
Facebook Hacked, Email Changed: How to Regain Access
TL;DR
If a hacker changed the email on your Facebook account, act fast. Within 24 hours, check your old inbox for a Facebook security alert and click "secure my account." Past that window, identity verification at facebook.com/hacked is the main path. Self-service appeals fail in most of these cases.
A stolen Facebook account is bad. A stolen Facebook account where the attacker also changed your registered email is worse, because the normal "Forgot password" flow now sends reset links to the hacker, not to you. This guide walks through every realistic option to regain control, and it explains why most automated appeals come back rejected when this specific attack pattern hits.
What "Email Changed" Actually Means for Your Account
When an attacker breaches a Facebook profile, the first thing they usually do is replace the recovery email and phone number. Sometimes they also enable two-factor authentication on a device you do not own. Once those changes go through, Facebook's standard password reset is useless to you, because every code or magic link goes to the attacker's address.
The good news is that Facebook does send a notification to the original email when this change happens. That notification includes a "Secure your account" link that, if used quickly, can undo the email change and lock the attacker out. The catch is the window: the link typically remains valid for 24 hours, sometimes less, and many users never see the message because it lands in spam or is deleted by the attacker through email forwarding rules they set on a compromised inbox.
The 24-Hour Window: Reverse the Email Change in Your Inbox
Before anything else, open the email account that was originally linked to your Facebook profile. Search for messages from [email protected] or [email protected]. Look specifically for a subject line like "Your Facebook email address has been changed" or "Did you change your email?".
- Open the most recent message from Facebook in your old inbox.
- Find the link labeled "Secure my account" or "If you didn't make this change, reverse it here".
- Click it and follow the prompts. Facebook will roll back the email change and prompt you to set a new password.
- Immediately review login locations, active sessions, and connected apps. Remove anything unfamiliar.
- Turn on two-factor authentication with an authenticator app, not SMS.
If you find the email and the link still works, you are done in under ten minutes. If the link has expired, the attacker deleted the message, or you never received it, skip to the next section.
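As an added example (not part of the original guide, and not code from Facebook or Recover), the inbox check above can be run over an exported mailbox so that Spam and Trash are searched too and the time left in the 24-hour window is computed from each message's Date header. The folder-to-messages dictionary, the function name, and the sample messages are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta, timezone
from email import message_from_string
from email.utils import parsedate_to_datetime

# Subject lines quoted in the guide; 24 hours is the guide's "typical" link lifetime.
ALERT_SUBJECTS = ("your facebook email address has been changed",
                  "did you change your email?")
WINDOW = timedelta(hours=24)

# Constructed sample export: sender and dates are placeholders, not real Facebook values.
SAMPLE = {
    "Inbox": ["From: sender@example.invalid\nSubject: Weekly newsletter\n"
              "Date: Mon, 03 Mar 2025 08:00:00 +0000\n\nhello\n"],
    "Spam": ["From: sender@example.invalid\nSubject: Did you change your email?\n"
             "Date: Mon, 03 Mar 2025 09:00:00 +0000\n\nbody\n"],
    "Trash": ["From: sender@example.invalid\n"
              "Subject: Your Facebook email address has been changed\n"
              "Date: Sat, 01 Mar 2025 09:00:00 +0000\n\nbody\n"],
}

def find_reversal_alerts(folders, now):
    """folders: {folder_name: [raw RFC 5322 message strings]}; returns hits, newest first."""
    hits = []
    for folder, raw_messages in folders.items():
        for raw in raw_messages:
            msg = message_from_string(raw)
            subject = (msg.get("Subject") or "").lower()
            if not any(s in subject for s in ALERT_SUBJECTS):
                continue  # subject match is triage only; it does not prove the sender
            try:
                sent = parsedate_to_datetime(msg.get("Date", ""))
            except (TypeError, ValueError):
                continue  # unparseable Date header: cannot place it in the window
            if sent.tzinfo is None:
                sent = sent.replace(tzinfo=timezone.utc)  # assumption: naive means UTC
            remaining = sent + WINDOW - now
            hits.append({"folder": folder, "sent": sent, "remaining": remaining,
                         "window_open": remaining > timedelta(0)})
    return sorted(hits, key=lambda h: h["sent"], reverse=True)

if __name__ == "__main__":
    now = datetime(2025, 3, 3, 15, 0, tzinfo=timezone.utc)
    for hit in find_reversal_alerts(SAMPLE, now):
        state = "open" if hit["window_open"] else "expired"
        print(hit["folder"], hit["sent"].isoformat(), state, hit["remaining"])
```

An alert that turns up only in Spam or Trash is itself worth noting, since it points to the filtering or deletion the guide describes.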
After 24 Hours: Identity Verification at facebook.com/hacked
Once the reversal window closes, Facebook routes you to the formal hacked-account workflow. Open facebook.com/hacked and choose "My account is compromised." You will be asked to identify the account by entering an email, phone number, username, or full name. Use any identifier the attacker has not yet wiped.
If Facebook finds the account, it will offer to send a recovery code. When all your recovery methods have been changed, that path dead-ends and the system pushes you toward identity verification. You will be asked to upload a government-issued photo ID that matches the name on the account.
A few practical notes on the ID upload step:
- The name on the document must match the name on the profile exactly. Nicknames, abbreviations, or a married name on the account with a maiden name on the ID will cause the appeal to bounce.
- Take a sharp, well-lit photo with all four corners visible. Glare on a passport or a cropped edge often triggers an automatic rejection.
- Accepted documents include passport, national ID card, and driver's license. Some users get rejected on first attempt with one document type and accepted with another.
- Review can take anywhere from 48 hours to several weeks. Facebook does not provide status updates during this period.
For a broader breakdown of the platform's recovery channels, see our guide on recovering a hacked Facebook account.
When Two-Factor Authentication Is Also Compromised
Sophisticated attackers do not stop at changing the email. They also enable 2FA tied to their own device, which blocks the legitimate owner even if a password reset succeeds. Facebook does provide an "I can't access my two-factor authentication codes" option during login, but it routes back to the same identity verification pipeline described above. Our Facebook 2FA lockout guide covers that specific scenario in more detail.
Why Self-Service Recovery Has Such a Low Success Rate
Facebook's automated review system is built for volume, not for nuance. It rejects ID submissions for minor inconsistencies, ignores context that a human reviewer would catch, and provides no avenue to explain unusual situations such as a recently changed legal name, a profile created years ago under different details, or a business page where the original admin no longer matches the current operator.
Independent reports and consumer protection studies consistently put the success rate of self-service appeals on hacked accounts in the single digits. The hardest variant is exactly the one this article addresses: account compromised, email changed, and 2FA enabled. The automated path almost never resolves that combination.
Recover's success rate on hacked Facebook cases where the email was changed is 97%, with 96% of cases resolved within 30 days. The service uses legal arguments under GDPR and the Digital Services Act to reach human reviewers inside Meta, rather than relying on the automated appeal forms.
Your Legal Rights Under GDPR and the Digital Services Act
European users have leverage that most people never use. Under GDPR Article 15, you have the right of access to personal data held by Meta, including data tied to a profile under your name. Under the Digital Services Act, very large online platforms are required to provide an "internal complaint-handling system" and a path to out-of-court dispute settlement when account actions are challenged.
These rights exist on paper. Using them effectively requires citing the right article, addressing the request to the correct legal entity (Meta Platforms Ireland for EU users), and following up through the prescribed channels. This is a paperwork process, not a technical one.
How Professional Recovery Differs From a Standard Appeal
A professional recovery service such as Recover does not submit the same form ten times in different words. The legal department drafts a formal request that frames the case under applicable law, attaches the documents Meta's review team actually needs, and sends it through channels designed for legal correspondence rather than user support. That is why outcomes diverge so sharply from self-service results.
Recover's pricing is one-time and outcome-aligned. A personal Facebook profile recovery is €290. A business profile or Page is €690. A pay-after-recovery option is available, with a €19 verification deposit upfront and the balance charged only on successful restoration. Pricing details and tiers are listed on the service page.
What to Do Right After You Get Your Account Back
Recovery is only half the job. Within the first hour after access is restored:
- Change the password to something long and unique. Use a password manager.
- Remove all unfamiliar email addresses and phone numbers from Settings > Accounts Center > Personal details.
- Review Security and login > Where you're logged in and end every unrecognized session.
- Disable any 2FA method the attacker set up and re-enable 2FA on a device you control, using an authenticator app.
- Check connected apps and remove anything you do not actively use.
- Audit recent posts, messages, and friend list changes. Attackers often run scams against your contacts before the account is reclaimed.
Our Facebook account security guide covers the full hardening checklist.
FAQ
How long do I have to reverse a hacker's email change on Facebook?
The "Secure my account" link in the original notification email usually stays valid for around 24 hours. If you spot the email within that window, one click can undo the change. After it expires, identity verification through facebook.com/hacked is the main remaining path.
Can I recover my Facebook account if the hacker also enabled two-factor authentication?
Yes, but it becomes harder. Facebook offers an "I can't access my two-factor authentication codes" option during login, which routes through identity verification with a government ID. Success on this combined scenario through self-service is low; legal escalation under GDPR and the DSA materially improves the odds.
What if Facebook keeps rejecting my identity documents?
Automated review often rejects valid IDs for minor issues: glare, a cropped corner, a name mismatch with the profile. Try a different document type and a higher-resolution photo. If repeated submissions fail, a professional recovery service can escalate the case through legal channels rather than the user-facing form.