How attackers compromise Facebook accounts and how to lock yours down.
Facebook accounts are high-value targets because of what they grant access to — private messages with friends and family, photos accumulated over a decade or more, group memberships, marketplace activity, login credentials to other sites that use "Sign in with Facebook", and crucially Facebook Business Manager access for users with business assets. Compromised personal accounts are used for scams against friends; compromised business accounts can result in five and six figure ad-spend losses.
The threat landscape for Facebook overlaps significantly with Instagram (both are Meta) but with some Facebook-specific patterns: heavy focus on Marketplace scams, business account takeover for ad-spending, and exploitation of older accounts with weaker security setups (Facebook accounts predate modern 2FA standards; many long-time users still have weak protections from earlier eras).
For account holders, the right framing is the same as Instagram: assume your password will be in some breach, build defences that work even when your password is compromised. Facebook adds the Business Manager dimension for some users — that requires its own additional protections because of the financial-loss potential.
Conceptual attack categories, not exploitation procedures. Understanding these patterns is what lets you recognise and defend against them.
Same pattern as Instagram and most other accounts — attackers test breached credentials from other sites against Facebook. Facebook accounts often predate modern password practices, so reused or weak passwords are common. High-volume background attack against essentially every Facebook user.
Common variants include "your account will be deleted for community standards violations", "log in to dispute a copyright claim", "verify your identity to keep your account active". Each leads to a fake login page capturing credentials. Facebook business pages get heavily targeted because the business owner is more likely to fall for "your page will be deleted" urgency.
Info-stealing malware on victim's device captures Facebook session cookies, allowing attacker login without password. Common via malicious browser extensions, fake software downloads, pirated software bundles. Stolen Facebook sessions are sold in bulk on underground markets.
Many Facebook business accounts have multiple users with various permission levels. Compromise of any one user with admin access can lead to total account takeover. Once attacker has admin access, they typically add their own user, lock out legitimate admins, and run massive ad campaigns charged to the original owner's payment method.
Facebook Marketplace transactions sometimes lead to phishing — buyer or seller asks the other to verify identity via a "Facebook verification" link that is actually a credential phishing page. The marketplace context makes targets less suspicious of the unusual flow.
Attackers contact victims claiming to be Facebook support warning of account compromise, then convince victims to "verify" by entering credentials, codes, or installing remote-access software. Older users disproportionately targeted because they may not know what legitimate Facebook support communication looks like.
Browser extensions with broad permissions can read Facebook cookies and exfiltrate them to attackers. Extensions that promise Facebook-related functionality (analytics, themes, message export) are particularly suspicious; many are deliberately designed for cookie theft.
Signs that your facebook accounts may have been compromised:
Facebook sends notifications when your account logs in from a new device. Receiving these for logins you did not make is the strongest single signal of compromise. Check Facebook Settings → Security → Where You're Logged In to see all current sessions.
Compromised accounts are typically used for spam (cryptocurrency scams, phishing links, fake giveaways), often posted to your timeline or sent as messages to your friends. If your friends mention seeing posts from you that you did not make, the account is compromised.
Facebook emails you when password, email, phone, or recovery options change. Receiving these emails for changes you did not make is strong evidence of compromise. Often the first sign because attackers change recovery options to lock you out.
Compromised accounts sometimes accept many friend requests automatically (to expand attack surface for scam targeting). Sudden appearance of friends you do not recognise is suspicious.
Password no longer works, you have not changed it. Almost certainly compromise — attacker changed the password. Use Facebook's account recovery flow immediately.
Compromised Facebook Business accounts are typically used for fraudulent ad spend — campaigns you did not create using your payment method. Check Ads Manager regularly; alert on unexpected charges. By the time you notice large unexpected charges, significant money may already be lost.
Concrete actions ranked by impact. Items marked critical are the highest-leverage protections; do those first.
In Facebook Settings → Security and Login → Two-Factor Authentication, choose "Authentication App". Avoid SMS-based 2FA — vulnerable to SIM swap. Facebook also supports hardware security keys for the strongest protection. App-based or hardware-key 2FA defeats credential-stuffing attacks even when your password is in a breach.
Password manager generating a unique strong password for Facebook. Long-time Facebook users are particularly likely to have weak or reused passwords from earlier eras; updating to a unique strong password is high-leverage even if you cannot remember the last time you changed it.
Facebook lets you nominate trusted contacts (3-5 friends) who can help you recover access if locked out. Set this up BEFORE you need it. The recovery experience is significantly faster when trusted contacts are pre-configured.
Business Manager admins should enforce 2FA for all users with account access. One employee with weak credentials can compromise the entire business account. Settings → Business Settings → Security Center supports the enforcement.
Settings → Apps and Websites shows everything with Facebook access — old games, abandoned services, third-party logins. Revoke anything you do not actively use. Many older Facebook accounts have dozens of forgotten app connections each representing a potential attack vector.
Settings → Security and Login → Where You're Logged In shows all current sessions. Log out anything unfamiliar; change password if you find unauthorised sessions.
Facebook does not contact users via email, message, or call asking for credentials, payment, or to install software. Any such outreach is essentially always a scam. Real account issues are handled through the Facebook help centre and in-app notifications.
Set spending limits on ad accounts so even if compromise occurs, financial damage is bounded. Daily and lifetime spending limits available in Ads Manager. Combined with monitoring, limits convert "catastrophic loss" scenarios into "manageable incident".
Extensions promising Facebook-specific functionality (themes, message export, friend management, analytics) are common cookie-theft vectors. Stick to well-established extensions with clear ownership and recent updates. Audit your installed extensions periodically.
For business accounts especially, consider an email address used only for that account. Reduces exposure when other accounts using the same email are breached, and isolates the recovery surface.