Facebook Code Going to the Hacker’s Email? How to Take Back Control in 2026

Watching your verification code land in someone else’s inbox is the worst moment, but it is not the end of the road.

Why your code is suddenly going somewhere else

When you ask Facebook to send a login code and it never reaches you, the reason is almost always the same: whoever broke in has already swapped the email address and phone number on the account for their own. From that point on, every reset link and every six-digit code is delivered to them, not to you. It feels like the door has been bolted from the inside.

The standard “Forgot password” screen is the wrong tool now, and this is where people lose time. It only ever sends the code to whatever contact details are currently on the account, which are the attacker’s. Keep using it and you simply hand them more codes. The way back in is a different flow built for this exact case, where you tell Facebook up front that you can no longer reach the listed email or phone.

Step 1: Start from the compromised-account page, not the login screen

Open facebook.com/hacked from a browser, ideally on a phone or computer you have used to log into this account before. This is the entry point Facebook built for accounts that have been taken over, and it behaves differently from the ordinary password reset. It asks what happened, lets you point to your account by name, email, phone, or username, and then routes you toward identity checks instead of dead-end codes.

If you can still find your profile, you can also open it and use the “Report” path to flag that the account was hacked. The goal at this stage is simply to get into the recovery track designed for takeovers, where the system expects that your normal contact methods are no longer in your hands.

Step 2: Tell Facebook you no longer have access to the listed details

Somewhere in the flow you will reach a screen offering to send a code to the email or phone on file. Because those now belong to the intruder, look for the small link that says something like “No longer have access to these?” and choose it. This is the single most important click in the whole process, and it is the one people miss while they keep refreshing their own empty inbox.

Selecting that option tells Facebook to stop relying on the hijacked contact details and to verify you another way instead. Depending on your account, it may offer a new email address you control, ask you to identify friends, point you to a device you have used before, or invite you to upload a photo of your ID. Pick whichever you can actually complete right now.

Step 3: Use the “recent changes” window while it is open

Facebook knows that hijackers move fast, so it keeps a short grace period after sensitive details are changed. If the attacker only just edited your email or password, the system may show a notice that your information was recently updated and ask, in effect, “was this you?” Saying no can roll the account back to your original details and is often the fastest way home.

This window does not stay open forever, which is exactly why speed matters here. The moment you realize codes are going to a stranger, run the flow above rather than waiting until tomorrow. Acting within the first hours dramatically raises the odds that the revert option is still available to you.

Step 4: If the automated checks fail, escalate with proof of identity

When the quick paths do not clear you, the reliable fallback is the identity review. Facebook will ask for a photo of a government-issued ID (a passport, driver’s license, UMID, or national ID for readers in the Philippines) to confirm the account is yours. Submit a clear, well-lit image where the name matches the profile, and then wait. Reviews usually take from a couple of days to about two weeks.

A few habits make this stage go smoother:

Use a device the account trusts. Running recovery from a phone or computer you have logged in from before makes Facebook far more willing to believe it is really you.
Add a fresh email you control. When asked where to reach you, give a brand-new address the attacker has never seen, so the codes finally come to you.
Keep your ID photo simple. No glare, no cropping out the edges, and a name that matches the profile. Mismatches are the most common reason a review drags on.

Recommended next steps

If you have already tried the steps above and the listed email and phone are both out of reach, the next page goes deeper into the ID-upload and trusted-device routes. And once you are back in, your first job is to push the intruder out for good and turn on stronger protection, because accounts recovered this way are prime targets for a second attempt.

Frequently asked questions

The code only goes to the hacker’s email. How do I get one sent to me?

Stop using the normal “Forgot password” screen and start at facebook.com/hacked. When it offers the old email or phone, choose “No longer have access to these,” then add a new email you control so future codes reach you.

Should I keep requesting new codes in the meantime?

No. Each request only sends another code to the attacker. Switch to the compromised-account flow instead, which verifies you without relying on the hijacked contact details.

Can I still recover the account without giving an ID?

Sometimes. Trusted-device recognition, identifying friends, or the recent-changes revert can clear you without an ID. The ID upload is the fallback for when those automated checks do not succeed.

How long do I have to use the “this wasn’t me” revert?

The grace period is short and Facebook does not publish an exact figure. Treat it as hours, not days, and run the recovery the moment you notice the codes going elsewhere.

Is it safe to pay someone who says they can recover my account fast?

No. Facebook has no paid recovery service, and anyone asking for your password or a fee is running a scam. Every legitimate step happens inside Facebook’s own flows at no cost.

Seeing your codes go to a stranger is frightening, but the takeover flow exists precisely for this. Start at facebook.com/hacked, tell the system you have lost access to the old contacts, lean on the recent-changes revert if it appears, and fall back to an ID check if you need to. Move quickly and most accounts come home.

Sources: Facebook Help Center guidance on hacked and compromised accounts (facebook.com/help) and the Meta Help Center identity-confirmation pages (facebook.com/hacked).

⚠️ Disclaimer: This is an independent informational portal with no official affiliation with Meta Platforms, Inc. or Facebook. We do not perform recovery on your behalf or ask for passwords. Screens and steps can change at any time, so always confirm the current process through Facebook’s official Help Center before completing any action.