Facebook Account Hacked & Email Changed: The 2026 Recovery Guide (Get Back In + Secure Your Ads)

If your Facebook account was hacked and the attacker changed your email (often password + 2FA too), you’re on the clock—especially if you manage Business Pages or ad accounts.

Meta doesn’t have a direct phone support line for most users, so following these official digital paths is your only reliable way back. Anyone offering a “Facebook Support” phone number is usually a scam—don’t call, don’t pay, don’t share codes.

Most cases come from:

  • Phishing / password reuse

  • Cookie hijacking (session theft) that keeps the attacker logged in even after resets

  • Recovery blockers like the 2FA infinite loop or “no access to email/phone”

Quick Checklist (do this in the next 5 minutes)

  • Go to facebook.com/hacked on a device you’ve used before.

  • Click “My account is compromised” (wording may vary slightly).

  • If you can’t access your email/phone, use the official no-access recovery path.

  • If you’re stuck in 2FA, use Meta’s 2FA troubleshooting steps (don’t brute-force codes).

  • If you run ads: prepare to report unrecognized ad activity right after you regain access.

Step 0: Diagnosis (jump to the right step)

Find your situation and go straight to the step.

  • You can still log in (even briefly)Go to 1, then 6

  • Email was replaced / password changedGo to 2, then 3

  • No access to email or phoneGo to 3

  • Stuck in a 2FA loopGo to 4

  • You manage Pages / Ads / payment methods → after recovery, Go to 8

1) Stop the attacker from re-entering (device + browser hygiene)

Do this

  • Update your browser, run a quick malware scan, and close any suspicious “Meta support” tabs you opened from DMs/emails.

Why it works
If the attacker still has a stolen session (cookie hijacking) or your device is compromised, password resets can get stolen immediately.

Watch out / Next
Now start the official recovery flow (2).

2) Use facebook.com/hacked (the correct entry point)

Do this

Why it works
This flow is designed for takeovers and routes you based on device history + risk signals, not just “Forgot password.”

Watch out / Next
If the attacker replaced your contact info, go to 3.

3) No access to the email/phone? Use Meta’s “no access” + ID verification path

Do this

  • Follow Meta’s official steps for when you can’t access the email address or mobile number on the account.

Optional but common: ID upload
Access Meta’s Identity Verification Help Center
[Source: Upload an ID to Facebook]

ID review time (what to expect)
Meta indicates ID review may take up to ~48 hours (and sometimes longer in busy periods).

Pro tip (reduces rejection)
Take the photo in natural light, avoid glare, fill the frame with the ID, and make sure all corners/text are readable.

Watch out / Next
If you hit a 2FA wall or endless code loop, go to 4.

4) The 2FA infinite loop fix (don’t keep guessing codes)

Do this

  • Use Meta’s official 2FA troubleshooting steps.

  • Confirm your phone’s date/time is automatic (time drift breaks authenticator codes more than people realize).

Why it works
When you’re routed into the wrong verification method (or you lost authenticator access), repeated attempts often make things worse.


👉 [VPN/Teams/Outlook keeps failing to sign in at home or at work — fix it in 10 minutes by correcting Windows time (Windows 10/11)]

5) Remove “backdoors” (connected apps + persistent sessions)

Do this

  • After you regain any access, remove unknown devices/sessions and connected apps.

Why it works
Attackers often keep persistence via a logged-in session or a connected app that can re-authorize access.

Watch out / Next
Now lock the attacker out for good (6).

6) Change password + force logout everywhere (the order matters)

Do this

  • Change your password to a unique one.

  • Log out of other sessions/devices.

Why it works
This is what ends an active takeover: new credentials + session eviction.

Watch out / Next
Re-enable 2FA safely (7).

7) Re-enable 2FA safely (and don’t lock yourself out)

Do this

  • Enable 2FA again (authenticator app or security key).

  • Save backup/recovery codes offline.

Why it works
2FA dramatically reduces repeat takeovers—if you keep a recovery path you control.

8) Business protection: secure Pages + Ads (stop the financial damage)

Do this (in order)

  • Remove unknown Page roles/admins immediately.

  • Audit ad accounts/payment methods for unrecognized spend, admins, or billing changes.

  • Report unrecognized ad activity through Meta’s Business Help flow:

Report Unauthorized Ad Account Activity to Meta Business Support
[Source: Troubleshoot Unrecognized Activity on Your Ad Account]

Why it works
For businesses, the hack rarely stops at the profile. Page access and ad accounts are the monetization targets.

Mid-guide trust note (important)

Note: We are not Meta support. This guide is based on official Meta recovery documentation and the standard security steps businesses use during account takeovers. l changed” alert vs scam

Safe rule: even if an email looks real, don’t click it. Type facebook.com/hacked directly.

Red flags it’s a scam

  • “Call this number now” urgency + payment requests

  • Link goes to a non-facebook/meta domain

  • Misspelled sender domain / weird attachments

FAQ

If my email was changed, can I still recover my account?
Often yes. Start at facebook.com/hacked, then use the no-access recovery path if you can’t receive codes.

How long does ID verification take?
Meta indicates it may take up to ~48 hours (sometimes longer depending on volume).

Why does the 2FA loop happen?
Time drift, lost authenticator access, or being routed into the wrong verification method. Use Meta’s official 2FA troubleshooting steps instead of brute-forcing.

I run ads—what should I do first after I’m back in?
Lock down Page roles/admins and report any unrecognized ad activity immediately through Meta Business Help.

Key Takeaways

[Tech Troubleshooting] Category