Secure Facebook After a Hack: Remove Hidden Access and Turn On 2FA in 2026
Getting back in is a relief, but a quiet intruder can still be watching from a corner you have not checked yet.
Getting back in is only half the job
There is a particular kind of dread that comes after you recover a hacked account: the nagging sense that whoever broke in might still be there, silent, reading messages, waiting to lock you out again. That fear is not paranoia. Attackers routinely plant ways back in before they are pushed out, and a recovered account that is not cleaned up is one of the most common to be hijacked a second time.
The fix is to work through the account methodically, closing every door the intruder could have left ajar. It takes about twenty focused minutes, and at the end you can actually exhale. The four steps below cover hidden sessions, the traps attackers leave behind, your own devices, and the lock that stops it all from happening again.
Step 1: End every session and remove unknown devices
Changing your password does not automatically kick out someone already signed in elsewhere, which is why this is the very first move. Go to Settings » Security and login (or Password and security) and open the section that lists where you are logged in. You will see every active session, with rough locations and device types.
Scan the list for anything you do not recognize (an unfamiliar city, a device you have never owned, a browser you do not use) and log it out individually. Better still, use the option to log out of all sessions at once, then sign back in only on your own devices. This single action drops the intruder out of the account in real time.
Step 2: Undo the traps left behind
An attacker’s goal is rarely a one-time visit; it is lasting access. So before you relax, hunt for the quiet changes they make to slip back in later. Check the email addresses and phone numbers linked to the account and delete any you did not add, because a stray recovery email is a permanent back door. Review your linked authentication apps and login alerts too.
If you run a Page or use Meta Business Suite, look there as well. Intruders sometimes add themselves as an admin, connect a rogue business account, or change payment details to run ads on your card. Remove any person or asset you do not recognize, and confirm that you are the only full admin. This is the step people skip, and it is the one that most often lets a hacker return.
Step 3: Clean your own devices
Sometimes the breach did not start on Facebook at all; it started on your phone or computer. A keylogger or a malicious app quietly records what you type, including the new password you just set, and hands the account straight back to the attacker. Recovering the account without cleaning the device is like changing the locks while the thief still holds a copy of the key.
Run a full scan with a trusted, up-to-date security tool on every device you use to log in. Remove apps and browser extensions you do not remember installing, especially anything that promised free followers, game coins, or “who viewed your profile.” Update your operating system and browser, since those updates close the exact holes that malware exploits.
Step 4: Turn on two-factor authentication and harden the account
This is the lock that changes everything. With two-factor authentication on, your password alone is no longer enough to get in, so even a stolen password is useless without the second code. Set it up under Security and login, and choose an authenticator app over SMS where you can, since app codes cannot be intercepted by a SIM swap. A few more settings finish the job:
Recommended next steps
With the intruder out and 2FA in place, the last thing worth doing is making this level of protection your new normal across every account that matters. The two guides below cover the security tools that automate most of this and the password setup that closes the door attackers use most.
Frequently asked questions
I recovered my account. How do I know the hacker is really gone?
Open the list of active sessions in Security and login and end all of them, then sign back in only on your own devices. After that, remove any unknown linked email or phone, since those are how an intruder quietly returns.
Why does two-factor authentication matter so much?
It adds a second step that only you can complete, so even someone who knows your password cannot sign in. It is the single change that most reduces the risk of being hacked again.
Should I check my devices for malware after a hack?
Yes. Many takeovers start with a keylogger or a malicious app that captured your password. Run a full scan with an up-to-date security tool and remove anything you do not recognize before trusting the device again.
The hacker added themselves to my Page. How do I remove them?
In Meta Business Suite or your Page settings, review the people with access and remove anyone you did not add, then confirm you are the only full admin. Also check that no rogue payment method was attached for ads.
Is SMS or an authenticator app better for 2FA?
An authenticator app is safer. It works without signal and cannot be stolen through a SIM swap, a trick that can intercept text-message codes. Use SMS only if an app is not an option for you.
The fear after a hack fades once you have actually closed the gaps. End the hidden sessions, strip out the linked emails and admins you did not add, scan your own devices, and switch on two-factor authentication. Do that and the account stops being an open target and becomes one of the hardest on the platform to break into.
Sources: Facebook Help Center guidance on securing a hacked account and the Security and Login settings (facebook.com/help), and Meta’s two-factor authentication documentation (facebook.com/help/2fac).
