It’s that cold, sinking feeling in your chest. You try to log in, but your password doesn't work. You check your email and see a notification from Meta saying your primary email address was changed to something ending in .ru or some gibberish string of letters. Your friends start texting you, asking why you’re suddenly posting about crypto scams or Ray-Ban sales on your timeline. You're locked out. Panic sets in. Knowing what to do if your Facebook account is hacked isn't just a technical question; it's an emergency, because your digital identity, your photos, and maybe even your business pages are currently in the hands of a stranger.
Stop. Breathe.
The clock is ticking, but frantic clicking makes it worse. Facebook’s recovery systems are notoriously difficult to navigate, often feeling like a circular maze designed to keep you trapped in a loop of "Identify this photo" or "Enter code" prompts that never arrive. But there are specific, documented paths to take.
The First Five Minutes: The Emergency Recovery Link
Most people don't know that Facebook has a "hidden" back door for exactly this situation. If the hacker changed your email, Facebook sends a notification to your old email address. That email contains a special link that says something along the lines of "If you didn't do this, secure your account here." Do not ignore this email. This link is often the only way to bypass the new security settings the hacker just put in place. It’s a one-time-use digital key.
If you can't find that email, your next stop is the official portal: facebook.com/hacked.
This isn't just a help page; it's a specific workflow. You'll be asked to enter your phone number or the email address associated with the account. Even if the hacker changed them, try entering your old ones. Facebook’s internal database keeps a history of your previous credentials for a short window of time specifically for recovery. Honestly, if you wait three days, this window might close. Speed is everything.
Why the "Hacked" Portal Fails and What to Do
Sometimes the portal just loops you back to the login screen. It’s infuriating. This usually happens because the hacker enabled Two-Factor Authentication (2FA) using their own device. Now, Facebook wants a code from an app you don't have.
When you hit the 2FA wall, look for an option that says "Having trouble?" or "Try another way." Eventually, you should see an option to upload a photo of your ID. This is the manual review process. You'll need a clear photo of your driver’s license or passport. A real human (or a very sophisticated AI auditor at Meta) will compare your ID name and photo against the photos on your profile. This takes 24 to 72 hours. It’s slow. It’s annoying. It works.
Understanding the "Session Hijacking" Nightmare
Ever wonder how they got in if you have a "strong" password? It’s probably not a brute-force guess. Most modern Facebook hacks happen through Session Hijacking or Cookie Theft.
You might have downloaded a "free" game or a "cracked" piece of software. That software contained a piece of malware called an Infostealer. Instead of stealing your password, it steals the "session cookie" from your browser. This cookie tells Facebook, "Hey, I've already logged in, don't ask for a password." The hacker simply imports that cookie into their browser, and boom—they are you. They don't even need your 2FA code because the cookie says the session is already authenticated.
Dealing with the Business Manager Fallout
If you run a business page, a hacked personal account is a catastrophe. Hackers love targeting people with attached credit cards. They will immediately run thousands of dollars in "Lead Gen" ads for their own scams.
- Call your bank immediately. Tell them to block all charges from "Meta" or "Facebook Ads."
- If a coworker who is also an admin still has access to their own account, have them remove your hacked personal profile from the Business Manager.
- Meta’s "Ad Support" chat is sometimes more responsive than their "User Support" because money is involved. If you can get into a secondary business account, use the commerce support chat.
The Role of Trusted Contacts (And Why You Can't Find It)
You might see old articles online telling you to use "Trusted Contacts." Here is the reality: Facebook deprecated the Trusted Contacts feature in 2022. You can no longer ask three friends to get codes for you. If you’re looking for that setting, stop searching. It’s gone.
Instead, Meta has moved toward an "Identity Confirmation" model. They want to see your face via a video selfie or a government ID. They are trying to move away from social-based recovery because hackers were actually using the "Trusted Contacts" feature to social-engineer their way into accounts.
Beyond the Recovery: Cleaning the Digital House
Once you get back in—and you likely will if you are persistent with the ID upload—the work isn't done. A common mistake is changing the password and logging out. That's not enough.
Go to your Security and Login settings. Look for the section "Where You're Logged In." See that list of devices? Hit "Log Out Of All Sessions." All of them. Even your own phone. This kills the hacker’s active session.
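To see why a copied session cookie sidesteps 2FA, and why changing the password alone does not evict the intruder, here is a toy model added as an illustration; it is not Facebook's code. The ToySite class, its method names and the fixed one-time code are made up for the example, and leaving sessions alive after a password change is an assumption of the model.

```python
import secrets

class ToySite:
    """Constructed model: password + 2FA at login, cookie sessions afterwards."""

    def __init__(self, password, otp):
        self.password, self.otp = password, otp   # fixed OTP is a simplification
        self.sessions = set()                     # cookies the server accepts

    def login(self, password, otp):
        # Both factors are checked here, and only here.
        if password != self.password or otp != self.otp:
            return None
        cookie = secrets.token_hex(16)
        self.sessions.add(cookie)
        return cookie

    def request(self, cookie):
        # Every later request is authorised by the cookie alone.
        return cookie in self.sessions

    def change_password(self, cookie, new_password):
        if not self.request(cookie):
            return False
        self.password = new_password   # assumption: existing sessions stay valid
        return True

    def log_out_all_sessions(self, cookie):
        if not self.request(cookie):
            return False
        self.sessions.clear()          # every cookie, including your own, dies
        return True

def demo():
    site = ToySite(password="old-pass", otp="123456")   # constructed values
    owner_cookie = site.login("old-pass", "123456")
    copied_cookie = owner_cookie       # the value an infostealer copies out
    results = {"copy_works_without_2fa": site.request(copied_cookie)}
    site.change_password(owner_cookie, "new-pass")
    results["copy_works_after_password_change"] = site.request(copied_cookie)
    site.log_out_all_sessions(owner_cookie)
    results["copy_works_after_logout_all"] = site.request(copied_cookie)
    results["owner_must_log_in_again"] = not site.request(owner_cookie)
    return results

if __name__ == "__main__":
    for step, outcome in demo().items():
        print(f"{step}: {outcome}")
```
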
Next, check your Linked Accounts. Hackers often link their Instagram or a random Oculus/Meta Quest account to yours. If you don't unbind those, they can use the "Login with Instagram" feature to jump right back into your Facebook account five minutes after you "fixed" it. It's a revolving door. You have to lock every single entrance.
Audit Your Apps and Websites
Navigate to "Apps and Websites" in your settings. You'll likely see dozens of things you signed into years ago—random quizzes, old games, Tinder, Spotify. Delete anything you don't recognize or use. These are potential vulnerabilities. While you're there, check your "Contact Information" one more time. Hackers often add a secondary email address that you won't notice unless you look closely. They’ll wait a month, then use that email to "reset" the password again.
Why 2FA Isn't Bulletproof (But You Still Need It)
You've probably heard that SMS-based Two-Factor Authentication is "bad." It's not bad, it's just "okay." If a hacker does a SIM swap on your phone number, they get your codes.
The gold standard is an Authentication App like Google Authenticator or Authy. Or better yet, a physical security key like a YubiKey. If you’re a high-profile target or an admin of a large group, a physical key is basically the only way to sleep soundly. Facebook supports these now. Use them.
What to Do If Meta Won't Help
Sometimes, the automated systems fail. You upload your ID, and you get an automated "We couldn't verify you" email. It's soul-crushing.
In some regions, specifically the EU and certain US states, you have data privacy rights. If you are a resident of California, you can technically file a request under the CCPA regarding access to your data. Some users have had success getting a human response by filing a complaint with their State Attorney General’s office, specifically the consumer protection division. It sounds extreme, but for business owners losing thousands in revenue, it’s a valid path.
Another (though controversial) method is the "Meta Verified" route. Some people have paid for a subscription on a new account just to get access to the "Enhanced Support" chat, which they then use to plead the case for their old account. It’s a "pay-to-play" support model that many find distasteful, but when your memories are on the line, $15 might be worth the live chat agent.
Moving Forward and Protecting Your Digital Life
The aftermath of a hack is a mix of violation and chores. You have to tell your family you weren't actually asking for money via Zelle. You have to check your other accounts—if you used that same password for Netflix or your bank, change them now. Most hackers use "Credential Stuffing," where they take your Facebook password and try it on 500 other websites.
Actionable Next Steps
- Immediately check your primary email for a "Change of Email" notification from Facebook and click the "Secure Account" link.
- Go to facebook.com/hacked and follow the prompts, even if they seem repetitive.
- Prepare a high-quality, glare-free photo of your Government ID; you will likely need it for the manual bypass.
- Once recovered, remove all Recognized Devices and Linked Accounts that aren't yours.
- Switch from SMS 2FA to an Authenticator App to prevent SIM-swapping attacks.
- Download your Information Summary (a backup of your data) once you regain access, so you never lose your photos again if this happens a second time.
Getting hacked is a nightmare, but it’s usually a recoverable one. The key is persistence. Meta's support is a machine, and you have to keep feeding it the right inputs until the gears turn in your favor.