Much like email, it’s not uncommon for someone, somewhere, to gain access to someone else’s Facebook account, and use it to post spam or worse. Sometimes, the account password is changed; sometimes not. Sometimes traces are left; sometimes not.
Sometimes the entire account is destroyed, and you can lose your account permanently.
If you think that has happened to you, here’s what you need to do next.
If you suspect your Facebook account has been hacked:
- Recover access to your account
- Change your password
- Check or set your account recovery information
- Let your contacts know
- Learn from the experience
- Get help if you need it
1. Recover your account
Log in to your Facebook account right away. If you can, consider yourself very lucky and proceed to step 2.
If you can’t log in, proceed to my article, How Do I Recover My Facebook Password? Facebook includes several recovery options — provided you set them up beforehand. As long as you did, these may allow you to regain control of your account and reset your password.
If that recovery method doesn’t work — perhaps because the hacker has altered all the recovery information, you don’t recall the answers, you no longer have access to a recovery email or phone, or you never set up any recovery information in the first place — Facebook has a couple of additional approaches to try.
Get Help from Friends is a technique where you tell Facebook the names of a few friends with whom you’re connected on Facebook. Facebook sends them the recovery information, which you collect from them and provide to Facebook to recover your account.
If your account really is hacked and you’re unable to regain access, you should report it to Facebook as being hacked by visiting this URL: facebook.com/hacked. That page also provides additional steps to attempt to regain access to your account.
VERY important: If you cannot recover access to your account, it is now the hacker’s account. Unless you backed it up, everything in it is gone forever, and you can skip the next two items. You’ll need to set up a new account from scratch.
2. Change your password
When you regain access to your account, or if you never lost it, immediately change your password.
As always, make sure it’s a good password: easy to remember, difficult to guess, and long. In fact, the longer the better. While I couldn’t find a definitive answer on the maximum length allowed by Facebook, I’ve seen anecdotal evidence that passwords of at least 50 characters work.
But don’t stop here. Changing your password is not enough.
3. Change (or set) your recovery information
While the hacker has access to your Facebook account, they may elect to leave your password alone. That way, you may not notice the account has been hacked for a while longer.
But whether they changed your password or not, they may go in and change the recovery information.
The reason is simple: when you finally get around to changing your password, the hacker can follow the “I forgot my password” steps and reset the password out from underneath you and hack your account again, using the recovery information they set.
Check the email addresses associated with your Facebook account and remove any you don’t recognize or no longer have access to. The hacker could have added his own. Make sure all the email addresses belong to you and that you will continue to be able to access those accounts.
Check any phone numbers associated with the account. The hacker could have set their own. Remove any you don’t recognize, and make sure that if a phone number is provided, it’s yours and no one else’s.
Overlooking information entered for account recovery could allow the hacker to hack back in. And, of course, failing to set any recovery information dramatically lessens the chances of recovering a hacked account. Take the time to carefully review and/or set up this information.
4. Let your contacts know
Some people may disagree with me, but I recommend letting your friends know your account was hacked, particularly if your account was posting spam while out of your control.
I believe it’s important so they know not to pay attention to posts or messages made while the account was out of your control. They can also be on the lookout for phishing attempts using information the hacker may have gathered from your account while they had access to it.
5. Learn from the experience
One of the most important lessons to learn from this experience is to consider all the ways your account could have been hacked and take appropriate steps to protect yourself from a repeat occurrence.
- Use long passwords that can’t be guessed. Use a password vault so you can set truly secure passwords.
- Don’t share your password with anyone.
- Don’t fall for phishing attempts. If they ask for your password, they are bogus.
- Don’t click links in email or private messages you aren’t 100% certain of. Many phishing attempts lead you to bogus sites that ask you to log in, and steal your password when you try.
- If you’re using WiFi hotspots, learn to use them safely.
- Keep the operating system and other software on your machine up to date, and run up-to-date anti-malware tools.
- Learn to use the internet safely.
- Consider enabling Facebook two-factor authentication, where simply knowing the password is not enough to gain access.
If you are fortunate enough to be able to identify exactly how your password was compromised (and that isn’t common), absolutely take measures so it never happens again.
6. If you’re not sure, get help
If you’re having difficulty with the process, you can ask Facebook for help. It’s unclear how responsive they are, and I wouldn’t expect a fast answer by any means, but it may serve as a last resort.
While you’re at it, find someone who can help you set up a more secure system for your account, following the steps above.
The reality is, you and I are ultimately responsible for our own security. That means taking the time to learn and set things up securely. Yes, additional security can be seen as an inconvenience. In my opinion, dealing with a hacked account is significantly more than inconvenient. It’s worth the trouble to do things right in the first place.
If that’s still too much … well … expect your account to get hacked again.