile Number From SIM Swapping

A SIM-swap attack occurs when a criminal persuades or tricks a mobile provider into transferring your phone number to another SIM or eSIM. The attacker may then receive SMS authentication or recovery messages intended for you.

Reduce the risk by:

  • Using a strong, unique password for the mobile-provider account.
  • Adding a carrier PIN, port-out lock, or account-change restriction where available.
  • Removing unnecessary personal information used for identity verification from public profiles.
  • Preferring a passkey, security key, or authenticator app over SMS where practical.
  • Investigating an unexplained loss of mobile service immediately.

You may also want to know how cellphone activity can be monitored without the user noticing.

If your phone suddenly loses service while nearby phones remain connected:

  1. Contact the carrier using an official number or visit a physical store.
  2. Ask whether the SIM, eSIM, or porting settings changed.
  3. Secure email, Facebook, banking, and other important accounts from a trusted device.
  4. Review recovery details and active sessions.

Loss of service can have innocent causes, but the combination of lost signal, unexpected password-reset messages, and unfamiliar Facebook activity requires immediate investigation.

17. Avoid Unsafe Shared and Public Devices

The safest approach is not to access Facebook from an internet café, hotel terminal, public kiosk, school computer, workplace device you do not control, or an untrusted borrowed computer.

Private or incognito browsing can reduce locally saved history and cookies after the window closes, but it does not protect against:

  • Keyloggers.
  • Screen-recording software.
  • Malicious browser extensions.
  • Remote administration.
  • A compromised operating system.
  • A fake login page.
  • Someone physically observing the screen.

If there is no safe alternative:

  1. Use a private-browsing window.
  2. Do not save the password.
  3. Do not create a passkey or mark the device as trusted.
  4. Do not enter recovery codes or change high-value security settings.
  5. Sign out manually when finished.
  6. Close every private window.
  7. Review active sessions from your own device afterward.

A public device is especially inappropriate for managing a Page, advertising account, payment method, or business portfolio.

18. Reduce Social-Engineering Opportunities

Attackers collect public information to make a message feel credible. They may mention a family member, workplace, Page name, current trip, birthday, recent Marketplace listing, or business partner—not because they have already hacked the account, but because those details help them persuade you.

Review the visibility of:

  • Date of birth.
  • Email addresses and phone numbers.
  • Home address and workplace.
  • Family relationships.
  • Travel plans and live location.
  • Answers that resemble account-verification questions.
  • Page administrators and agency relationships.
  • Public posts revealing which devices or services you use.

Privacy settings do not directly stop password theft, but limiting unnecessary exposure makes targeted phishing, impersonation, and mobile-carrier fraud more difficult.

Read our broader Online Fraud Prevention Guide for additional scam-prevention measures.

Do not trust a request only because it came from a friend

A friend’s account may already be compromised. Verify through another communication channel when someone asks for:

  • A login or recovery code.
  • Your phone number followed by a code.
  • Money, gift cards, cryptocurrency, or an urgent transfer.
  • A vote in a contest.
  • Help recovering their Facebook account.
  • Opening an unexpected photograph, video, archive, or document.
  • Adding them as a Page administrator or business partner.

The request may sound exactly like the person because the attacker can read older Messenger conversations and imitate their normal language.

19. Protect Facebook Pages, Ads, and Business Assets

For a business owner, the personal Facebook profile can be the key to Pages, groups, advertising accounts, pixels, catalogs, datasets, payment methods, Messenger inboxes, and Meta Business Suite. A profile takeover can therefore become a financial and operational incident rather than a private-account inconvenience.

Understand Page access before granting it

Facebook distinguishes between different levels of Page access. A person with full control can manage settings, add or remove other people, remove the owner, connect accounts, manage ads, or potentially delete the Page. Task access can be more appropriate when someone only needs to work through Meta business tools.

Review Facebook’s explanation of Page access

Use the least privilege necessary:

  • Give every worker an individual account; never share the owner’s password.
  • Require two-factor authentication for every administrator and collaborator.
  • Reserve full control for the smallest practical number of trusted people.
  • Use task or partial access when full control is unnecessary.
  • Remove former employees, agencies, freelancers, and vendors immediately.
  • Review people, partners, system users, and business portfolios regularly.
  • Maintain at least two trusted administrators where appropriate, without giving broad access to convenience accounts.

Verify business warnings inside Meta—not through the supplied link

A typical Page-targeted scam says that content violated policy and the Page will be deleted unless an appeal form is completed. The form may copy Meta branding and ask for the Facebook password, an authentication code, or a downloadable “case document.”

Instead:

  1. Open Meta Business Suite or Business Support Home independently.
  2. Check Account Status, Page Quality, support cases, notifications, and Recent Emails.
  3. Inspect the actual Page access and business-partner lists.
  4. Do not add an unknown “Meta partner” to resolve the warning.

Audit advertising and payment activity

An attacker may keep the profile looking normal while using the connected ad account. Review:

  • Active, scheduled, and recently edited campaigns.
  • Daily and account spending limits.
  • Payment methods and billing activity.
  • New advertisers, partners, agencies, or system users.
  • Pixels, catalogs, datasets, domains, and linked Instagram profiles.
  • Rules or automated campaigns that could restart spending.

If a Page was taken over, use Facebook’s official recovery route rather than paying a third-party “Page recovery expert.”

Recover a hacked Facebook Page you manage

20. Enable Advanced Protection If Available

Facebook Protect was renamed Advanced Protection. It is intended for eligible accounts that may face elevated risk and can require stronger login and account-security measures.

Availability is not universal. If Facebook invites you to enable it:

  1. Do not rely only on the email link.
  2. Open Facebook directly.
  3. Check whether Advanced Protection appears in the account’s security settings.
  4. Verify the invitation through Recent Emails.
  5. Complete the required security review.

Read Facebook’s Advanced Protection guidance

Even when Advanced Protection is enabled, continue reviewing recovery details, active sessions, business permissions, connected applications, and trusted devices.

Signs Your Facebook Account May Be Hacked

A takeover does not always begin with the password failing. Quiet changes may appear first.

Warning signs include:

  • Your password no longer works.
  • Facebook reports an email, phone number, password, passkey, or authentication change you did not make.
  • An unfamiliar authenticator app, security key, or recovery method appears.
  • Unknown devices appear under Where you’re logged in.
  • Messages, posts, comments, reactions, friend requests, or group activity appear without your action.
  • Your name, profile image, biography, or personal details change.
  • Friends receive voting links, investment offers, money requests, or recovery stories from you.
  • An unfamiliar Instagram, WhatsApp, or Meta profile appears in Accounts Center or Meta Account.
  • Unknown applications, websites, or business integrations are connected.
  • A Page gains a new administrator, partner, or person with full control.
  • You lose access to a Page while the personal profile still works.
  • Unexpected advertising campaigns, invoices, spending, or card charges appear.
  • Marketplace listings or conversations appear that you did not create.
  • You receive login, password-reset, or recovery codes you did not request.
  • Removed sessions reappear soon afterward.

One unfamiliar approximate location does not prove compromise. A combination of device, browser, time, activity, setting changes, and business events provides stronger evidence.
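The weighing described above can be written down as a simple triage rule. The following is an added example, not part of the guide and not any Meta tool or API: it scores constructed login-alert records against a hypothetical owner baseline, giving an unfamiliar approximate location little weight on its own and adding weight for an unfamiliar device or browser, an unusual hour, security-setting changes, and Page or advertising events. All device names, cities, and event labels are invented for the example.

```python
from dataclasses import dataclass, field

# Constructed baseline for the account owner (hypothetical values, not from the guide).
KNOWN_DEVICES = {"iPhone", "Windows laptop"}
KNOWN_BROWSERS = {"Facebook app", "Firefox"}
KNOWN_CITIES = {"Leeds", "Manchester"}
USUAL_HOURS = range(7, 24)  # the owner is normally active between 07:00 and 23:59

# Event categories the guide treats as strong evidence when they accompany a login.
SETTING_CHANGES = {
    "password_change", "email_added", "phone_added", "authenticator_added",
    "passkey_added", "recovery_codes_regenerated",
}
BUSINESS_EVENTS = {
    "page_admin_added", "ad_campaign_created", "spending_limit_raised",
    "payment_method_added",
}


@dataclass
class SessionEvent:
    """One login alert plus the account changes that followed it (constructed)."""
    device: str
    browser: str
    city: str                 # approximate location shown in the alert
    hour: int                 # local hour of day, 0-23
    actions: list[str] = field(default_factory=list)


def score_event(ev: SessionEvent) -> tuple[int, list[str]]:
    """Return (score, reasons). Location alone is weak; combinations add up."""
    score = 0
    reasons: list[str] = []
    if ev.city not in KNOWN_CITIES:
        score += 1                      # VPN, carrier gateway or nearby city are common
        reasons.append(f"unfamiliar location {ev.city} (weak on its own)")
    if ev.device not in KNOWN_DEVICES:
        score += 2
        reasons.append(f"unfamiliar device {ev.device}")
    if ev.browser not in KNOWN_BROWSERS:
        score += 2
        reasons.append(f"unfamiliar browser {ev.browser}")
    if ev.hour not in USUAL_HOURS:
        score += 1
        reasons.append(f"unusual hour {ev.hour:02d}:00")
    for action in ev.actions:
        if action in SETTING_CHANGES:
            score += 3                  # recovery or authentication route changed
            reasons.append(f"security setting changed: {action}")
        elif action in BUSINESS_EVENTS:
            score += 3                  # Page, ad or payment change
            reasons.append(f"business event: {action}")
    return score, reasons


def triage(ev: SessionEvent) -> str:
    """Map a score to the response the guide recommends."""
    score, _ = score_event(ev)
    if score >= 6:
        return "act"       # treat as compromise: secure email, end sessions, change password
    if score >= 3:
        return "review"    # confirm it was you; check sessions and recent changes
    return "monitor"       # probably benign; keep watching alerts


# Constructed sample alerts for the example.
SAMPLE_EVENTS = [
    SessionEvent("iPhone", "Facebook app", "Birmingham", 14),
    SessionEvent("Android phone", "Chrome", "Birmingham", 3,
                 ["email_added", "page_admin_added"]),
    SessionEvent("Windows laptop", "Firefox", "Leeds", 20, ["password_change"]),
]


def triage_all(events: list[SessionEvent]) -> list[str]:
    return [triage(ev) for ev in events]


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        score, reasons = score_event(ev)
        print(f"{triage(ev):8} score={score:2}  " + "; ".join(reasons))
```

The first sample is a known phone and app showing an unexpected city, which the rule leaves at "monitor"; the second combines an unknown device and browser at 03:00 with a new email address and a new Page administrator, which is the combination the section calls stronger evidence; the third is a password change from the owner's own laptop, worth a quick confirmation but not an emergency.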


What to Do If Your Facebook Account Is Hacked

If you can still access the account

The order matters. Do not spend ten minutes deleting spam while the attacker still controls the recovery inbox or an active session.

  1. Move to a clean, trusted device. Avoid changing credentials on a device that may contain malware.
  2. Secure the recovery email. Change its password, remove unknown sessions and forwarding rules, and review recovery details.
  3. Terminate unfamiliar Facebook sessions. Use Where you’re logged in.
  4. Change the Facebook password. Create a new unique password.
  5. Review contact information. Remove email addresses and phone numbers you do not recognize.
  6. Review authentication methods. Remove unknown authenticator apps, security keys, passkeys, or phone numbers.
  7. Configure your own strong authentication. Use an authenticator app or security key where practical.
  8. Generate new recovery codes. Store the replacement set securely.
  9. Review Meta Account or Accounts Center. Remove unfamiliar profiles and cross-account login connections.
  10. Review apps and business integrations. Remove anything suspicious or obsolete.
  11. Audit Pages and business assets. Check access, partners, system users, ads, spending limits, payment methods, and linked accounts.
  12. Pause unauthorized advertising. Preserve evidence before deleting campaigns or billing records.
  13. Warn contacts and customers. Tell them not to trust recent links, payment requests, Marketplace messages, or investment offers.
  14. Clean affected devices. Remove malware, suspicious extensions, and unknown remote-access tools; reset the system if necessary.

If you cannot access the account

  1. Use a device, browser, and internet connection previously used with Facebook where possible.
  2. Type facebook.com/hacked directly into the browser.
  3. Follow the prompts to identify and recover the account.
  4. Check the original email inbox for a legitimate Facebook message about an unauthorized email or password change.
  5. Complete Facebook’s identity-confirmation process when offered.
  6. After regaining access, perform the complete session, recovery, app, Page, and advertising audit above.

Do not pay someone on Facebook, Instagram, Telegram, WhatsApp, Reddit, or another platform who guarantees recovery or claims to bypass Meta’s ownership checks. A legitimate professional can help secure devices, preserve evidence, and guide you through the official process, but cannot promise secret access to Meta’s internal systems.

If a Page or advertising account was affected

In addition to recovering the personal profile:

  • Check who has full, partial, and task access.
  • Remove rogue people, partners, agencies, and system users.
  • Inspect recently changed Page settings and linked accounts.
  • Pause unauthorized campaigns and review automated rules.
  • Document unexpected charges and contact the payment provider when necessary.
  • Use Meta Business Support Home and the official Page-recovery process.

Preserve evidence before cleaning everything

Save:

  • Security-alert emails.
  • Dates, times, and unfamiliar session details.
  • Messages and links sent by the attacker.
  • Changed Page-access and business-partner records.
  • Advertising campaign IDs, invoices, and payment charges.
  • Marketplace listings and conversations.
  • Transaction identifiers.
  • Relevant screenshots.

Evidence can support payment disputes, business investigations, platform support cases, insurance claims, or law-enforcement reports.

Facebook Security Checklist

  • Create a Facebook passkey on a private trusted device when available.
  • Use a unique password stored in a reputable password manager.
  • Enable two-factor authentication with an authenticator app or security key.
  • Save all recovery codes securely away from the authentication phone.
  • Protect the recovery email with a different password and strong authentication.
  • Review email addresses and mobile numbers connected to Facebook.
  • Review Meta Account or Accounts Center for unfamiliar profiles and login connections.
  • Run Security Checkup after important account or device changes.
  • Enable alerts for unrecognized logins.
  • Review active sessions regularly and terminate unfamiliar ones.
  • Verify urgent messages through Recent Emails or Business Support Home.
  • Never send a password, authentication code, recovery code, or login approval to support.
  • Verify unusual Messenger requests through another channel.
  • Keep Marketplace conversations inside Facebook or Messenger when possible.
  • Never use a Facebook security code to “confirm” a Marketplace payment.
  • Remove old apps, games, websites, integrations, and browser extensions.
  • Keep phones, computers, browsers, and Facebook updated.
  • Protect the carrier account with a PIN or port-out lock.
  • Avoid sensitive account management on public or shared computers.
  • Minimize public personal information that supports targeted scams.
  • Give Page users only the access they need.
  • Require two-factor authentication for Page and business administrators.
  • Remove former employees, agencies, contractors, and partners promptly.
  • Review ad campaigns, spending limits, payment methods, and business assets.
  • Know how to reach facebook.com/hacked before an emergency.

Frequently Asked Questions

Why might the Facebook passkey option be missing?

Passkeys may not yet be available for every account, device, or region. Facebook currently supports them on mobile devices, and Meta’s transition from Accounts Center to Meta Account is gradual. Keep the app and operating system updated, but do not install a third-party application promising to “add Facebook passkeys.”

Is a Facebook passkey better than a password?

A passkey is more resistant to password guessing, password reuse, and conventional phishing because it is associated with the legitimate service and verified through the device. It does not remove the need to secure fallback passwords, recovery channels, active sessions, connected accounts, and the device itself.

Should I use a passkey and two-factor authentication together?

Yes, when Facebook and your devices allow it. A passkey strengthens primary login, while two-factor authentication, recovery codes, and a secure email provide additional protection and alternative recovery routes.

Can Facebook still be hacked when two-factor authentication is enabled?

Yes. Two-factor authentication substantially improves security, but an attacker may steal an active session, compromise the recovery email, trick the owner into sharing a code, access an unlocked device, abuse a connected application, or compromise a Page administrator.

Is an authenticator app safer than SMS?

An authenticator app is generally less exposed to SIM swapping because its codes are generated on the device rather than delivered to the phone number. SMS remains better than password-only access when stronger methods are not practical.

What happens if I lose the phone containing my authenticator app?

Use a Facebook recovery code, another configured authentication method, a trusted logged-in device, or Facebook’s official account-recovery process. Prepare before losing the phone by saving recovery codes and understanding whether the authenticator data is backed up.

How many Facebook recovery codes are provided?

Facebook currently provides ten single-use recovery codes. Generating a new set invalidates the previous set.

I received a Facebook code that I did not request. Am I already hacked?

Not necessarily. Someone may have entered your email address or phone number during a login or recovery attempt. Do not share the code. Review Recent Emails, active sessions, recovery information, authentication methods, and Page or business activity. Change the password if other suspicious signs appear.

What should I do if Facebook asks for an authenticator code I never configured?

Treat it as a possible compromise. Try recovery from a familiar device, visit facebook.com/hacked, and follow the official prompts. Do not pay someone who claims to remove the unknown authentication method manually.

Why does Facebook show a login location where I have never been?

The location is estimated from network information and may reflect an internet-provider gateway, mobile carrier, VPN server, or nearby city. Compare the device, browser, date, time, and account activity instead of relying only on the city.

Is an email from facebookmail.com always safe?

facebookmail.com is an official Meta email-domain family, but a visible sender should not be your only test. Verify sensitive messages through Facebook’s Recent Emails area and open the claimed account issue directly inside Facebook.
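To show why the visible sender is not enough, here is an added example that is not part of the guide: it parses a From header with Python's standard email.utils, separates the display name from the actual address, and checks whether the actual domain is facebookmail.com or a subdomain of it. The sample headers are constructed for the example; the "example" and "example.net" domains are placeholders. Even when the domain matches, the guide's advice still applies: open the claimed issue inside Facebook and check Recent Emails.

```python
from email.utils import parseaddr

# Official domain family named in the guide; anything else is treated as unverified.
OFFICIAL_DOMAINS = {"facebookmail.com"}


def sender_domain(address: str) -> str:
    """Return the lower-cased domain of a bare address, or '' if there is none."""
    if "@" not in address:
        return ""
    return address.rsplit("@", 1)[1].lower().rstrip(".")


def is_official_domain(domain: str) -> bool:
    """Exact match or subdomain only; 'facebookmail.com.example' must not pass."""
    return any(domain == d or domain.endswith("." + d) for d in OFFICIAL_DOMAINS)


def assess_sender(from_header: str) -> dict:
    """Split display name from address and judge the real domain, not the label."""
    display, address = parseaddr(from_header)
    domain = sender_domain(address)
    official = is_official_domain(domain)
    # A display name that quotes an official domain while the real domain differs
    # is the pattern the guide warns about: the label is chosen by the sender.
    display_impersonation = (
        not official
        and any(d in display.lower() for d in OFFICIAL_DOMAINS)
    )
    return {
        "display": display,
        "address": address,
        "domain": domain,
        "official_domain": official,
        "display_impersonation": display_impersonation,
    }


# Constructed sample headers (placeholders, not real messages).
SAMPLE_HEADERS = [
    'Facebook <security@facebookmail.com>',
    'Facebook Security <security@facebookmail.com.example>',
    '"security@facebookmail.com" <support@example.net>',
    'Facebook <notification@facebook-mail.example>',
]


def official_flags(headers: list[str]) -> list[bool]:
    return [assess_sender(h)["official_domain"] for h in headers]


if __name__ == "__main__":
    for h in SAMPLE_HEADERS:
        r = assess_sender(h)
        verdict = "domain matches official family" if r["official_domain"] else "unverified domain"
        if r["display_impersonation"]:
            verdict += " (display name imitates an official address)"
        print(f"{h!r}: {verdict}")
```

Only the first header has a real address in the official family; the second appends extra labels after the official domain, the third puts an official-looking address in the display name while the real address is elsewhere, and the fourth uses a similar-looking domain. A mail client typically shows just the display name, which is why the check must look at the address itself.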

Will Facebook ever ask for my password by email?

Facebook states that it will not request your password by email or send your password as an attachment. Treat such a request as phishing.

Can a Facebook employee ask me for a two-factor or recovery code?

A legitimate support process should not require you to send a private authentication or recovery code through email, Messenger, WhatsApp, Telegram, a comment, or another chat service.

Does changing my Facebook password log every attacker out?

Do not rely on the password change alone. Explicitly review Where you’re logged in and terminate unfamiliar sessions. Secure the recovery email, remove unknown authentication methods, inspect connected apps and Meta profiles, audit business assets, and clean compromised devices.

How often should I change my Facebook password?

Change it when it is weak, reused, exposed, shared, entered into a suspicious page, or connected with signs of compromise. A long unique password does not need arbitrary frequent changes that produce predictable variations.

Can someone hack my account by sending a friend request?

A friend request alone does not provide login access. A fake profile can still use the connection to send phishing links, collect personal information, impersonate support, or build trust for a later scam.

Can opening a Messenger message hack Facebook?

Reading ordinary text does not normally provide account access. Risk increases when you open an external link, download a file, install an application or extension, approve a login, enter credentials into a fake page, or disclose a security code.

Can a hacked friend’s Messenger account endanger mine?

Yes, through social engineering rather than automatic access. The attacker may read older conversations, imitate your friend’s writing style, and send a convincing link or money request. Verify unusual requests through another channel.

Can a Marketplace buyer hack me using only my phone number?

A phone number alone is not normally enough to access Facebook. It can be used for password-reset attempts, targeted phishing, or a scam in which the buyer asks you to send back a code. Never share a Facebook login or recovery code to confirm a sale.

Why should Marketplace conversations remain in Facebook or Messenger?

Keeping communication on the platform preserves context and makes suspicious activity easier to report. Meta warns that moving early conversations to email, text, WhatsApp, or another service can make scams harder to track.

Does incognito mode protect Facebook from hackers?

No. Incognito mode mainly limits local history and cookies after the window closes. It does not stop phishing, keyloggers, malicious extensions, screen recording, remote administration, or a compromised operating system.

Can antivirus prevent Facebook phishing or session theft?

Security software can block some known malicious websites, files, and malware, but it cannot guarantee protection when a user willingly enters credentials into a convincing page or sends a code to a scammer. Technical protection and careful verification are both necessary.

Should I remove my phone number from Facebook?

A phone number can support recovery and login alerts, but it also depends on mobile-provider security. Keep only numbers you control, restrict unnecessary visibility, protect the carrier account, and maintain a secure email recovery route.

Can a connected Instagram or Meta profile create additional risk?

Yes. Connected profiles, shared contact information, and cross-account login options can create additional recovery or impersonation routes. Review every profile in Accounts Center or Meta Account and secure each one.

Does removing a connected Facebook app delete all data held by the company?

Not necessarily. Removing access stops the connection according to Facebook’s current platform controls, but the developer may retain information collected previously. Contact the developer to request deletion where appropriate.

How do I protect a Facebook Page from being stolen?

Require two-factor authentication, give each person an individual account, reserve full control for a small number of trusted people, use task or partial access where possible, remove former workers promptly, verify business invitations, and review Page access, ads, partners, and payment methods regularly.

What should I do if an unknown person has full control of my Page?

Remove the person immediately if you still have authority, review every other access level and business partner, secure the personal profiles of legitimate administrators, inspect ads and payment methods, and use Facebook’s official hacked-Page recovery process if you were removed.

What is Facebook Advanced Protection?

Advanced Protection is the newer name for Facebook Protect. It applies stronger security requirements to selected accounts that may face elevated risk. It is not available to every user.

Can a “recovery hacker” restore my Facebook account?

A legitimate cybersecurity professional may help inspect devices, remove malware, preserve evidence, secure email, and guide you through Meta’s official process. A third party cannot legitimately guarantee restoration or secretly bypass Meta’s ownership verification.

What is the official Facebook hacked-account address?

Type facebook.com/hacked directly into the browser. Where possible, use a device, browser, and internet connection previously associated with the account.

Final Verdict

The strongest Facebook protection is layered. A passkey and unique password protect the main login; two-factor authentication and recovery codes make a stolen password less useful; a secure email prevents the recovery route from becoming the weakest point; session reviews expose access that already exists; and careful Page, Marketplace, Messenger, and business controls protect the parts of Facebook that generic security advice often ignores.

The most important habit is verification through a separate route. When a message threatens to delete a Page, a Marketplace buyer sends a payment link, or a friend asks for a code, do not continue inside the story created by the sender. Open Facebook yourself, check Recent Emails, Security Checkup, Account Status, Business Support Home, active sessions, or Page access, and confirm what is actually happening.

For personal users, this approach protects private messages, identity, photographs, and contacts. For Page owners and advertisers, it also protects customer conversations, ad budgets, payment methods, business relationships, and brand reputation.

To secure the connected Instagram side with the same depth, read our Instagram Hacking Protection Guide.

If you also own a website, hosting plan, or domain, see our guide on how to protect a website from hackers.

Thanks for reading!