Much like email, it’s not uncommon for someone, somewhere, to gain access to a Facebook account and use it to post spam or worse. Sometimes, the account password is changed. Sometimes not. Sometimes, traces are left. Sometimes not.
Sometimes, the entire account is destroyed.
If you think it’s happened to you, here’s what you need to do next.
1. Recover your account
Log in to your Facebook account right away.
If you can, consider yourself very lucky and proceed to step 2.
If you can’t log in, even though you know you’re using the correct password, then the hacker has probably changed your password.
Proceed to my article: How Do I Recover My Facebook Password? Facebook includes several recovery options — provided you set them up beforehand. These may allow you to regain control of your account and reset your password.
If that recovery method doesn’t work – perhaps because the hacker has altered all the recovery information, you don’t recall the answers, or you never set up any recovery information in the first place — Facebook does have a couple of additional approaches to try.
Get Help from Friends is a technique where you tell Facebook the names of a few friends with whom you’re connected on Facebook. Facebook sends them recovery information, which you collect from them and provide to Facebook to recover your account.
If your account really is hacked and you’re unable to regain access, you should report it to Facebook as being hacked by visiting this URL: http://www.facebook.com/hacked. That will also access additional steps to attempt to regain access to your account.
Important: If you cannot recover access to your account, then it is now someone else’s account. It is now the hacker’s account. Unless you backed it up, everything in it is gone forever, and you can skip the next two items. You’ll need to set up a new account from scratch.
2. Change your password
Whether you regain access to your account (or you never lost it), immediately change your password.
As always, make sure it’s a good password: easy to remember, difficult to guess, and long. In fact, the longer the better. While I couldn’t find a definitive answer on the maximum length allowed by Facebook, I’ve seen anecdotal evidence that passwords of at least 50 characters work.
But don’t stop here. Changing your password is not enough.
3. Change (or set) your recovery information
While the hacker has access to your Facebook account, they may elect to leave your password alone. That way, you may not notice that the account has been hacked for a while longer.
But whether they changed your password or not, they may go in and changed the recovery information.
The reason is simple: when you finally get around to changing your password, the hacker can follow the “I forgot my password” steps and reset the password out from underneath you, using the recovery information he or she set.
Thus, you need to check all of it, and change much of it, right away.
Change the answer to your security question. The answer you choose doesn’t have to match the question (you might say that your mother’s place of birth was “constitution”, for example). All that matters is that the answer you give matches the answer you set if you ever need to recover your account.
Check the email addresses associated with your Facebook account, and remove any you don’t recognize or are no longer accessible to you. The hacker could have added his own. Make sure all the email addresses belong to you and that you will continue to be able to access those accounts.
Check the mobile phone number associated with the account. The hacker could have set their own. Remove any you don’t recognize and make sure that if a phone number is provided, it’s yours and no one else’s.
Overlooking information entered for account recovery could allow the hacker to hack back in. And, of course, failing to set any recovery information dramatically lessens the chances of recovering a hacked account — so take the time to carefully review and/or set up this information.
4. Let your contacts know
Some people may disagree with me, but I recommend letting your friends know your account was hacked, particularly if your account was posting spam while out of your control.
I believe it’s important to notify your contacts, so they know not to pay attention to posts made while the account was hacked. They can also be on the lookout for phishing attempts using information the hacker may have gathered from your account while they had access to it.
5. Learn from the experience
One of the most important lessons to learn from this experience is to consider all the ways your account could have been hacked, and take appropriate steps to protect yourself from a repeat occurrence.
- Use long passwords that can’t be guessed. Use a password vault so you can use truly secure passwords.
- Don’t fall for email phishing attempts. If they ask for your password, they are bogus.
- Don’t share your password with anyone.
- Don’t click links in email you aren’t 100% certain of. Many phishing attempts lead you to bogus sites that ask you to log in and steal your password when you try.
- If you’re using WiFi hotspots, learn to use them safely.
- Keep the operating system and other software on your machine up to date, and run up-to-date anti-malware tools.
- Learn to use the internet safely.
- Consider enabling Facebook login approvals, where simply knowing the password is not enough to gain access to an unrecognized computer. With this form of two-factor authentication, you associate a mobile device with your account. When you log in on a new or untrusted computer, you receive a special code on that device to enter into Facebook.
If you are fortunate enough to be able to identify exactly how your password was compromised (it’s not common), then absolutely take measures so it never happens again.
6. If you’re not sure, get help
If you’re having difficulty with the process, you can ask Facebook for help. It’s unclear how responsive they are, and I wouldn’t expect a fast answer by any means, but it may serve as a last resort.
While you’re at it, find someone who can help you set up a more secure system for your account, following the steps above.
The reality is, you and I are ultimately responsible for our own security. That means taking the time to learn and set things up securely.
Yes, additional security can be seen as an inconvenience. In my opinion, dealing with a hacked account is significantly more than inconvenient. It’s worth the trouble to do things right.
If that’s still too much … well … expect your account to get hacked again.