Has your Facebook account been “hijacked” and you can’t get in? Stay calm: the platform has a recovery process designed exactly for these situations, both from the mobile app and from the browser on your computer, and it works with a temporary six-digit code that arrives by SMS or email, plus it lets you log out of all open sessions to kick the intruder out immediately. In this guide we condense the official procedure and explain how to complete each step without getting lost, with some key reminders so everything flows smoothly. Ready to regain control and harden your profile as if you were enabling 2FA on your favorite service?
First steps: identify your account and choose how to verify
The first thing is to start the password reset process from the login screen. On mobile, open the Facebook app and tap the help option, then access ‘Forgot password?’, while on a computer you just need to go to facebook.com and click the ‘Forgot password?’ link located under the password field. In both cases, the system will ask you to enter the email address or phone number you use to sign in so it can find your profile; if you never added a phone number, use the email, and if you have both, either will work.
Once your account is detected, choose the recovery method: receive a code by email or SMS, and on a computer you can also verify by signing in with your Google account as an alternative that skips the code step. When you request the code, open your inbox or messages and find the Facebook message with the six-digit code; enter it in the corresponding field and confirm immediately, since it expires after a few minutes, and if it doesn’t arrive or too much time has passed, use the resend option to generate a new one as you would with any OTP on a cloud platform.
Step by step: mobile and desktop to reset your password
On mobile, after entering the code, the assistant takes you to the password change screen; set a new password and, when Facebook asks whether you want to log out of other devices, accept so your account is signed out on any phone, tablet or computer where it was open, which also ejects the attacker. From that moment on, you sign in with the newly created password and can continue as normal.
On a computer, the flow is very similar: after clicking ‘Forgot password?’, enter your email or phone and confirm; choose whether you want to receive the code by email or SMS, or verify your identity with your Google account, which in practice acts as a federated login and lets you skip the code. If you choose the code, enter it and continue; the system will ask you to type the new password and, when you save it, will offer to log out of all active sessions so that access remains only on the device you are using. This global logout works like revoking sessions on other services: it clears old tokens and minimizes the risk that the intruder remains inside.
If you can’t get in or your information has been changed: use the compromised account tool
And if the attacker changed your email, phone or even your name? In that case, use Facebook’s compromised accounts tool, which guides you through a specific recovery flow. Start by identifying your account with the email or phone number you remember, enter the last valid password you recall and select the reason that describes your situation (for example, if you’ve seen posts or events you didn’t create or if someone accessed the account without permission). From there, Facebook will evaluate recent activity and allow you to set a new password, keep your current name or restore it if appropriate, and review changes so you can revert or delete settings and posts you don’t recognize.
If the attacker removed your recovery methods, provide any previous contacts (emails or numbers you used before) when you open the case, since that helps verify your identity. Keep in mind that, although Facebook takes these incidents very seriously, it can’t always guarantee immediate recovery, so it’s wise to be patient and follow up politely if days pass; if you feel ignored, insist firmly but kindly. Important: avoid turning to third parties promising ‘miracle’ fixes for your account; besides being a bad idea, it can make the problem worse. Finally, when you regain access, enable two-step authentication to require an extra code on each sign-in and consider changing your password regularly, because that extra layer is what really makes the difference against opportunistic attacks that rely on captured credentials or brute-forcing weak passwords.