All I can really say is maybe.
I might even go so far as to say probably, but I can’t say yes, since there are other possible explanations.
Let’s review what’s going on.
Become a Patron of Ask Leo! and go ad-free!
Facebook password recovery
If you forget your Facebook password, the first step is to click the “Forgot account?” link on the Facebook log-in screen.
That walks you through the process of account recovery, taking whatever information you know about the account to prove that you are the rightful owner.
One of those pieces of information is your email address, and in the most common case of a lost password, you’ll enter the email address of your account and Facebook will send an email to that email address.
Since you don’t know your password, and a secure system won’t tell it to you, the option is simply to set a new password. You prove that you are the rightful owner of the Facebook account by proving your access to the account email address. You do that by clicking on a link in that email or typing in the one-time password reset code provided in that email.
That you got two notifications sent to two different accounts is a good thing. It means you have an alternate or additional email address associated with your account. When a password reset notification is sent, it’s sent to all the email addresses associated with your account.
That way, if one of those email accounts gets hacked, you’ll still get notification on the others that something nefarious is going on.
I strongly recommend everyone have at least one alternate email address associated with their Facebook account. As you can see above, I have three.
Scenario #1: the intentional hack attempt
Say someone knows your email address and they want to hack into your Facebook account. One approach — at least to start — is to enter your email address into the account recovery process and see if Facebook will let them set a new password.
Naturally, Facebook sends an email to all the email addresses on your account, so you know what’s going on. As long as that hacker-wannabe doesn’t have access to one of your email accounts, they can’t get in. They won’t be able to receive the email message. They won’t be able to fool Facebook that they’re you.
Scenario #2: the accidental “hack” attempt
This one isn’t really a hack, since the person doing it isn’t trying to get into your account. They probably have no idea what they’re doing.
They’re trying to log in and getting their password wrong. Facebook isn’t letting them in. As a result, they try the account recovery path. They enter in their email address, and once again the account-recovery email is sent to all email addresses associated with the account.
The problem? They typed their email address in wrong. What they typed was your email address, not their own. That’s probably why they couldn’t log in in the first place.
It sounds far-fetched, but it’s amazing how often people get their own email address wrong. Repeatedly. Or they just don’t use it often enough to remember exactly what it is — and exactness counts.
They may try several times before giving up or realizing their mistake.
This happens to me often
Don’t let this scare you too much. As you can see, Facebook has a security system in place. As long as your email accounts are secure, your Facebook account is likely to be secure.
This happens to me all the time. Screenshots for this article were just a matter of me looking in my archived email. The image of the notification email is from last week. When it happens, I do click the “let us know” link to let Facebook know that, no, this was not me trying to change my password. My assumption is they use this method to identify repeat offenders.
I’ll admit, it’s all a little unnerving, but I try not to sweat it. Mostly because I have a not-so-secret weapon.
Facebook supports two-factor authentication, and I have it turned on.
Facebook supports several different forms of two-factor. In my case, even if someone gets my password, they’d have to also enter a code that’s displayed only by the Facebook app on my mobile phone.
Without that second factor, they can’t log in.
As you might imagine, enabling some form of two-factor authentication is something I recommend for all your important accounts that support it. Facebook most certainly qualifies for most people.
Hacking attempt or not?
Ultimately, there’s no way to know whether the attempt to reset your account password was deliberate or accidental. Perhaps you’re a target, or perhaps your email address is similar to that of others. We’ll never really know.
But by maintaining the security of your email accounts, and possibly adding two-factor authentication, you can generally rest easy — even when you get these unexpected notifications.