What to do about resets you didn’t ask for.
All I can really say is maybe.
I might even go so far as to say probably, but I can’t say yes, since there are other possible explanations.
Let’s review what’s going on.
A request to reset your Facebook password
Confirmation messages with a link or code to confirm a change prevent others from changing your password. You might get a notification if someone is trying to break into your account, or if they mistype your email address instead of their own when trying to reset their own password. As long as your associated email accounts are secure, you can ignore the notification. Enable two-factor authentication for even more Facebook account security.
Facebook password recovery
If you forget your Facebook password, the first step is to click the “Forgot password?” link on the Facebook log-in screen.
That walks you through the process of account recovery, using information you know about the account to prove that you are the rightful owner.
One of those pieces of information is your email address, and in the case of a lost password, you’ll enter the email address of your account and Facebook will send an email to that email address.
Since you don’t know your password, and a secure system won’t tell it to you, the option is simply to set a new password. You prove that you are the rightful owner of the Facebook account by proving your access to the account’s email address. You do that by clicking on a link in that email or typing in the one-time password reset code provided in that email.
That you got two notifications sent to two different accounts is a good thing. It means you have an alternate or additional email address associated with your account. When a password reset notification is sent, it’s sent to all the email addresses associated with your account.
That way, if one of those email accounts gets hacked, you’ll still get notifications on the others that something is going on.
I strongly recommend everyone have at least one alternate email address associated with their Facebook account, and make sure to keep them up to date.
Now let’s look at how those notification emails might be triggered.
Scenario #1: intentional
Say someone knows your email address and they want to hack into your Facebook account. One approach — at least to start — is for that someone to enter your email address into the account recovery process and see if Facebook will let them set a new password for your account.
Naturally, Facebook sends an email to all the email addresses on your account, so you know what’s going on. As long as that hacker-wannabe doesn’t have access to one of your email accounts, they can’t get in. They won’t be able to receive the email message, so they won’t be able to convince Facebook that they’re you.
You can safely ignore the message; your account is secure. Technically you don’t need to change your password, though there’s no harm in doing so if it makes you feel safer.
Scenario #2: accidental
This one isn’t really a hack, since the person doing it isn’t trying to get into your account. They probably have no idea what they’re doing.
They’re trying to log in and getting their own password or email address wrong. Facebook isn’t letting them in. As a result, they try account recovery. They enter their email address, and once again the account-recovery email is sent to all email addresses associated with the account.
The problem? They typed their email address in wrong. What they typed was your email address, not their own. That’s probably why they couldn’t log in in the first place.
It sounds far-fetched, but it’s amazing how often people get their own email address wrong.[1] Repeatedly. Or they just don’t use it often enough to remember exactly what it is — and exactness counts.
They may try several times before giving up or realizing their mistake.
Scenario #3: spam
It’s uncommon, but spam can mimic a password reset request or confirmation.
The spammers are counting on you to panic and quickly click the “it’s not me” or similar link in the notification. That link takes you to a fake website where you’re prompted to sign in to Facebook. Even though it might look like Facebook’s sign-in page, it’s not, and you’ll have handed over your Facebook credentials to a hacker.
As long as your email accounts are secure — you have proper security in place, including two-factor authentication when offered — it’s safe to ignore these notifications. If you choose to click on the “it’s not me” link,[2] then take extra care to confirm that the link truly goes to Facebook, and not a scammer: hover over the link and make sure it goes to who you think it does.
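The “hover over the link” check above is easy to get wrong by eye, because a scam link can contain the words facebook.com without actually going there. This added example (not from Ask Leo!) parses each link in a notification and accepts it only if the real host is facebook.com or a subdomain of it; the trusted-domain list and the sample email body are constructed for the example, not Facebook’s own.

```python
import re
from urllib.parse import urlsplit

# Domain the article tells you to expect. Treating only this domain (and its
# subdomains) as legitimate is an assumption of this example.
TRUSTED_DOMAINS = ("facebook.com",)

def link_goes_to_trusted(url: str, trusted=TRUSTED_DOMAINS) -> bool:
    """True only if the URL is HTTPS and its host is a trusted domain or a subdomain.

    The host is taken from urlsplit() rather than by searching the string, so
    a link such as 'https://facebook.com.something.example/' (lookalike suffix)
    or 'https://facebook.com@something.example/' (user-info before '@') is
    reported as suspicious even though 'facebook.com' appears in it.
    """
    parts = urlsplit(url.strip())
    if parts.scheme.lower() != "https":
        return False
    host = (parts.hostname or "").lower().rstrip(".")
    if not host:
        return False
    return any(host == d or host.endswith("." + d) for d in trusted)

HREF_RE = re.compile(r'href\s*=\s*["\']([^"\']+)["\']', re.IGNORECASE)

def audit_notification(html: str) -> dict:
    """Map every link found in a notification email body to True (trusted) or False."""
    return {url: link_goes_to_trusted(url) for url in HREF_RE.findall(html)}

# Constructed sample notification: one genuine-looking link and three lookalikes.
SAMPLE_EMAIL = """
<p>Someone requested a new password for your account.</p>
<a href="https://www.facebook.com/recover/code">Continue</a>
<a href="https://facebook.com.account-help.example/notme">It's not me</a>
<a href="https://facebook.com@account-help.example/notme">It's not me</a>
<a href="http://www.facebook.com/notme">It's not me</a>
"""

if __name__ == "__main__":
    for url, ok in audit_notification(SAMPLE_EMAIL).items():
        print(("trusted   " if ok else "SUSPICIOUS") + "  " + url)
```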
This happens to me often
Don’t let this scare you too much. As you can see, Facebook has a security system in place. As long as your email accounts are secure, your Facebook account is likely to be secure.
This happens to me all the time. When it happens, I choose to click the “let us know” link to let Facebook know that, no, this was not me trying to change my password. My assumption is that they use this method to identify repeat offenders.
I’ll admit, it’s all a little unnerving, but I try not to sweat it — mostly because I have a not-so-secret weapon.
Facebook supports two-factor authentication, and I have it turned on.
Facebook supports several different forms of two-factor. In my case, even if someone managed to get my password, they’d have to also enter a code texted to my mobile phone.
Without that second factor, they can’t log in.
As you might imagine, enabling some form of two-factor authentication is something I recommend for all your important accounts that support it. Facebook certainly qualifies as important for most people.
Hacking attempt or not?
Ultimately, there’s no way to know whether the attempt to reset your account password was deliberate or accidental. Perhaps you’re a target, or perhaps your email address is similar to that of others.
We’ll never really know.
Maintain the security of your email accounts, and consider adding two-factor authentication. You can rest easy and safely ignore these unexpected notifications.
Footnotes & References
1: This is exactly why so many forms asking for your email address have you enter it twice.
2: I’ll be honest: I usually do.