I’m not sure how to start this except to repeat, “I got my Facebook account hacked.”
I poured through tons of documentation, Quora and Reddit forums, as well as other blog posts trying to find some solution to getting it back after trying to deal with Meta’s awful recovery account recovery system. I just kept getting the “death loop” — more on that later.
So I decided to write this once I got my account back. Maybe this one blog post can save you days of frustration and disappointment.
The quickest way to figure out if what happened to me is happening to you is by skipping down to “What Happened”
Alternatively, if you’d rather listen to my story — I covered it on my podcast.
Agency Growth Podcast | My Facebook Was Hacked and Hacker Spent $30,000 in Ads | Episode 071
Table of Contents
- Intro & Context
- What Happened
- Learning I Was Hacked
- Account Recovery “Deathloop”
- Hacker Stole $30,000
- What the Hacker Wanted
- Immediate Steps I Took
- Reported Facebook Account as Compromised
- Canceled All Debit & Credit Cards
- Signed up for Aura
- Changed All Passwords to Everything
- Ensured 2FA & MFA Was Being Used Everywhere with Authenticator App
- Reached Out to Hacked.com
- How I Got My Facebook Account Back
- Scheduled Call with Hacked.com
- Contacted the California Attorney General
- Other Things I Tired
- 5.5 Weeks Later
- After I Recovered My Facebook Account
- Securing My Account with Hacked.com
- Becoming Facebook Verified
- Random Problems & Bugs with My Account
- Session Expired
- Account Restricted
- The Hacker Kept Trying to Access
- Suspended Business Manager & Ad Accounts
- The Solutions
- Back to Normal
(For Context) My Facebook Account is Important
You probably find yours important too — but I figured some context would be good as I use my Facebook account for more purposes than the average user.
I run a lawn care and landscaping digital marketing agency (as in we do digital marketing primarily for landscaping and lawn care companies). A lot of which run Facebook ads.
It’s strictly against Meta policy to have more than one Facebook account. Even if your account has been compromised, you’re forbidden from creating a new one, or else that one might get banned.
Of course, everyone does this and your risk of getting caught is low, but as a legitimate business owner, I can’t take that chance.
On top of that, my Facebook account is an Admin for quite a bit of ad accounts, both internal and client-owned. There were implications to the security of my account I hadn’t taken into consideration prior to this happening to me.
Simply logging into the Facebook Business Manager under my personal account would give anyone access to those ad accounts — all of which have payment methods on file.
Now that we’ve established some context, let’s get into what happened and how I got it back.
What Happened
On July 15th, 2023 (a day before my dad’s birthday), my fiancée and dad were hanging out at my sister and brother-in-law’s house. As I was scrolling through Facebook, I was logged out of my app.
When I tried to log back in using my email and password, it said that the user was not recognized on Facebook. Additionally, when I tried other emails associated with my account as well as logging in with my phone number, I kept getting the same messages.
At this point, it hasn’t registered with me that my Meta account was hacked yet. I figured this was a bug or a glitch and only affecting my profile. I tried looking to see if there were any issues on Downdetector.
But nothing.
Not being able to use my Facebook account is a bigger deal than it might seem. If you’re reading this, I’m assuming it’s a big deal to you too.
As you can tell, this pretty much ruined my night. I figured I’d try again the next day.
(By the way, don’t tell Twitter you got your Facebook account hacked… you’ll get spammed.)
Yes… those are all spam comments, retweets, and likes (no one follows me on Twitter…X?)
Learning I Was Hacked
The morning after (now my dad’s birthday), I received a message from one of my clients:
“We just had some spam ads placed from our Meta account. We disputed the charges with the Amex. When I looked at the account, the three of us are the only people with access to the ad account. Please change your password in Meta to hopefully stop this activity. Thanks.”
This was at 9:11 am.
At 9:12 am, two things happened:
- I officially learned that this was not a glitch and that my account was hacked.
- I responded immediately.
“My accounts been hacked. Please remove me ASAP.”
Now it was game time to figure out how to get my account back.
Facebook Account Recovery “Deathloop”
A little-known fact is there are three ways to sign in:
- Using your email (not recognized)
- Using your phone number (not recognized)
- Using your account name (hadn’t tried this yet)
You can find your account name by going to your profile (have a friend go to it) and see what the handle is (it’s in the URL).
The first step is going to facebook.com as if you’re going to login.
Then click “Forgot password?”
Next, when it asks you for your email or phone number, enter your Facebook username instead.
Follow the steps and soon enough it will show you the associated emails and / or phone numbers that you can use to have a login code sent to.
What was my problem, though?
All of the emails and phone numbers it was showing me weren’t mine… they were the hackers.
Yeah, none of those are mine.
From here, I got sent into what is referred to as, “the account recovery deathloop”.
None of those will work so you click on “No longer have access to these?” and it shows you the same info…
You’re probably here because you’re either just curious about my story or you’re at the exact same spot. The worst part is that there is no public Facebook support line. All support forms require you to be logged in.
If you’re here, I’m sorry. However, there’s hope and I’m writing this for you.
Hackers Spent $30,000 on My Ad Accounts
This was the worst part.
The worst part wasn’t being able to engage with my family or podcast community on Facebook. The worst part was that in literally 12 hours after being hacked, $15,000 was spent across multiple ad accounts.
Remember when I woke up to that client message? By noon, 4 hours after I learned I was hacked, $15,000 was spent.
I immediately took action at 9:12am and contacted all of my clients to whom I had access to their ad accounts. It still wasn’t fast enough to prevent this.
I wasn’t able to get ahold of all of my clients that same day.
By Monday evening, the grand total spent was $30,000.
It was at this point, all of my clients had responded to me and taken action to remove my profile’s access.
What Were the Hackers Doing?
This is just because I know you’re curious.
The hackers were running spam ads on my clients’ ad accounts to a …foot massager?
Turns out, the site that the link went to was a scam site. I’m not sure if it stole credit card information or just didn’t deliver the product.
So their end game was to use an account that was associated with ad accounts and their payment methods, then run free ads to a scam site to further steal people’s money.
There’s a place in hell for these people.
Immediate Steps I Took After I Learned I Was Hacked
After learning my account was hacked (aside from contacting all of my clients), I did a series of things immediately after to protect myself and also take action to get it back.
This is everything I did in order of not only what I did, but what I recommend you do as well.
Reported My Compromised Account
Through all of my digging, I did find that Facebook has a link where you can report a compromised account. You need to know your username for this.
I’m not entirely sure what this does… no one reached out to me. But if I had to guess, it just flags the account internally to Facebook and Facebook likely restricts the access that account has to certain features (like viewing payment methods or other sensitive information.
Apparently, they don’t block the account from spending money on payment methods already present…
Canceled All Credit & Debit Cards
I’ve had my marketing agency’s ad accounts up for a while so I honestly had no idea what cards were still connected to my ad accounts. Additionally, if you’ve ever paid for anything directly through Facebook or sent money to anyone on Facebook, that card information is still associated to your account.
Not to mention if you have a Meta Quest. Is your card connected to your Quest account and is your Quest synced up with your Meta account like most people’s?
So step number one was to cancel all credit and debit cards.
DON’T throw away your old cards. Keep them until you get your account back. These will come in handy for recovery later on.
Signed Up for Aura
When I realized the financial implications of having an account like Facebook hacked, I realized I needed better online security management.
Even if it wasn’t an account like Facebook, an email getting hacked that’s connected to other accounts is also not ideal — imagine what accounts that email can be used as a means to access other accounts.
I was really looking for a VPN because I was never going to be logging into public wifi again without being secure. But I found a lot more with Aura that I didn’t realize was helpful like:
- A password manager to not only manage my usernames and passwords to all my accounts, but also auto-generate random passwords for each one
- Online data monitoring — in the Aura dashboard, you can monitor multiple emails, phone numbers, and other personal details (including documents like passports and social security numbers). Aura will let you know if any of that gets leaked on the internet
- Bank account monitoring — Aura monitors my bank account transactions
- VPN — what I was actually looking for
- Data broker removal requests — Aura will also ask data brokers to remove your information if they find it in their possession
- $1,000,000 in identity theft protection
- And a ton more, honestly…
It was basically a complete online personal data security tool for $15/mo and it was well worth it.
Even after logging in for the first time and inputting my first emails to monitor, it immediately let me know that certain emails and passwords were involved in data leaks… that would have been helpful to know before this happened…
This wasn’t meant to be a promotional post. It’s literally what I did after I was hacked.
After signing up for Aura and getting my account back, I partnered up with them as an affiliate / partner. I realized this was a tool I wish I had earlier and everyone should have.
Even if it isn’t Aura — get some kind of data monitoring tool.
I’d even recommend getting set up with the 14 free trial just to see how much of your data Aura finds that has been compromised.
You can get up to 50% off individual plans with my link or 63% off on family plans.
Okay, moving on.
Changed All of My Passwords
I had already started changing passwords on other social accounts like LinkedIn, Instagram, and Twitter, but next became the exhaustive process of changing passwords for everything…
However, Aura made this process significantly faster… This isn’t even a plug — it’s legitimately what I did.
I used to use Passpack for my passwords but it had its flaws. I was on the free plan and that’s all it was, a desktop password manager with no mobile application or ease of access. I had almost 100 passwords in there.
I downloaded the password and user files and then simply uploaded them to Aura. Aura then went through and found all passwords that were either weak or reused. From there, I just went in and changed those ones.
I just had Aura randomly generate passwords for everything. No thinking involved.
Ensured 2FA & MFA via Authenticator App Was Used on All Platforms
The thing that frustrated me the most was that I had 2FA turned on for my Facebook account. It was the Facebook SMS text with a code. I did notice early on that Facebook’s texting system wasn’t great. I’d have to “resend” the code almost every time just to get it once.
The unfortunate part was that I had never gotten a text to my phone saying someone was trying to log in from another location or an unrecognized device.
I’m not a hacker so I don’t know the kind of strategies they use to prevent that SMS from firing. Friends and forums have told me that hackers can get ahold of your carrier and social engineer them to get them a SIM card with your number as well as just spoof your number so the SMS is redirected to their number (maybe it’s the same thing?).
Either way — lesson learned, 2FA SMS is trash and you should be using an Authenticator App when at all possible.
If you’re new to authenticator apps, they’re basically just an app on your phone that connects to the account you’re securing. The account you’re logging into (Facebook) will ask you for a 6-digit code in your authenticator app.
So you’ll have to open that app and get that code, but that code resets every 60 seconds.
Rather than an SMS text message code being able to be intercepted, the code lives on your device only in your phone. Facebook asks the authenticator app if it’s the correct code when you put it in and the authenticator app acknowledges it, allowing you to access your account from a new device.
Some authenticator apps I recommend:
Bonus points if you use biometrics on your phone to unlock your app.
Security Keys
One more option for 2-factor or multi-factor authentication…
Some platforms allow you to use a security key rather than an authenticator app or other form of 2-factor authentication.
Security keys work almost the same as authenticator apps but instead of being able to simply log in to your app via password or biometrics, you have to have a physical device either connected via Bluetooth or plugged into your device to access the authenticator app or platform. It’s a literal key to your account.
This is the next step above the app for added security. You can get them on Amazon.
Reached Out to Hacked
If you do only one thing in this entire post, do this one.
This was the number one thing I did to get my account back. Everything before this was just to protect myself from further damage. None of it actually helped me get my account back.
After all of this happened on July 15th, not only did I spend every second researching options, so did my family.
My fiancée found an article from Verge (I think it was this one) that mentioned Hacked.com.
I’d been skeptical about reaching out to a company regarding getting a Facebook account back because of what I mentioned previously with the bot commenters and spammers.
They charge per call. I can’t remember what the initial consultation cost. I think it was between $50 – $70. I figured the worst that could happen was that I lost that money but nothing else.
Since I was already in the hole for $30,000, $70 didn’t seem so bad to gamble.
I reached out to Hacked.com and was paired up with Christian — the most calm and collected person I’ve probably ever talked to via Zoom. He kinda reminded me of Justin Long.
You can even read my review of them on Trust Pilot I left on August 25th, 2023. That’d probably paint an even clearer picture than I am painting right now.
I’m not gonna lie, the way they take payments seems sketchy. It’s via PayPal. Maybe they’ve updated it since I worked with them. However, they’re completely legitimate, just a small company that hasn’t quite invested in more well-known invoicing / payment software.
How I Got My Facebook Account Back
Ultimately, it was Hacked.com who really helped me get my account back. But I exhausted a few other options as well.
Got on a Call with Hacked.com
As mentioned before, step one is getting on a call with them. Go to their website here.
Step two is to be patient. This process can take weeks or even months. But they’ll tell you that on the call as well.
Christian at Hacked.com led me through a pretty extensive process to account recovery that went through all options (and trust me, there is a lot). He was familiar with the “death loop” and everything we tried was to circumvent that.
There was a strict process we followed. We never tried two things at once.
I’m not going to get into what we tried or details about the process because honestly, I don’t want to give away the secrets of their business that helped me get my business back on its feet. I value what they’re doing and want them to be successful.
Contacted the California Attorney General
I don’t have confirmation on this, but I think this was the nail in the coffin that sealed the deal.
One of the steps we took was to contact the California Attorney General (because that’s where Meta is located… oddly enough… on 1 Hacker Way….).
Hacked.com instructed me on how to reach out to the California AG as well as what to say in order to get a response.
The advice worked…
I submitted my complaint on August 1st and the letter I received in the mail a week later from the AG was dated for the following day.
You can read the whole letter I got from Rob Bonita below.
I don’t think I could have made as compelling of a case without Christian coaching me.
Other Things I Tried…
In my line of work, I do a lot with Facebook ads and with that, I get Meta Parter Pros reaching out to me via my work email (and sometimes my personal email) about ad accounts they’ve been assigned to.
They’re basically glorified sales reps to get you to spend more money. Google does this too and I usually ignore both of them.
But one Partner Pro reached out to my work email and instead of ignoring her, I simply said:
“I had my account hacked and can’t get back in.
I’d love to help you, but I can’t.“
This actually got a positive response from her and the first Meta Marketing Pro that has actually tried to help. She even called me and we talked on the phone about the issue.
She said she was going to put an internal ticket in with her team to help get this resolved as one of the accounts she was assigned to was one that had $15,000 spent on it fraudulently.
Crystal was really helpful for about a week and a half. After the internal ticket was logged, it was outsourced to a help center in India and they honestly had no idea what was going on.
They ended up flagging me as “unresponsive” when they said they’d send me an email (to an email that I gave them) asking me to show them what I saw when trying to log in — but they never sent that email.
It got my hopes up but ultimately I hit a dead end.
5.5 Weeks Later
On August 23rd, I noticed I had gotten two emails right in a row that I hadn’t gotten in a few weeks:
- An email saying that my ad was approved and scheduled (weird)
- An email saying that someone tried logging into my account (hadn’t received this since the first week of this)
The first email was for a client of mine who was running their own ads and my email was still associated with the account. I checked the ad and everything looked legitimate. The other weird thing was that the hacker had removed my email from the account… so how was I receiving this email?
The second email I had received before… but It had been a long while. The contents of the email when opened and read stated that the next time I log in, I needed to verify some details and change my password.
If this was one week into this process, I would have just deleted the email because it would have sent me to the hacker’s recovery options. But I thought I’d give this email a try just to see what happens…
I clicked the button, “Secure Account” and I was immediately directed to a page that asked me how I would like to receive a secure code for authentication.
I couldn’t believe it… it showed me all of my old emails and phone numbers associated to the account. It was like the hack never happened and Facebook just reset everything to pre-July 15th.
One thing it had me verify was a saved payment method…
This kinda sucked because I cut up and threw away all my old cards.
Fortunately, I had my credit card number cooked in my browser and my browser was able to pull in the CC information which worked!
Earlier I said to not throw away your old cards — this is why.
After I went through the recovery steps… I was in! I was staring at my feed!
…along with 97 messages and 99+ notifications…
After I Recovered My Facebook Account
Post-recovery was littered with learning moments as well. I knew that just because I was back in didn’t mean was going to immediately go back to normal.
Securing My Account with Hacked
Once I was back in, I messaged Christian at Hacked.com and we jumped on another 20-minute phone call. He walked me through securing my Facebook account. Updating settings I didn’t even know existed.
We actually spent the majority of the time going through connected apps and disabling them. Remember 2010? The Farmville and “What Disney villain are you?” era? Yeah, all of those are connected apps that technically have your Facebook login.
You have to go through all of those and disconnect them.
Becoming Facebook Verified
This was something I didn’t want to do.
It’s $12/mo and you get that blue checkmark next to your name.
I’ve always hated people who do this because I figured it was just a way for people to feel more important than they are and to essentially “buy” clout.
However, it comes with added security to your profile and a direct helpline for issues with your account or Facebook in general (more on that in a little bit).
I paid the $12 and verified my account. I verified with my government ID and even a letter in the mail to my home address to verify my actual location.
By the way, here are the steps to get Meta Verified.
I’ll still make fun of people for getting it for the clout purpose (although no one will admit it), but if security is your reason… then I’m with you.
Although… it does look kinda neat…
Random Problems and Bugs with My Account
After 5.5 weeks of a hacker using my account for hacker purposes and after I told Facebook that my account was compromised, literally everything I did was “suspicious activity”.
Session Expired
I kept getting emails saying that there was suspicious activity and that I needed to say “This was me” or verify some sort of information. It happened at least 3 times per day. And every time that it did happen, it would log me out everywhere and I would get a “Session Expired” notification.
The process was even more annoying because I didn’t know my password. I used randomly generated ones from Aura’s password manager.
It also made me change my password a lot. Saying that there was suspicious activity and that I needed to update my password.
Aura made it super easy but having to go in and have it randomly generate a new password every time was a pain. Not on Aura’s part — just the Facebook process in general.
Account Restricted
I noticed another weird thing. My profile kept saying that it was “restricted”.
Nothing seemed to be “restricted” and I didn’t notice anything that I wasn’t able to do normally. This banner was just annoying me and also a little concerning.
The Hacker Kept Trying to Access
The most annoying part was that the hacker kept trying to access my account not realizing I had reclaimed it.
They weren’t ever able to get back in and any time that I got an email like this, I would do what Facebook was asking and reverify that this wasn’t me.
The hacker ultimately gave up after this last attempt in early September.
Suspended Business Manager and Ad Accounts
The biggest post-hack issue I was dealing with was having my Business Manager suspended and all of the associated ad accounts.
I’m sorry I don’t have a picture for this but basically, when I went to business.facebook.com, my Evergrow Marketing (my company) Business Manager was restricted because all of the ad accounts were restricted for suspicious payment activity.
I actually assume the suspicious payment activity was due to me canceling all of my cards and the hacker still trying to spend money on them.
That mixed with my flagging my profile as “compromised”.
I reached out to Facebook Business Support using the Facebook Business Support form (I don’t actually know how to get to this form… A friend sent it to me and I’ve just saved it).
It’s a crapshoot whether you actually get someone that helps you. I did get someone to open a ticket for me but it went literally nowhere.
I got my account back… but my business was still technically dead in the water until I could figure out the Business Manager situation.
The Solutions
I remembered as a Meta Verified user, you get better access to Facebook support.
My plan was to submit a support ticket through there to look into my “Account Restricted” profile b manner as well as the Business Manager issue.
If you go to accountscenter.facebook.com, and then click on “Meta Verified”, there is a button called “Get Support”:
I went through here and submitted a “Problem” or “Error”, I can’t remember what it was called at the time. But I got connected with a rep who eventually asked if she could call me.
She did and I was able to explain the situation.
Long story short, my Business Manager and associated ad accounts were enabled along with that banner was removed from my profile within a matter of hours that same day.
Also, the banner on my profile was a bug. It wasn’t actually affecting anything. She said on Facebook’s side, the account is in “green health”.
Back to Normal
I’m pleased to say that everything has seemed to go back to normal. It’s October 16th at the time of writing this and I have experienced no problems with Facebook.
The last time the hacker tried to reaccess my account was on September 5th.
Oh, and in case you’re wondering… yes, all of the $30,000 was either recovered or forgiven. None of my clients or myself had to absorb that.
I know this was a lot to read, but if you read all of it, thank you for taking the time. I hope it was a quick read and if you were going through this and this either helped you or brought you comfort then this post did its job.