My Facebook Was Hacked: How to Recover & Protect It in 2026

Updated on Oct 17, 2025 by Shauli Zacks

Your Facebook account holds personal information, private conversations, and even access to other apps and services. So when it gets hacked, it can be a major invasion of your privacy. Cybercriminals can steal your data, run Facebook ads with your credit if it’s linked to your account, and potentially gain access to your off-Facebook activity, like your browsing habits, purchases, and app usage.

If you’re noticing strange activity on your Facebook account, it might be a hacker – or just someone close to you, like a spouse, using your account. In this guide, we’ll show you how to identify a hack, what to do if your account has been compromised, and provide tips to help protect your account from a Facebook breach (before or after a hack!).

How to Tell If Your Facebook Account Has Been Hacked

It’s not uncommon for people to mistakenly claim their Facebook account was hacked. More often than not, they’re referring to someone impersonating them by using the same profile picture and sending friend requests to their contacts.

If an account truly is hacked, it will usually be obvious. You might see a post you didn’t write, asking all your friends to send you money via a link that doesn’t lead to your account.

However, other times, hackers are more subtle. Maybe you’re suddenly logged out of your account for no reason, or you notice that some messages have been read even though you haven’t opened them.

If the hacker kicked you out of your account and you can no longer access it, you’ll need to follow the steps to recover your Facebook account.

Here’s a simple way to check if someone else has been logging into your account: 

  1. Log into your Facebook account and click on your account icon in the top right corner of the page.
     Facebook homepage with the user’s profile menu open on the right side, showing options like "Settings & privacy," "Help & support," "Display & accessibility," "Give feedback," and "Log Out."
  2. Select Settings & Privacy.
     Facebook homepage with the user’s profile menu open on the right side, showing the "Settings & privacy" option highlighted.
  3. Click Settings.
     Facebook homepage with the user’s profile Settings & privacy menu open and the "Settings" option highlighted.
  4. On the left-hand side is the Meta Accounts Center. Open the Password and Security section.
     Facebook's Settings & privacy section, showing the Meta Accounts Center on the left-side menu with the "Password and security" option highlighted.
  5. Click on the Password and Security option and then open the Where you’re logged in section.
     The password and security section in Meta Accounts Center, with the "Where you're logged in" option highlighted.
  6. From the list of all your Meta-run social media accounts, select Facebook.
     The "Where you're logged in" Facebook security page, listing a highlighted Facebook and an Instagram profile with associated devices.
  7. Here, you can see all your login activity, including the location and device. If you see something that you don’t recognize, it means that someone else was able to log in to your account.
     Facebook account login activity page, showing your current login device and all other login devices.

    What to Do If Your Facebook Account Was Hacked

    Once you’ve confirmed that someone hacked your Facebook account, you need to take back control.

    The first thing to do is sign out of every device other than the one you’re using. This is done from the Where you’re logged in section. Scroll to the bottom of the list, and you’ll see a link to Select Devices to Log Out. When you click it, you can remove any device. Otherwise, even when you change your password, the hacker will still be logged in. 

    Facebook Login activity screen showing a list of devices signed in, with a "Select devices to log out" button at the bottom highlighted.
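Why signing out other devices matters alongside the password change, shown as an added example that is not part of the original article and is not Meta's code. The `Account` class is a constructed model of a service where a session token stays valid until it is explicitly revoked; all names and values are hypothetical.

```python
import secrets
from dataclasses import dataclass, field


@dataclass
class Account:
    # Plaintext only to keep the model short; real services store a password hash.
    password: str
    # session token -> device label (constructed model, not Facebook's design)
    sessions: dict = field(default_factory=dict)

    def login(self, password: str, device: str):
        """Issue a session token if the password matches, else return None."""
        if not secrets.compare_digest(password, self.password):
            return None
        token = secrets.token_urlsafe(16)
        self.sessions[token] = device
        return token

    def is_valid(self, token: str) -> bool:
        """A session is checked by token only; the password is not consulted."""
        return token in self.sessions

    def change_password(self, current_token, new_password, revoke_others=False):
        """Change the password; optionally sign out every other device."""
        if not self.is_valid(current_token):
            raise PermissionError("not logged in")
        self.password = new_password
        if revoke_others:
            self.sessions = {current_token: self.sessions[current_token]}


def demo(revoke_others: bool) -> dict:
    """Report who still has access after the owner changes the password."""
    acct = Account(password="old-password")  # constructed sample values
    owner = acct.login("old-password", "owner laptop")
    intruder = acct.login("old-password", "unknown device")  # stolen password
    acct.change_password(owner, "new-long-unique-password", revoke_others)
    return {
        "owner_session": acct.is_valid(owner),
        "intruder_session": acct.is_valid(intruder),
        "intruder_can_log_in_again":
            acct.login("old-password", "unknown device") is not None,
    }


if __name__ == "__main__":
    print("password change only:    ", demo(revoke_others=False))
    print("change + sign out others:", demo(revoke_others=True))
```

In this model the password change alone blocks new logins with the stolen password, but the intruder's existing session keeps working until the other devices are signed out.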

    Next, you need to change your password to prevent the hacker from simply logging back in. We recommend creating a very strong password so it’s not susceptible to brute force attacks.

    Go back to the Password and Security section, and under Login & Recovery, click Change Password. 

    The Password and security tab in the Meta Accounts Center showing the "Change password" option highlighted.

    Facebook will send a link to your email with a code. Click on the link, and you’ll have to provide your old password and answer the security questions. Then, enter your new password to secure your account. 

    How to Recover Your Facebook Account

    If you can no longer access your Facebook account, there are a couple of things you need to do — depending on what the hacker changed.

    Hacker Changed Your Password

    If all the hacker did was change your password, you’re in luck. Follow these two simple steps:

    1. Go to the Facebook login page and click Forgot Password.
       Facebook login page with fields to enter email or phone number and password, with the option for "Forgotten password?" highlighted.
    2. Facebook will email you a 6-digit code. Enter it in the provided space and then reset your password.
       Facebook's Enter security code pop-up with a field to enter a code and a blurred email account to which the code was sent.

    Hacker Changed Your Email Address

    However, if the hacker changed your email address, the process is more complex and time-consuming. The first step is to go to https://www.facebook.com/hacked where you can confirm your identity and see if Meta can do anything for you.

    Facebook's hacked page that shows a list of potential scenarios in which the user's account was compromised.

    Facebook will first try to identify your account using whatever info you remember: your name, an old email, or phone number. 

    Even if the hacker changed the email, you can enter the old email address or phone number that was originally tied to the account, even if you no longer use it, because it can help Facebook identify you.

    If you’ve set up trusted contacts before (people you’ve chosen to help recover your account in case of emergencies), Facebook will give you the option to use them for recovery.

    If that doesn’t work, Facebook may ask you to upload a photo ID or submit a video selfie so it can confirm you’re the real owner. Once your identity is confirmed, Facebook will contact you with further instructions.

    It can be a slow process and there’s no guarantee Facebook will give you back your account — but it’s the only option when everything else has been taken over.

    Expert Tip: Let everyone know you were hacked. It’s nothing to be ashamed of. Ask your family, partner, children, and friends to write a post, tagging your hacked account, saying you were hacked and to ignore all posts from your account. While it won’t get you your account back, hopefully your contacts will see it and avoid getting scammed by the person running your account.

    How to Secure Your Facebook Account to Prevent Hacks

    An infographic showing 4 ways to secure your Facebook account to prevent unauthorized access and hacks.

    Whether you’ve just recovered your account or want to make sure this never happens to you in the first place, the next step is to secure your Facebook account so it doesn’t happen again. Here are some key steps to protect your account and keep cybercriminals out:

    Enable Multi-Factor Authentication 

    Two-factor authentication (2FA) adds an extra layer of protection by requiring a special code to be sent to your phone, email, or an authentication app every time you log in. Even if someone steals your password, they won’t be able to access your account without this code. Just follow these steps:

    1. Go to Settings & Privacy.
       Facebook homepage with the user’s profile menu open on the right side, showing the "Settings & privacy" option highlighted.
    2. Select Settings.
       Facebook homepage with the user’s profile Settings & privacy menu open and the "Settings" option highlighted.
    3. Click Password and Security.
       Facebook's Settings & privacy section, showing the Meta Accounts Center on the left-side menu with the "Password and security" option highlighted.
    4. Click Two-Factor Authentication to turn it on.
       The password and security section in Meta Accounts Center, with the "Two-factor authentication" option highlighted.

    Use a Secure Password

    Avoid passwords based on birthdays, pet names, or favorite songs. They are easy to guess, especially on Facebook, where people give away this kind of information with viral trends or memes all the time. Best practice is to use a long, unique password with a mix of letters, numbers, and symbols. It’s also really important not to reuse passwords across multiple accounts. Try using a password manager to store your passwords and log you in securely without having to remember complex strings of characters.

    Be Careful with Third-Party Apps

    Many hacks happen because users unknowingly give access to suspicious third-party apps. To review the apps connected to your Facebook account, follow these steps:

    1. Open the Settings & Privacy menu.

    Facebook homepage with the user’s profile menu open on the right side, showing the "Settings & privacy" option highlighted.

    2.  Select the Settings option.

    Facebook homepage with the user’s profile Settings & privacy menu open and the "Settings" option highlighted.

    3. Scroll down the menu bar and select Apps and Websites.

    Facebook's Settings & privacy section, showing the Activity log on the left-side menu with the "App and websites" option highlighted.

    4.  Remove access to any app or service you no longer use or don’t recognize.

    Facebook Settings & privacy page under Apps and websites, showing a list of connected apps. Each app has options on the right to "View and Edit" or "Remove" that are highlighted.

    Secure Other Meta-Owned Platforms

    If you use Instagram, WhatsApp, Threads, or other Meta-owned platforms, apply the same security steps there. Enable 2FA, use strong passwords, and regularly check which apps and devices have access. A weak point on one platform can put your entire Meta account ecosystem at risk.

    What Is Off-Facebook Activity?

    Even if you’re careful about what you post or like on Facebook, Meta still tracks you in ways you might not expect. Off-Facebook Activity, or what’s now called Off-Meta, is the data Facebook and other Meta platforms collect about you from external websites and apps.

    For example, if you make an online purchase, play a game, or use a fitness app that shares data with Meta, that activity gets linked to your Facebook account. This information helps Facebook target ads, recommend content, and build a detailed profile about you.

    How to Turn Off Off-Facebook Activity

    Facebook does let you turn this off, and once you do, it’ll no longer track your interactions with other websites and apps for that account.

    1. Go to Settings & Privacy.
       Facebook homepage with the user’s profile menu open on the right side, showing the "Settings & privacy" option highlighted.
    2. Open the Settings menu.
       Facebook homepage with the user’s profile Settings & privacy menu open and the "Settings" option highlighted.
    3. In the Meta Accounts Center, click See More in Accounts Center.
       Facebook Settings & privacy page under Apps and websites. On the left, the Meta Accounts Center menu is shown, with the highlighted "See more in Accounts Center" option.
    4. Click Your Information and Permissions.
       The Facebook Account settings under the Meta Accounts Center, with the option "your information and permissions" highlighted.
    5. Select Your Activity Off Meta Technologies.
       The Meta Accounts Center with a "Your activity off Meta technologies" pop-up, showing options to manage or clear activity data shared with Meta.

    Here, you can review and disconnect specific activities, clear all past activity, and manage how future activity is handled. If you want to prevent third-party sites from sharing your data with Meta going forward, click Manage Future Activity and select Disconnect Future Activity.

    Meta Accounts Center "Manage future activity" pop-up, showing two options: "Connect future activity" and the highlighted "Disconnect future activity."

    Keep in mind, though, that turning off Off-Meta activity doesn’t stop those third-party sites from sending data. All it does is tell Facebook not to connect it to your personal profile. 

    How to Deactivate or Delete Facebook Messenger

    Here’s something you might not realize: you can’t just delete Facebook Messenger. To fully deactivate Messenger, you first need to deactivate your Facebook account.

    If you’ve already deleted your Facebook account, you can open the Messenger app on your phone. 

    1. Tap the menu (three lines) in the bottom right.
       Messenger app home screen showing the Menu option at the bottom navigation bar highlighted.
    2. In the menu, tap Settings.
       Messenger menu showing the "Settings" option highlighted.
    3. Scroll to the bottom of the page and under the Meta Accounts Center, select Personal Details.
       The Meta Accounts Center in Messenger Settings, showing the "Personal details" option highlighted.
    4. Scroll to the bottom again, and select Accounts.
       The "Accounts" option in the Meta Accounts Center highlighted.
    5. From here, select Remove and follow the steps to deactivate.
       Accounts settings page in Meta Accounts Center, showing a Facebook and an Instagram account, with the option to "Remove" the Facebook account highlighted.

    If you only deactivate Messenger but keep Facebook active, your Messenger profile will disappear from search, but your old messages and comments will still show up in friends’ chats. Even if you deactivate both Facebook and Messenger, your past messages won’t be deleted and will still be visible in other people’s inboxes. If you want your chats to disappear after a certain time, you can turn on Vanish Mode inside Messenger before deactivating.

    If you’re not going to delete your Facebook account, you can log out of Messenger or change your status from Active to Away so you appear offline. That way, you can step away without shutting things down completely.

    Major Facebook Data Breaches from 2018 – 2025 

    For a company that has access to personal data for billions of people around the world, Facebook has an immense responsibility to invest in top-tier cybersecurity. However, no system is perfect, and it’s been the target of some high-profile data breaches over the past several years. 

    Here’s a breakdown of the biggest ones and how they could have impacted you:

  • Cambridge Analytica (2018): A political data firm harvested data from 87 million profiles using a quiz app, exploiting a privacy loophole. Personal info like likes, friends, and interests was collected without clear user consent. It is one of the most infamous Facebook data leak scandals to date. 
  • Massive Data Exposures (2019): Over 530 million user records (IDs, phone numbers) were found on an unsecured cloud server. That same year, 419 million more records appeared on another server, and 267 million profiles were discovered on the dark web, mainly due to poorly secured third-party databases.
  • 533 Million User Leak (2021): A vulnerability allowed scraping of 533 million Facebook accounts (names, emails, phone numbers, and locations). Even though Facebook fixed the issue in 2019, the stolen data was published online in 2021.
  • 500 Million Scraped Records (2022): Regulators reported that around 500 million scraped user records from 2019 were circulating on forums, leading to a €265 million GDPR fine for Meta.
  • No New Breaches, But Big Fines (2023): No fresh leaks, but Meta faced a record $1.3 billion fine for violating EU data transfer rules under GDPR.
  • 2FA Code Leak & Marketplace Data (2023): A text-routing company’s flaw exposed millions of two-factor authentication (2FA) codes on Telegram. Separately, a Facebook contractor’s server was hacked, leaking 200,000 Marketplace records (including 77,000 unique emails and some hashed passwords).

How to Check if Your Facebook Data Was Compromised 

There are several tools that can scan the web to see if your data was stolen or leaked. HaveIBeenPwned.com is one of the most reputable options. Just enter your email address or phone number, and the free tool scans known breach databases to see if your information was compromised.

If it finds your data, the odds are good it’s circulating on hacker forums or even the dark web, where stolen data is often bought and sold. You should change your Facebook password right away, enable 2FA, and monitor your accounts closely for suspicious activity. Taking quick action can help protect you from further harm.

If you use PIA VPN, you can do this directly from your account. PIA includes Identity Guard, a feature that lets you check if your email has been exposed in a breach. Just log into your PIA account, go to the Identity Guard section, verify your email, and you’ll see any breach history. You can also turn on alerts to get notified about future breaches.

FAQ

Has Facebook experienced any major data breaches recently?

Due to its size and the amount of data it has, Facebook is a common target of hackers. The most recent event was in June 2025, when Cybernews reported that 16 billion login credentials, including Facebook accounts, were leaked online. While this wasn’t a direct breach of Meta’s servers, it still exposed millions of users. Earlier incidents include the 2018 Cambridge Analytica Facebook breach of privacy, the 2019 cloud server exposures, and the 2021 leak of 533 million accounts.

How can I find out if my Facebook data was leaked in a breach?

You can use tools like HaveIBeenPwned.com or Identity Guard to check if your email or phone number was exposed in a Facebook breach. Enter your info, and the tool will scan known breach databases to see if your data is circulating online.

What personal information is typically exposed in a Facebook breach?

Depending on the incident, leaked data has included names, phone numbers, email addresses, locations, interests, and even hashed passwords. In the Cambridge Analytica Facebook breach of privacy, likes and friend networks were exposed. In the 2021 breach, contact details for over 500 million accounts were published online.

What should I do if my Facebook account was affected by a data breach?

Take immediate steps: change your password, enable two-factor authentication, and review connected apps. If you spot unusual activity, report it at facebook.com/hacked. In some cases, Meta may contact you directly about a Facebook breach settlement if you’re eligible.

How can I protect my Facebook account from future breaches?

Use strong, unique passwords and turn on 2FA for all Meta platforms. Be cautious about third-party apps, and regularly review where your account is logged in. Staying proactive reduces the risk of your data being caught in the next Facebook breach.