Technology in terms you understand. Sign up for the Confident Computing newsletter for weekly solutions to make your life easier. Click here and get The Ask Leo! Guide to Staying Safe on the Internet — FREE Edition as my thank you for subscribing!

Why Am I Getting “We Received a Request to Reset Your Facebook Password”?

What to do about resets you didn’t ask for.

Why they happen, and what to do about them.
Question Facebook
(Image: canva.com)
Question: I received this message: “We received a request to reset your Facebook password.” (To two different e-dresses.) at 2:30 something am. I was not up at that hour. The links in the email, I believe, lead to an actual FB page to reset my password. Does this mean that someone was trying to hack me?

All I can really say is maybe.

I might even go so far as to say probably, but I can’t say yes, since there are other possible explanations.

Let’s review what’s going on.

Become a Patron of Ask Leo! and go ad-free!

TL;DR:

A request to reset your Facebook password

Confirmation messages with a link or code to confirm a change prevent others from changing your password. You might get a notification if someone is trying to break into your account, or if they mistype your email address instead of their own when trying to reset their own password. As long as your associated email accounts are secure, you can ignore the notification. Enable two-factor authentication for even more Facebook account security.

Facebook password recovery

If you forget your Facebook password, the first step is to click the “Forgot password?” link on the Facebook log-in screen.

Facebook's Forgot Password? link
Facebook’s Forgot Password? link. Click for larger image. (Screenshot: askleo.com)

That walks you through the process of account recovery, using information you know about the account to prove that you are the rightful owner.

One of those pieces of information is your email address, and in the case of a lost password, you’ll enter the email address of your account and Facebook will send an email to that email address.

Facebook Recovery Code email
Facebook recovery code email. (Screenshot: askleo.com)

Since you don’t know your password, and a secure system won’t tell it to you, the option is simply to set a new password. You prove that you are the rightful owner of the Facebook account by proving your access to the account’s email address. You do that by clicking on a link in that email or typing in the one-time password reset code provided in that email.

Two emails?

That you got two notifications sent to two different accounts is a good thing. It means you have an alternate or additional email address associated with your account. When a password reset notification is sent, it’s sent to all the email addresses associated with your account.

Facebook account with two email addresses.
Facebook account with two email addresses. Click for larger image. (Screenshot: askleo.com)

That way, if one of those email accounts gets hacked, you’ll still get notifications on the others that something is going on.

I strongly recommend everyone have at least one alternate email address associated with their Facebook account, and make sure to keep them up to date.

Now let’s look at how those notification emails might be triggered.

Scenario #1: intentional

Say someone knows your email address and they want to hack into your Facebook account. One approach — at least to start — is for that someone to enter your email address into the account recovery process and see if Facebook will let them set a new password for your account.

Naturally, Facebook sends an email to all the email addresses on your account, so you know what’s going on. As long as that hacker-wannabe doesn’t have access to one of your email accounts, they can’t get in. They won’t be able to receive the email message. They won’t be able to fool Facebook that they’re you.

You can safely ignore the message; your account is secure.  Technically you don’t need to change your password, though there’s no harm in doing so if it makes you feel safer.

Scenario #2: accidental

This one isn’t really a hack, since the person doing it isn’t trying to get into your account. They probably have no idea what they’re doing.

They’re trying to log in and getting their own password or email address wrong. Facebook isn’t letting them in. As a result, they try account recovery. They enter in their email address, and once again the account-recovery email is sent to all email addresses associated with the account.

The problem? They typed their email address in wrong. What they typed was your email address, not their own. That’s probably why they couldn’t log in in the first place.

It sounds far-fetched, but it’s amazing how often people get their own email address wrong.1 Repeatedly. Or they just don’t use it often enough to remember exactly what it is — and exactness counts.

They may try several times before giving up or realizing their mistake.

Scenario #3: spam

It’s uncommon, but spam can mimic a password reset request or confirmation.

The spammers are counting on you to panic and quickly click the “it’s not me” or similar link in the notification. That link takes you to a fake website where you’re prompted to sign in to Facebook. Even though it might look like Facebook’s sign-in page, it’s not, and you’ll have handed over your Facebook credentials to a hacker.

As long as your email accounts are secure — you have proper security in place, including two-factor authentication when offered — it’s safe to ignore these notifications.  If you choose to click on the “it’s not me” link,2 then take extra care to confirm that the link truly goes to Facebook, and not a scammer: hover over the link and make sure it goes to who you think it does.

This happens to me often

Don’t let this scare you too much. As you can see, Facebook has a security system in place. As long as your email accounts are secure, your Facebook account is likely to be secure.

This happens to me all the time. When it happens, I choose to click the “let us know” link to let Facebook know that, no, this was not me trying to change my password. My assumption is that they use this method to identify repeat offenders.

I’ll admit, it’s all a little unnerving, but I try not to sweat it — mostly because I have a not-so-secret weapon.

Two-factor authentication

Facebook supports two-factor authentication, and I have it turned on.

Facebook Two-Factor Authentication.
Facebook two-factor authentication setting. Click for larger image. (Screenshot: askleo.com)

Facebook supports several different forms of two-factor. In my case, even if someone managed to get my password, they’d have to also enter a code texted to my mobile phone.

Without that second factor, they can’t log in.

As you might imagine, enabling some form of two-factor authentication is something I recommend for all your important accounts that support it. Facebook certainly qualifies as important for most people.

Hacking attempt or not?

Ultimately, there’s no way to know whether the attempt to reset your account password was deliberate or accidental. Perhaps you’re a target, or perhaps your email address is similar to that of others.

We’ll never really know.

Do this

Maintain the security of your email accounts, and consider adding two-factor authentication. You can rest easy and safely ignore these unexpected notifications.

Get more security tips and reassurances by subscribing to Confident Computing! More confidence & less frustration — solutions, answers, & tips — in your inbox every week.

Podcast audio

Play

Footnotes & References

1: This is exactly why so many forms asking for your email address have you enter it twice.

2: I’ll be honest: I usually do.

References

I got an email saying I requested a new Facebook password but I didn’t make this request. – Facebook

58 comments on “Why Am I Getting “We Received a Request to Reset Your Facebook Password”?”

  1. i have only a landline. nothing mobile. FB`s two factor auth won`t let me use a landline. it has to be mobile or nothing.
    i`ve written FB more than a few times because they keep asking me to enable it.
    nothing ever changes.

    Reply
  2. My rule of thumb is common sense. If you didn’t ask for it, it wasn’t real. Even if you did it by mistake, ALWAYS go directly to the site, don’t use email links. Find out there, acknowledge it was/wasn’t you, or it was a mistake and make sure they know.

    Another thing, one that is kind of annoying sometimes, especially if you got a new computer running or installed a new browser, is that some sites will email you and ask if it was you (Google is a prime example). I have more than two machines and having to prove I’m me at least once a month because of that always seems silly. Oh well, at least you know they are made aware that you are not John Hacker.

    Reply
  3. for some time ive told ssus, google help my 1st key on lphebet didn’t respond when sign in p/wd I seen on smart tv how to but I hd to give p/wd with out success found out with settings go to on screen lphebet found success full. why they cnt inform me of slusion. without the 1st vowel it’s impossible on keybord for signing & emils. I know this is not english hope one makes sense of this comment.

    Reply
  4. Good to point it out because the article don’t mention it and is something that is happening a lot. Is important that people do not click in a hurry if they see something strange or have not request a password change.

    Reply
  5. I don’t have any of the problems above but I do have a very strange problem with Face book. They keep sending me emails telling me that I have a friend request for “my facebook page.” I do not have a Facebook account and never have. I’ve had my wife check for me and she can not find the email page in question. however I get an average of 3 invites a quarter. A lot of them state I saw your profile “on Facebook.” how do I handle this problem? I have tried to contact Facebook aboutthis problem but never receive an answer.

    Reply
  6. I can cite a fourth scenario: You access Facebook while your computer or mobile device is using a Virtual Private Network (VPN) and Facebook’s security system flags your log-in as potentially fraudulent or a hack attempt and forcing me to change my password.

    That happened to me quite often after I subscribed to a VPN. After the seventh time, I had had enough and filed a formal complaint with Facebook, demanding that the social network stop flagging my log-ins. In my complaint, I pointed out that millions of Facebook users employ VPNs for added online security above and beyond their device’s security software. — and the use of VPNs have become de rigeur on mobile devices.

    Since I filed my complaint, I’ve had no further problems with my Facebook logins.

    Reply
  7. I recently lost my phone but i did a sim swap in order to keep my old number. Now I keep getting facebook verification messages to my sms inbox. How do i stop someone from getting access to my facebook account?

    Reply
  8. Im having a problem : someone hacked into my Facebook account I believe they changed my phone number and turned on the two factor authentication I can’t get into my Facebook account because it’s asking for these codes … I’m able to still receive emails and was able to change password but can’t get in. Do you have any advice?

    Reply
    • Honestly, if you are not just making all that up and just never set your 2-factor or any authentication settings up and somebody did manage to get in and did that? Well, Facebook very easily has another Authentication function that is exactly meant for such reasons, at least, I know this because it happened to me but it was my own fault. They asked me and offered a chance for me to snap a digital photo of my license and just blacking out all the personal information. They use that solely to identify your “face” because well, it’s “Face”book. But, many people don’t have photos of their-selves. They also use it to identify then, aside from the photo, your “name” “birthdate” and overall, if it’s a real license OR State I.D. It doesn’t have to be a license. So, in the end, even if you come to a situation like you’re in, all you have to do is Google Facebook’s Security Tech Support or w/e, and follow the steps to email them your drivers’ license and stuff. You’ll be fine. I forgot how long it took but it was fairly quick. Hope that helps!

      Reply
  9. That’s right, bro! 2-Factor! Word up. I love it. It’s pointless, you ain’t gettin’ it, bro! Try another Facebook lol. I love those fake profile friend requests, too. It’s just like back on AOL, they did the same thing. And it still occurs in e-mail, different scams but they all resemble one another and are easy to spot. I love this article. I appreciate your knowledge and personality in computer/internet and mostly security-based situations. Thank you for the experience, the knowledge, the help, and also the entertainment.

    Reply
    • If it says your password has been reset, then your account may just have been hacked. If it’s saying that an attempt failed (which I suspect is the case), then someone’s trying to change the password — either maliciously, or by mistake. Make sure your account is properly secured!

      Reply
      • I get a email at least3x daily in spam saying my FB has been reset ! Yet I have no problem getting into FB ! This has been going on off and on for months ! I can’t ask THEM anything since when I get frustrated and ask THEY NEVER BOTHER TO
        ANSWER !

        Reply
        • So, ignore those messages. As long as you can access your Facebook account normally and you have your security set appropriately it’s very likely that they’re nothing more than spam. Facebook CAN’T do anything about spam, since it’s not something they’re sending.

          Reply
  10. * Have changed my e-mail address to something you definitly won’t type in by mistake.
    * Have removed the old e-mail address.
    * Have enabled two-factor authentication

    Bur still get these messages (not e-mails) on facebook, from facebook that someone is trying to login and I must change password.
    Happens very, very often, and is driving me crazy.

    Reply
    • Do you use a VPN? That can cause that message sometimes as it looks like logins are being attempted from different countries or regions. Logging in from different computers and sometimes from different computers can also trigger that warning.

      Reply
  11. what if i can’t find my code generator? i go through all the steps and it asks for a code. once or twice i was able to enter a code. Now it does not show onscreen.

    Reply
  12. Hello sir, just wanted to ask about a serious problem i’m having with my mothers facebook account. So my mother has passed away due to a terminal illness and she wanted me to take over her facebook account. So a couple days ago, i signed into the account and I was just going through my mothers posts etc, so the next day, i log into the account and suddenly it says “Someone may have logged into your account – In order to keep your information secure, we’ve locked your account. Before we can unlock it, please verify your identity and change your password.
    Your account will remain hidden until you complete this process.” So i clicked continue and it brings me to two verification options. “1. Text a security code to your phone
    2. Confirm your identity on another phone or computer” so i chose the first option because i have my mothers sim card with the same number the verification code was allocated to. I can clearly see its the exact same number where its supposed to send me a 6 digit code to verify that the account is “mine”. No matter how many times i’ve tried, it just isn’t working. Please help me with this problem as the account has been secured from public view, i was supposed to download pictures from what my mom has uploaded here for her memorial that is coming soon. Please help me.

    Reply
    • I have tried the 2nd verification option it gave me, but instructions were vague and it said “Login was not approved” but after failing both options, the 3rd option pops up which is “Upload a photo ID”. Very strange request but I can’t really do this option.

      Reply
      • Cannot receive verification code on my mobile number is there something I need to set up in order to receive this code?

        Reply
        • You shouldn’t need to, generally. Depends on the kinds of verification, but generally if you can receive text messages you should be able to get the codes. Make sure that the phone number is configured correctly.

          Reply
  13. Google recently notified me that my someone who “knew my password” tried to hack my gmail account. Within a week, facebook contacted me telling that someone other than me logged into my account. BOTH instances were traced to Charlotte, NC, but I have DIFFERENT email addresses associated with my Gmail and FB accounts. Was this likely someone who knew me (my old login information saved on their computer)?

    Thank you so much for the insight.

    Reply
  14. Please help someone tried to login on my Facebook, I ended up deactivating my account, now I’m trying to activate it and it says I’m trying to login with an older password. Then when I try to have a new password I cant because my username is an email address which I no longer have access to.

    Reply
  15. Good morning sir………..someone hacked my facebook account yesterday by changing my login password and my email.please help me to recover my password .This is my Facebook name,{name and phone number removed}

    Reply
  16. I’ve been talking to this guy on Hangouts. He did ask me my phone number and I give it to him. Then another day he told me that I was going to get some codes andFacebook was sending me the code so. I was suspicious but I did not give this guy the codes he’s waiting on for me to do that I wonder I wonder if the I guess there are the codes for my for my Facebook right? Am I supposed to change my password now

    Reply
  17. Hi Leo,

    I have received the exact email you mentioned above on th 14th October…in fact two of them, and I was the one wanting to change my password in Facebook. Sadly i have a hit of whom might be the person, who tried doing it. However, i do not have concrete proofs but I would like to make an official complaint.
    Would an investigation bring up, from where the access took place?

    I am truly not expert and I would really appreciate some help with this.

    Looking forward to hearing from you.

    Best

    Reply
  18. I had the scenario #1 , most of the time they actually dont know your personal email address (strangers) but they type your facebook username instead which is username@facebook.com , this happens often to people with common usernames ( your first name only or a popular word), I got tired of receiving emails in 2016 so I started pressing the option saying I wasn’t the one requesting them and around 2-3 months later after doing so for the 1000th time facebook asked me to login which I thought was weird but they then brought me to a page allowing me to disable the option of resetting my password through emails linked to my account, I havent got a facebook password reset link since

    Reply
  19. Is there a way to verify that the email reallly came from Facebook? I noticed mine says it was from security{at}facebookmail.com, wouldn’t all email from facebook be from @facebook.com?

    I have two factors authentifications on, and I do not wan’t to click on any of the link in that email, until I am sure it is from Facebook.

    Reply
  20. There is a simpler way to address this: what is the sender address? I just received this message from: Facebook

    Does facebook ever send from this address or not?

    If facebook had any kind of decent support service, we could get help. But Facebook support is virtually non-existent.

    Reply
  21. Bro can you log in my account to help me bro my account is hacked someone is log my accunt without my permission

    Pls pls pls dilado account

    Reply
  22. “As long as that hacker-wannabe doesn’t have access to one of your email accounts, they can’t get in…”

    Might be mentioned in some of the many comments, but of equal (actually greater) importance is of course also to secure the associated mail accounts. They will need good passwords, two-factor authentication, good recovery addresses (that are also secured), updated phone numbers, etc.

    I’m not sure how many times – per week – I see someone losing access to their own data because they have not secured an account, and have not kept recovery information up to date, and hence have no way of actually getting their “free” account back.
    Account might be free, but the data stored in an account often represents years of “work” and a real loss for most.

    Reply
  23. They managed to hack my account! I had been getting the same emails saying someone is trying to get in my facebook account and 2 days ago they actually did it! I don’t know how because I had recently changed my password to a new, strong & unique one that I don’t use anywhere else and I also had 2-factor-authentication turned on. Yet I didn’t receive a prompt asking me for a code or to confirm that it is me trying to log in. Instead I just got an email informing of a login from an unusual location (Vietnam). After that everything happened very quickly – before I was able to react. They changed my password, removed both my email addresses and phone numbers and replaced them with their own, so I can’t log in or recover my account in any way. And then in less than an hour I saw that my account has been deactivated due to ‘violating the community standards’.

    Now I’ve been desperately trying to get in touch with someone from Facebook to help me recover my account, but there’s been no response whatsoever.

    I don’t understand how they did it. I thought I had a good protection. That’s 18 years of my life shared on Facebook with friends & family – down the drain within minutes!

    Reply

Leave a reply:

Before commenting please:

  • Read the article.
  • Comment on the article.
  • No personal information.
  • No spam.

Comments violating those rules will be removed. Comments that don't add value will be removed, including off-topic or content-free comments, or comments that look even a little bit like spam. All comments containing links and certain keywords will be moderated before publication.

I want comments to be valuable for everyone, including those who come later and take the time to read.