My Friend Got Locked Out of Their Facebook and Asked Me to Send Them a Text Code

This could happen to anyone, and for entrepreneurs this may lock you out of your business profiles and advertising capabilities – which is an even bigger issue: in some cases, the bad guys will now be able to run ads for their pages using YOUR payment method, potentially racking up tens of thousands of dollars of charges for ads. Facebook has a way for users who get locked out of their account to sometimes have a friend help them reset their profile. So it doesn’t seem completely questionable that you may get a message from a friend asking for help so they can get back in. And if it comes at a time when you’re otherwise distracted, tired, sick, busy, almost anyone can fall for it. Your “friend” tells you that Facebook needs to send you a code (text) that you need to give them.

Just a reminder that we aren’t directly affiliated with Facebook and do not have access to your account. If you need help, you will need to contact them through their Help/support system.

Oh shit. You just gave a hacker the code to log in to YOUR Facebook account. In some cases, you’ve also used your Facebook account to log into other websites like Amazon or WalMart or your bank or … and now they have access to IT ALL. They may be going on a spending spree, or draining your bank account.

But … maybe they aren’t trying to do any of that (yet). Maybe at this moment they’re only using your account to get the same type of access to your friends – sending them a message from “you” that says you’ve been locked out and they need that friend to send them a code … and then they get access to your friend. Maybe they’re storing up a bunch of access until people forget, and THEN going on some spending sprees.

“But wait, Vicky!” you say … “when I realized this, I changed my password!” But that may not be enough, and probably isn’t enough. It’s also not enough to turn on “Facebook Protect” if they’ve offered you that service.

The bad guys could have given themselves access (by changing some of Facebook’s settings) that would bypass requiring the password OR the texted code. So they could still be in there.

Sometimes people incorrectly think if their friends have received a second friend request, this means their account has been hacked. Usually that’s not the case. THIS issue, however … yes you’ve been hacked.

You need to check several settings.

This is the order I recommend it in, since doing things out of order could make changing some of the settings less effective.

DO THIS ON A DESKTOP (not all of the settings are easy to find on mobile – so use your mobile to read this article while you do the steps on your computer)

Click your profile pic top right, click the dropdown arrow and choose Settings & privacy, and then click on Settings

Several things to check, in order:

(1) Security and Login
Under “where you’re logged in“, see if something looks wrong, such as a location that isn’t yours. Seeing a different city may not always be concerning – for instance when I use my VPN it may show a different state or country. We will come back here in a bit to log out of all sessions (but don’t yet, since it will log you out) – this just may tell you quickly if someone you don’t recognize has been logged into your account.

Change password
If you haven’t changed your password since the breach, we are going to do so again in the final step, so you don’t need to do it yet (you WILL need to do it again anyway, even if you did it after the bad guys got your code, so just wait and do it in step 6.)

Two-factor authentication

Make sure it is still turned ON. We’re going to turn it on in step 5 and you can do so during that step if you haven’t yet.

Authorized logins

This lists all devices that a login code / two-factor authentication is NOT required.

Your bad guy may have set their device to be authorized, which means Facebook no longer needs to send them a code for them go get in to your account. You can checkmark any devices that are not you, then scroll down to the bottom of the list and click Remove. If you remove your own device(s) here, it won’t hurt, you will be able to reauthorize it again the next time you try to log in on that device. So if you’re not sure, remove them all.

Get alerts about unrecognized devices

Make sure it is still turned ON

(2) Apps and Websites (menu on the left of the same page)
It’s a good time to scroll through the list and remove any that you don’t recognize or remember. It’s possible the bad actor could have added an app to your account that would allow them access to your account or other things.

Some of these apps also allow you to log in to another website using your Facebook profile – which is how your bad guy could have already gained access to some of your other accounts (I will talk about that briefly after step 7). As you look through this list, if you see websites that you’re worried the bad guys may have gained access to, you should make a note of each of those so that you can manually check them later.

(3) Business Integrations (also on the left same page)
Similar to above, remove any that you do not recognize.

(4) Activity Log – Click your profile image again (top right) and click on Activity Log
In the left column, choose Logged actions and other activity, then from the dropdown choose Recognized devices (it’s about the 8th item down). You may have removed any suspect devices in step 1, so this list may be empty or only show your current device.

Look and see if any recognized devices have been added since this breach occurred. If so, click the ellipsis … to the right and choose Remove. If you know for certain an entry is you, it’s okay to leave. It’s also okay if you remove too many, because you will be able to add your own devices back.

We’re just double-checking that any unauthorized recognized devices have been removed before taking the next couple of really important steps.

(5) Next we need to make sure the bad guys haven’t set up something that will give them continued access to your account without your knowledge

Click your profile pic top right, click the dropdown arrow and choose Settings & Privacy
Click on Security and login on the left, and then scroll down and click on Use Two-Factor Authentication
At this point it will likely ask for your password on the screen, so enter it.
If you have turned on two-factor authentication, it will say so here. If not, we will turn it on (in the reset section below). .

If it’s already turned on, you MUST check these things:

Phone number – used to receive text messages is still your number. Click Manage button to the right and change it if needed. If you see one you aren’t aware of, we will go through a reset below which will remove it.

Authentication app – if you have not set up an authentication app (it’s a multi-step process, so you would know if you have), you want to click the Manage button and click on Turn Off – just to make sure the bad guys haven’t set one up. If you can’t remember if you had done it, you can still turn it off, since you would be able to turn it on again later.

Security key – this requires a USB inserted into your physical laptop/desktop, so you probably have never done this. Click Setup button to check, and if it appears that one has been set up, you can use the reset instructions below which will remove it.

Recovery codes – click Setup button
If you see codes listed … you will need to reset to REMOVE those codes.
If there are no codes shown, you should be okay but may want to do the next reset step anyway just to be extra safe.
Click Close button.

Resetting to remove access – To reset in case security key or recovery codes or someone else’s phone number have been set:

• Scroll back up to the top of the page where it says Two-factor authentication is on, and click the Turn Off button, then click the blue Turn Off button in the popup window.
• This should (hopefully) erase any codes that have already been generated.
• Now we will turn Two-factor authentication back on again.
• Click on the SMS option (middle of page on the right), enter your mobile number, and follow the prompts. The will text a code to the phone number you supplied that you need to enter on the screen. Once the code is accepted, your two-factor authentication should be turned back on. If you click on Recovery codes > Setup, you’ll notice that all prior codes are gone – which means the ones the bad guys set up are no longer valid.

(6) Reset password

Now, as one final step since hopefully you’ve taken all the steps to hopefully lock the bad guys out, change your password.

At the top left area of the page (under the menu area) there should be two small text links Security and login > Two factor authentication. Click on the Security and login text link.

Under Login on the right, click Change password. Then follow the prompts change your password (make sure you remember what you set your new password as!).

The next time you log into a different device, you may be asked to enter a code that you’re texted or etc as a security protocol.

Now … all the other sites.

Your Facebook settings are done. However, keep in mind, during the hours between when this first happened, and when you finished the steps above, the bad guys could have been logging into all of those random websites with your Facebook profile.

They could have been making purchases.

They could have been changing your login info, so they can use your BILLING info.

If they haven’t taken that step yet to try to log in to other websites – because they assume you think simply changing your password is enough but they know if you haven’t taken the steps above then they may still have access – then by doing all of those steps above, you’ve likely revoked their access entirely and they won’t be able to use your Facebook to log in elsewhere now either.

But if they already have, they could have compromised those accounts. If you made a list of any during your steps above, you can manually check each website and check the account settings there and see if they’ve changed the email address or login information, the shipping address, or placed any orders. Not much can be done here except to do this manually.