Facebook Business Account Hacked — Recovery Guide


Quick Answer

If your Facebook Business account has been hacked, act immediately: revoke all unrecognized admin access, change your password, remove unfamiliar payment methods, and report the compromise to Meta at facebook.com/hacked. Every hour of delay means more budget spent by attackers and more damage to reverse. File a compromised account report — do not wait for organic support response.

Why This Happens

Phishing attack via fake Meta email or support message

The most common entry vector for business account hacks is a phishing email that impersonates Meta's policy team, ad review team, or billing department. These emails create urgency (threatening account suspension or requesting verification) and direct the target to a fake login page that captures credentials. Facebook employees will never DM you asking for your password or 2FA codes — any such request is a phishing attempt.
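Because the lure is almost always a link to a fake login page, the one check that catches most of these emails is mechanical: what is the registrable domain of the link, and is it actually a Meta domain? The following is an added example written for this guide (not code from the page's author or from Meta) that pulls a URL apart with the standard library and flags the tricks phishing kits use: a Meta brand name buried in a subdomain (`facebook.com.account-review.example`), userinfo in front of the real host (`https://facebook.com@evil.example/`), punycode or non-ASCII homoglyph labels, bare IP addresses, and plain http. The `META_DOMAINS` list and the two-label `registrable_domain` simplification are assumptions for the example; verify the domain list against Meta's own documentation before relying on it.

```python
import ipaddress
from urllib.parse import urlsplit

# Domains this check treats as Meta-operated. This is an assumption for the
# example; confirm the list against Meta's own documentation before using it.
META_DOMAINS = {"facebook.com", "fb.com", "meta.com", "instagram.com",
                "messenger.com", "facebookmail.com"}


def registrable_domain(host):
    """Last two labels of the host ('business.facebook.com' -> 'facebook.com').
    A simplification that is right for the .com/.net domains in META_DOMAINS but
    wrong for country second-level TLDs such as co.uk; use a public-suffix list
    for a general-purpose tool."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def classify_link(url):
    """Return (verdict, reason) for a link copied out of an email or message.
    verdict is 'meta' (host on a Meta domain over https), 'suspect' or 'invalid'."""
    parts = urlsplit(url.strip())
    host = parts.hostname  # already lower-cased, without userinfo or port
    if parts.scheme not in ("http", "https") or not host:
        return "invalid", "not an http(s) URL with a hostname"
    if parts.username is not None:
        # 'https://facebook.com@evil.example/' shows 'facebook.com' first in many mail clients
        return "suspect", f"userinfo '{parts.username}' in front of the real host {host}"
    try:
        ipaddress.ip_address(host)
        return "suspect", "bare IP address instead of a domain name"
    except ValueError:
        pass
    if not host.isascii() or any(label.startswith("xn--") for label in host.split(".")):
        return "suspect", "internationalised label, possible homoglyph of a Meta domain"
    reg = registrable_domain(host)
    if reg in META_DOMAINS:
        if parts.scheme != "https":
            return "suspect", f"{reg} over plain http"
        return "meta", f"registrable domain {reg}"
    # 'facebook.com.account-review.example' or 'facebook-security.example'
    brands = {d.split(".")[0] for d in META_DOMAINS}
    hit = next((b for b in brands if b in host), None)
    if hit:
        return "suspect", f"'{hit}' appears in the host but the registrable domain is {reg}"
    return "suspect", f"registrable domain {reg} is not a Meta domain"


if __name__ == "__main__":
    for u in ("https://www.facebook.com/hacked",
              "https://facebook.com.account-review.example/login",
              "https://facebook.com@evil.example/",
              "https://xn--fcebook-8ra.com/"):
        print(u, "->", classify_link(u))
```

Run it against the link you would otherwise click: anything other than `meta` means you type facebook.com into the address bar yourself instead.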

Compromised team member account with admin access

Business Managers with multiple admins are only as secure as their least-secure team member. If a freelancer, former employee, or contractor who has admin access to your Business Manager is phished or their account is compromised, attackers gain full access to everything that person could access — including your ad accounts, payment methods, and Pages. This is the most common attack vector for agency accounts and larger teams.

Malware or session hijacking on an admin's device

Attackers can steal active browser sessions through malware, browser extensions, or man-in-the-middle attacks — bypassing 2FA entirely because they capture a valid session token rather than credentials. Session hijacking is particularly difficult to detect because there's no failed login attempt and the attacker's actions appear to come from the legitimate user's session. Browser session tokens for Meta can remain valid for extended periods.

Reused or weak passwords across multiple services

If the password for a Business Manager admin's Facebook account was reused from another service that suffered a data breach, attackers can obtain valid credentials without any phishing. Credential stuffing attacks — using lists of leaked username/password pairs against major platforms — are automated and run continuously. Business accounts connected to personal Facebook profiles are especially vulnerable when personal account security is weak.
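The practical check for this vector is whether an admin's password already sits in a public breach corpus, which is exactly what credential-stuffing lists are built from. The following is an added example for this guide (not the page's or Meta's code) of the k-anonymity lookup against Have I Been Pwned's Pwned Passwords API: only the first five hex characters of the password's SHA-1 are sent, and the match is done locally against the returned range. The API endpoint and the `Add-Padding` header are the real ones; the sample range response is constructed for the offline demonstration, and `fetch` is injectable so the logic can be exercised without network access.

```python
import hashlib
import urllib.request

# Pwned Passwords range endpoint (Have I Been Pwned). The API is real; the sample
# response further down is constructed for this example.
HIBP_RANGE = "https://api.pwnedpasswords.com/range/"


def hibp_prefix_suffix(password):
    """Uppercase SHA-1 hex of the password, split into the 5-character prefix that is
    sent to the API and the 35-character suffix that never leaves this machine."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def count_in_range(suffix, range_body):
    """Parse a range response (one 'SUFFIX:COUNT' per line) and return the breach
    count for our suffix, 0 if it is absent. Padding lines carry a count of 0."""
    for line in range_body.splitlines():
        if ":" not in line:
            continue
        candidate, count = line.strip().split(":", 1)
        if candidate.upper() == suffix:
            return int(count)
    return 0


def breach_count(password, fetch=None):
    """How often the password appears in HIBP's breach corpus. `fetch(prefix)` is
    injectable so the check can run offline; the default does the HTTPS call with
    Add-Padding so the response size does not reveal how many suffixes matched."""
    prefix, suffix = hibp_prefix_suffix(password)
    if fetch is None:
        def fetch(p):
            req = urllib.request.Request(
                HIBP_RANGE + p,
                headers={"Add-Padding": "true", "User-Agent": "bm-admin-password-audit"})
            with urllib.request.urlopen(req, timeout=10) as resp:
                return resp.read().decode("utf-8")
    return count_in_range(suffix, fetch(prefix))


# Constructed stand-in for GET /range/5BAA6 (the prefix of SHA-1("password")).
# The second line's suffix is the real one for "password"; the counts and the
# other suffixes are made up.
SAMPLE_RANGE_5BAA6 = (
    "0000000000000000000000000000000001A:3\r\n"
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:12345\r\n"
    "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF:0\r\n"
)

if __name__ == "__main__":
    # Offline demo against the constructed range; drop the fetch= argument for a live check.
    for pw in ("password", "x7!Rk2#vLq9$wEz@"):
        print(pw, "->", breach_count(pw, fetch=lambda p: SAMPLE_RANGE_5BAA6))
```

A non-zero count means the password must be retired, not just rotated to a variant: credential-stuffing tools try common mutations of leaked passwords too.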

Rogue third-party app with overly broad permissions

Marketing tools, scheduling apps, CRM integrations, and other third-party apps that connect to your Facebook Business account sometimes request broad permissions. If one of these apps is compromised, sold to a bad actor, or has security vulnerabilities, attackers can use the app's permissions to make changes to your ad accounts, payment methods, or Business Manager settings without ever logging in directly.

Step-by-Step Recovery

1

Immediately revoke all unrecognized admin access

In Business Settings, open Users → People and remove every person you don't recognize, then open Users → Partners and remove any partner business you didn't add, and Users → System Users and delete any system user you didn't create (system users carry API tokens that are not invalidated by a password change). Cancel any pending invitations you didn't send. Do this before changing your password: a password reset on your personal profile does not touch Business Manager roles, so an attacker-added backup admin or system user would keep full access after the reset.

2

Change your password and log out all other sessions

Go to Facebook Settings → Security and Login → Change Password. After changing your password, scroll down to 'Where You're Logged In' and click 'Log Out of All Sessions.' This terminates all active sessions including any the attacker may be using. Enable login alerts if not already active — you'll be notified of any new login attempts.

3

Enable 2FA on all admin accounts immediately

If 2FA wasn't enabled (or was bypassed), enable it now on every account that has Business Manager access. Use an authenticator app (Google Authenticator, Authy) rather than SMS-based 2FA — SIM swapping makes SMS 2FA vulnerable. Require all other admins on your Business Manager to also enable authenticator-based 2FA as a condition of continued access.

4

Pause all campaigns and remove unrecognized payment methods

Immediately pause all active campaigns to stop the budget bleed. Then go to Billing → Payment Settings and remove any payment methods you didn't add. Before removing them, record each one (type, last four digits, date added) and screenshot the billing history: Meta's investigation and any later dispute will ask for this, and charges run on payment methods the attacker added may themselves be fraudulent (stolen cards), which changes how the case is handled. Review the full billing history to establish the complete scope of unauthorized spend.

5

Report the compromise to Meta through official channels

Go to facebook.com/hacked and follow the compromised account recovery flow. In your Business Manager, go to Help → Report a Problem and file a detailed report explaining that your account was accessed without authorization. Document everything: dates, unauthorized actions taken, payment amounts charged, pages or assets transferred. The more specific your report, the faster Meta's security team can act.

6

Audit all Pages, pixels, and Business Manager assets

Check whether any Pages were unpublished, removed from your Business Manager, or transferred to other Business Managers. Check your pixels to see if any were shared with unknown Business Managers. Review your Apps section for any applications added without your authorization. Attackers sometimes transfer valuable assets (Pages with large followings, established pixels) to other accounts as part of the attack.

7

Document all unauthorized charges and file a dispute if appropriate

Compile a complete record of unauthorized ad spend: campaign names, dates, amounts, and targeting details. Meta's fraud investigation needs this documentation, and so does any later card dispute. Note that disputing Meta charges through your bank, even genuinely unauthorized ones, can trigger account restrictions that complicate recovery, so ask Meta's support team which channel to use for recovering fraudulent charges before filing a chargeback.

8

Conduct a full security audit before restoring access

Before restoring full operations, audit every access point: review all admin accounts and remove anyone who no longer needs access, revoke all third-party app permissions that aren't actively needed, check email accounts of all admins for signs of phishing compromise, and verify that all admins have enabled 2FA. Consider using dedicated devices or browser profiles for Business Manager access to isolate session data. Running high-budget campaigns through agency infrastructure like AdsInfra provides additional account-level isolation that limits the blast radius of any future compromise.
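Steps 1, 6 and 7 are the same operation on three lists: compare what Business Manager currently contains against what you know you created, and write down the difference. The following is an added example for this guide (not the page's or Meta's code) that does that triage offline over constructed sample data. The three JSON blobs mirror the `{"data": [...], "paging": {...}}` envelope the Graph API returns; the edge names they stand in for (`business_users`, `pending_users`, `agencies`), the `role` values and the CSV column names of the campaign export are assumptions to confirm against the current Business Management API and Ads Manager export before running this against a live token. The allowlists, emails, partner IDs and amounts are all made up.

```python
import csv
import io
import json
from decimal import Decimal

# Constructed sample data. The JSON blobs mirror the {"data": [...], "paging": {...}}
# envelope the Graph API returns; the edges they stand in for (business_users,
# pending_users, agencies) and the field names are assumptions to verify against the
# current Business Management API reference before pointing this at a live token.
BUSINESS_USERS = json.loads("""{"data": [
  {"id": "1", "name": "Ana Owner", "email": "ana@example.com", "role": "ADMIN"},
  {"id": "2", "name": "Ben Buyer", "email": "ben@example.com", "role": "EMPLOYEE"},
  {"id": "3", "name": "mk77", "email": "mk77@mailbox.example", "role": "ADMIN"}
], "paging": {"cursors": {"before": "x", "after": "y"}}}""")
PENDING_USERS = json.loads("""{"data": [
  {"id": "p1", "email": "backup.admin@mailbox.example", "role": "ADMIN"}
], "paging": {}}""")
AGENCIES = json.loads("""{"data": [
  {"id": "900001", "name": "Our Agency LLC"},
  {"id": "900777", "name": "Growth Partners"}
], "paging": {}}""")
# Constructed campaign export; column names are assumed to match an Ads Manager CSV export.
SPEND_CSV = """Campaign name,Reporting starts,Reporting ends,Amount spent (USD)
Spring Sale - Prospecting,2024-05-01,2024-05-07,1250.40
Spring Sale - Retargeting,2024-05-01,2024-05-07,310.00
cpa-promo-03,2024-05-06,2024-05-07,4899.12
cpa-promo-04,2024-05-06,2024-05-07,5120.00
"""

# What the business owner knows to be legitimate (constructed).
ALLOWED_EMAILS = {"ana@example.com", "ben@example.com"}
KNOWN_AGENCY_IDS = {"900001"}
KNOWN_CAMPAIGNS = {"Spring Sale - Prospecting", "Spring Sale - Retargeting"}


def unrecognized_users(envelope, allowed_emails):
    """Users or pending invites whose email is not on the allowlist, admins listed first."""
    rows = [u for u in envelope.get("data", [])
            if u.get("email", "").lower() not in allowed_emails]
    return sorted(rows, key=lambda u: (u.get("role") != "ADMIN", u.get("email", "")))


def unknown_partners(envelope, known_ids):
    """Partner businesses not on the known list; each one may hold access to your assets."""
    return [p for p in envelope.get("data", []) if p.get("id") not in known_ids]


def unauthorized_spend(csv_text, known_campaigns):
    """Spend per campaign you did not create, plus the total. Decimal keeps cents exact."""
    per_campaign = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        name = row["Campaign name"]
        if name in known_campaigns:
            continue
        per_campaign[name] = per_campaign.get(name, Decimal("0")) + Decimal(row["Amount spent (USD)"])
    return per_campaign, sum(per_campaign.values(), Decimal("0"))


def triage_report(users, pending, agencies, spend_csv):
    """Findings in the order the recovery steps act on them, ready to paste into the report."""
    per_campaign, total = unauthorized_spend(spend_csv, KNOWN_CAMPAIGNS)
    out = ["Unrecognized users (remove):"]
    out += [f"  {u['role']:<9} {u['email']}" for u in unrecognized_users(users, ALLOWED_EMAILS)]
    out.append("Pending invitations (cancel):")
    out += [f"  {u['role']:<9} {u['email']}" for u in unrecognized_users(pending, ALLOWED_EMAILS)]
    out.append("Unknown partner businesses (remove):")
    out += [f"  {p['id']} {p['name']}" for p in unknown_partners(agencies, KNOWN_AGENCY_IDS)]
    out.append("Unauthorized spend:")
    out += [f"  {name}: {amount}" for name, amount in per_campaign.items()]
    out.append(f"  TOTAL: {total}")
    return "\n".join(out)


if __name__ == "__main__":
    print(triage_report(BUSINESS_USERS, PENDING_USERS, AGENCIES, SPEND_CSV))
```

The same allowlist diff applies to system users and to the assigned-user lists of each ad account, Page and pixel; the point is to keep the "known good" lists in version control before an incident so the comparison is trivial during one. The `TOTAL` line is the figure that goes into the `$[AMOUNT]` field of the appeal template.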

Appeal Template

Copy this template and fill in the bracketed sections with your specific information. Customize it — don't send it as-is.

Appeal Letter Template
Subject: Compromised Business Account Report — Business Manager [BM_ID]

Dear Meta Security Team,

I am reporting unauthorized access to my Facebook Business Manager account [BM_ID] associated with [BUSINESS_NAME].

Incident details:
- Date discovered: [DATE]
- Business Manager ID: [BM_ID]
- Primary ad account affected: [ACCOUNT_ID]
- Estimated unauthorized ad spend: $[AMOUNT]

Unauthorized actions taken by attacker:
- [List each unauthorized action: campaigns created, payment methods added, pages transferred, admins added, etc.]
- [Include dates and specific details for each action]

Actions I have already taken:
- Changed password and logged out all sessions on [DATE]
- Enabled two-factor authentication on [DATE]
- Removed unrecognized users from Business Manager on [DATE]
- Paused all unauthorized campaigns on [DATE]
- Removed unauthorized payment methods on [DATE]

I request:
1. Reversal of unauthorized ad spend charged to my payment method ([LAST 4 DIGITS OF CARD])
2. Restoration of any assets transferred without my authorization
3. Review of account security to identify the attack vector

I am the verified business owner of [BUSINESS_NAME], incorporated in [STATE/COUNTRY] in [YEAR].

Supporting documentation attached:
- Screenshots of unauthorized campaigns and charges
- Business registration or incorporation documents
- Government-issued ID

Please respond to [YOUR EMAIL]. Thank you for your urgent attention to this matter.

[YOUR NAME]
[YOUR TITLE]
[COMPANY NAME]
[PHONE NUMBER]
[DATE]

Prevention Checklist

  • Enable authenticator-based 2FA on every account with Business Manager access
  • Audit Business Manager People and Partners access quarterly — remove anyone who no longer needs it
  • Never click links in emails claiming to be from Meta's policy or billing team — go directly to facebook.com
  • Use a dedicated browser profile or device for Business Manager access
  • Review and revoke third-party app permissions in Business Settings monthly
  • Require all admins to use unique, strong passwords managed in a password manager
  • Set up login alerts and unusual activity notifications in Facebook Security Settings
  • Store a recovery code for your 2FA method in a secure offline location

Expected Timeline

Resolution Timeline

Immediate lockout: 1-4 hours. Full account restoration: 3-14 business days depending on damage severity

AdsInfra

Scaling past $50k/mo?

High-spend advertisers avoid downtime by running through agency ad accounts. AdsInfra provides enterprise infrastructure used by brands spending $3M/day across Meta, TikTok, and Google.

  • Backup accounts on standby from day one
  • 24/7 human support with direct escalation
  • Zero spend caps — scale to your budget

Frequently Asked Questions

Can Meta reverse the unauthorized ad charges from a hack?
Meta's fraud team does investigate and sometimes reverse unauthorized charges when there's clear evidence of compromise. The key is reporting promptly through facebook.com/hacked and providing detailed documentation of the unauthorized activity. Do not file a chargeback with your bank before exhausting Meta's internal dispute process — chargebacks on Meta charges can trigger account restrictions or disablement that complicates recovery further.
The attacker added themselves as an admin — can I remove them even though I'm locked out?
If you're fully locked out of your Facebook account, use facebook.com/hacked to initiate account recovery. Meta's recovery flow allows you to verify your identity and regain access even if your email and phone have been changed. If your Business Manager was compromised but your personal Facebook account still works, you can remove unauthorized users directly from Business Settings. If both are compromised, Meta's identity verification process is your only path back in.
How do attackers bypass two-factor authentication?
Session hijacking is the most common bypass — attackers steal an existing authenticated browser session rather than logging in fresh. This is done via malware that extracts session cookies from the browser, or through malicious browser extensions. Real-time phishing attacks that relay credentials and 2FA codes instantly also work. The defense is regular session management (logging out inactive sessions), avoiding logging into Business Manager on shared or unfamiliar devices, and using hardware security keys instead of authenticator apps for highest-value accounts.
Do I need to rebuild my pixel and audiences after a hack?
If the attacker shared your pixel with their Business Manager, the pixel connection should be severed once you remove unauthorized users and partners. Your pixel data (historical event data) should remain intact in your Business Manager. Check Events Manager after recovering access — if your pixel shows no recent events, it may have been deleted or replaced. Custom audiences built from pixel data typically persist unless the pixel itself was deleted.
How do agency ad accounts protect against hack damage?
Agency ad accounts through providers like AdsInfra are owned by the agency's Business Manager infrastructure, which is separate from your personal or business Facebook accounts. Even if your personal Meta account is compromised, the attacker doesn't automatically gain access to the agency-owned ad account. This account-level separation limits the blast radius of any compromise — a critical advantage for advertisers running significant daily spend who can't afford to have their entire ad infrastructure taken down.
