No need to panic.

All I can say is maybe.
I might even say probably, but I can’t say yes, since there are other explanations.
Let’s review what’s going on.

A request to reset your Facebook password
Confirmation messages with a link or code are sent to prevent others from changing your password. You might get a notification if someone is trying to break into your account, or if they mistype your email address instead of their own when trying to reset their password. As long as your associated email accounts are secure, you can ignore the notification. Enable two-factor authentication for even more Facebook account security.
Facebook password recovery
First, we need to understand how Facebook password recovery works.
If you forget your Facebook password, the first step is to click the “Forgot password?” link on the Facebook log-in screen.

That walks you through the process of account recovery, using information you know about the account to prove that you are the rightful owner.
One of those pieces of information is your email address. You enter the email address associated with your account, and Facebook emails a code to that address.

Since you don’t know your password and a secure system won’t tell it to you, the option is simply to set a new password. You prove you are the rightful owner of the Facebook account with your ability to access the account’s email address. You do that by clicking on a link in that email or typing in the one-time password reset code provided in that email.
Why two emails?
That you got two notifications sent to two different accounts is a good thing. It means you have an alternate or additional email address associated with your account. Facebook sends a password-reset notification to all email addresses associated with your account.

That way, if one of those email accounts gets hacked or you lose access to it for some other reason, you’ll still get notifications at the other account.
I strongly recommend everyone have at least one alternate email address associated with their Facebook account (and keep them up to date).
Now let’s look at how those notification emails might be triggered.
Scenario #1: intentional
Say someone knows your email address and they want to hack into your Facebook account. This happens to me frequently with the example accounts I use here on Ask Leo![1]
One approach is for that person to enter your email address into the account recovery process and see if Facebook will let them set a new password for your account.
Naturally, Facebook notifies all the email addresses on your account so you know what’s going on. As long as that hacker doesn’t have access to your email accounts, they can’t get in. They won’t be able to receive the email message. They won’t be able to fool Facebook that they’re you.
You can safely ignore the message; your account is secure. Technically, you don’t need to change your password, though there’s no harm in doing so if it makes you feel safer.
Scenario #2: accidental
This one isn’t really a hack, since no one is trying to get into your account. They probably have no idea what they’re doing.
They’re trying to log in and typing in their password or email address wrong. Facebook isn’t letting them in. As a result, they try account recovery. They enter their email address, and once again Facebook sends the account-recovery email to all email addresses associated with the account.
The problem? They typed their email address in wrong. What they typed was your email address, not their own. That’s probably why they couldn’t log in in the first place.
It sounds far-fetched, but it’s amazing how often people get their email address wrong.[2] Repeatedly. Or they just don’t use it often enough to remember exactly what it is.
They may try several times before giving up or realizing their mistake.
You can safely ignore the message; your account is secure.
Scenario #3: spam
It’s uncommon, but spammers sometimes send a fake password reset request or confirmation.
The spammers are counting on you to panic and quickly click the “it’s not me” or “let us know” link in the notification. That link takes you to a fake website where you’re prompted to sign in to Facebook. Even though it might look like Facebook’s sign-in page, it’s not, and you mistakenly hand over your Facebook credentials to a hacker.
As long as your email accounts are secure — you have proper security in place, including two-factor authentication when offered — it’s safe to ignore these notifications. If you choose to click on the “let us know” link,[3] take extra care to confirm that the link truly goes to Facebook, and not a scammer: hover over the link and make sure it goes where you think it does.
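What "make sure it goes where you think it does" looks like when done mechanically, as an added example in JavaScript (not code from the original article or from Facebook). The trusted-domain list and the sample links are constructed for illustration, and example.net is a placeholder for a domain the reader does not trust.

```javascript
// Added example: does a link in a "password reset" email really point at
// Facebook? TRUSTED_DOMAINS is an assumption made for this sketch.
const TRUSTED_DOMAINS = ["facebook.com"];

// Takes the link target (the href, not the visible text) and returns
// { ok, host, reason }.
function checkLink(href) {
  let url;
  try {
    url = new URL(href);
  } catch {
    return { ok: false, host: null, reason: "not an absolute URL" };
  }
  // The parser lowercases the host, converts internationalized names to
  // punycode (xn--...), and splits off any user:pass@ prefix.
  const host = url.hostname.replace(/\.$/, "");
  if (url.protocol !== "https:") {
    return { ok: false, host, reason: "not https" };
  }
  if (url.username || url.password) {
    return { ok: false, host, reason: "text before @ is not the host" };
  }
  if (host.split(".").some((label) => label.startsWith("xn--"))) {
    return { ok: false, host, reason: "internationalized (punycode) host" };
  }
  // Accept the exact domain or a subdomain of it. A substring or
  // startsWith test would wrongly accept facebook.com.example.net.
  const trusted = TRUSTED_DOMAINS.some(
    (d) => host === d || host.endsWith("." + d)
  );
  return trusted
    ? { ok: true, host, reason: "host is under a trusted domain" }
    : { ok: false, host, reason: "host is not under a trusted domain" };
}

// Constructed sample links; example.net stands in for a scammer's domain.
const SAMPLES = [
  "https://www.facebook.com/recover/initiate",
  "https://facebook.com.example.net/login",
  "https://facebook.com@example.net/login",
  "https://facebo\u043ek.com/login", // Cyrillic "o" in place of Latin "o"
  "http://www.facebook.com/login",
];
for (const s of SAMPLES) {
  const r = checkLink(s);
  console.log(r.ok ? "OK " : "BAD", r.host, "-", r.reason);
}
```

The host that matters is the one the parser reports, read from the right-hand end: everything before the last two labels is a subdomain chosen by whoever owns that domain.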
This happens to me often
Don’t let this scare you too much. As you can see, Facebook has a security system in place. As long as your email accounts are secure, your Facebook account is likely to be secure.
This happens to me all the time. When it happens, I choose to click the “let us know” link to let Facebook know that, no, this was not me trying to change my password. My assumption is that they use this method to identify repeat offenders.
I admit it’s all a little unnerving, but I try not to sweat it — mostly because I have a not-so-secret weapon.
Two-factor authentication
Facebook supports two-factor authentication, and I have it turned on. You should too.

Facebook supports several forms of two-factor. In my case, even if someone got my password, they’d have to also enter a code texted to my mobile phone.
Without that second factor, they can’t log in.
Enabling two-factor authentication is something I recommend for all your important accounts that support it. Facebook certainly qualifies as important for most people.
Hacking attempt or not?
Ultimately, there’s no way to know whether the attempt to reset your account password was deliberate or accidental. Perhaps you’re a target, or perhaps your email address is similar to that of others.
We’ll never know.
Do this
Maintain the security of your email accounts and consider adding two-factor authentication. Then you can rest easy and safely ignore these unexpected notifications.
Footnotes & References
1: I always envision some bored, immature child or tween in a basement somewhere trying to prove something.
2: This is exactly why so many forms have you enter your email address twice.
3: I’ll be honest: I usually do.
References
I got an email saying I requested a new Facebook password but I didn’t make this request. — Facebook
I had the scenario #1, most of the time they actually don’t know your personal email address (strangers) but they type your Facebook username instead, which is username@facebook.com. This happens often to people with common usernames (your first name only or a popular word). I got tired of receiving emails in 2016, so I started pressing the option saying I wasn’t the one requesting them, and around 2-3 months later, after doing so for the 1000th time, Facebook asked me to log in, which I thought was weird, but they then brought me to a page allowing me to disable the option of resetting my password through emails linked to my account. I haven’t got a Facebook password reset link since.
Is there a way to verify that the email really came from Facebook? I noticed mine says it was from security{at}facebookmail.com, wouldn’t all email from Facebook be from @facebook.com?
I have two-factor authentication on, and I do not want to click on any of the links in that email, until I am sure it is from Facebook.
That is a legitimate email address.
Why am I receiving email notifications from Facebookmail.com?
You can look for signs to determine whether an email is a phishing attempt.
Phishing: How to Know It When You See It
There is a simpler way to address this: what is the sender address? I just received this message from: Facebook
Does Facebook ever send from this address or not?
If facebook had any kind of decent support service, we could get help. But Facebook support is virtually non-existent.
The system stripped the email from my reply. It was @facebookmail dot com. I am suspicious that is not a valid Fb email address.
Actually it is. You can see who owns it with a “who is” look up: https://whois.domaintools.com/facebookmail.com
“From:” addresses can be, and often are, faked. So a hacker could easily make it look like the email came from a legitimate Facebook email address, when in fact it did not.
Lack of support is one of the prices we pay for using a free service. Real support is expensive to provide.
That’s because it would cost Facebook millions to provide support. And remember, we are the product, not the customer. They probably provide support for their paying customers.
As an occasional advertiser on Facebook (i.e. one of the “real” customers) … no, there’s not a lot of support there either. I’ll bet the big accounts get something, though.
I’m sure Putin gets support 🙂
Bro can you log in my account to help me bro my account is hacked someone is log my account without my permission
Pls pls pls dilado account
Bro, I cannot.
Please follow the account recovery steps as outlined in this article: https://askleo.com/how-do-i-recover-my-hacked-facebook-account/
If Facebook’s recovery process doesn’t work for you — maybe you don’t have the recovery email or phone — MAKE SURE to follow Facebook’s instructions CAREFULLY and COMPLETELY.
If the Facebook recovery process can’t be made to work, I know of no way to recover the account. If that’s your situation I’m very sorry.
“As long as that hacker-wannabe doesn’t have access to one of your email accounts, they can’t get in…”
Might be mentioned in some of the many comments, but of equal (actually greater) importance is of course also to secure the associated mail accounts. They will need good passwords, two-factor authentication, good recovery addresses (that are also secured), updated phone numbers, etc.
I’m not sure how many times – per week – I see someone losing access to their own data because they have not secured an account, and have not kept recovery information up to date, and hence have no way of actually getting their “free” account back.
Account might be free, but the data stored in an account often represents years of “work” and a real loss for most.
They managed to hack my account! I had been getting the same emails saying someone is trying to get in my facebook account and 2 days ago they actually did it! I don’t know how because I had recently changed my password to a new, strong & unique one that I don’t use anywhere else and I also had 2-factor-authentication turned on. Yet I didn’t receive a prompt asking me for a code or to confirm that it is me trying to log in. Instead I just got an email informing of a login from an unusual location (Vietnam). After that everything happened very quickly – before I was able to react. They changed my password, removed both my email addresses and phone numbers and replaced them with their own, so I can’t log in or recover my account in any way. And then in less than an hour I saw that my account has been deactivated due to ‘violating the community standards’.
Now I’ve been desperately trying to get in touch with someone from Facebook to help me recover my account, but there’s been no response whatsoever.
I don’t understand how they did it. I thought I had a good protection. That’s 18 years of my life shared on Facebook with friends & family – down the drain within minutes!
Good evening sir I get a problem with my account Facebook I can not login because I don’t have my password and even the number and email which are associated with my account I don’t have them, I would like to know if there is another way which can help me to recover my account please you can help with it me name of account olivier lusakila lusambya thank you….
(Sorry for the form response, but I get this question A LOT.)
Please follow the account recovery steps as outlined in this article: https://askleo.com/how-do-i-recover-my-hacked-facebook-account/
If Facebook’s recovery process doesn’t work for you — maybe you don’t have the recovery email or phone — MAKE SURE to follow Facebook’s instructions CAREFULLY and COMPLETELY.
If the Facebook recovery process can’t be made to work, I know of no way to recover the account. If that’s your situation I’m very sorry.
If you DO recover your account you’ll want to check the steps in this article to prevent losing it again: https://askleo.com/facebook-hacked/