Regain access by starting with the recovery flow that matches your lockout reason, then tighten login and security settings right after you’re back in.
Losing access to Facebook can feel like hitting a locked door with your whole life on the other side: messages, groups, photos, Pages, and logins tied to other apps. The fix is rarely one magic button. It’s usually one of a few common lockout patterns, and each pattern has a best “first move.”
This article walks you through those patterns, the exact info to gather before you start, and the order of steps that saves the most time. You’ll also see what to do the minute you regain access, so you don’t end up right back where you started.
How to Recover My Facebook Account When You’re Locked Out
Start by naming the problem in plain terms. Are you locked out because you forgot details, because the password changed, because the phone number is gone, or because the account was disabled? That single detail decides which path works best.
Step 1: Check what still works in under two minutes
Before you tap any recovery buttons, do these quick checks. They prevent loops where you keep getting sent codes you can’t receive.
- Try a known device first. If you’ve logged in on the same phone or laptop before, use it now. Facebook often trusts it more than a brand-new device.
- Try one clean browser session. Use a private window and type your login details slowly. If you use a password manager, copy-paste once, then type once.
- Search your email for recent Facebook security messages. Look for alerts about a new login, password changes, or email changes. Those messages often contain a “That wasn’t me” option while it’s still fresh.
- Check whether your email account itself is safe. If your email was taken over, recovery codes won’t help until you fix email access first.
Step 2: Pick the right starting path
Facebook recovery works best when you match your situation to the right entry point. If you start in the wrong place, you can waste hours repeating the same screens.
Path A: You forgot the password, but your email or phone still works
This is the cleanest path. Use the standard “forgot password” flow, receive a code, set a new password, then sign in on the device that received the code.
Path B: You forgot the email or phone tied to the account
If you can’t remember what you used to sign up, search your inbox for older Facebook messages and see which address they were sent to. If you still have access to a phone that used to get login codes, try that number with and without country code formats.
Path C: You think someone changed your password or contact info
Move quickly. Start with the hacked-account flow, then focus on removing any contact methods you don’t control, logging out unknown sessions, and setting a new password. If you get back in but leave the attacker’s email on the account, you’re still exposed.
Path D: Your account is disabled, locked, or restricted
This is a different bucket. Password resets might work, but the bigger issue is the status of the account. Your steps depend on what message you see during login and what options you’re shown for review or confirmation.
While you’re deciding, keep your goal simple: get one verified way to prove you own the account (a code, a trusted device login, or an identity check), then immediately remove anything that gives someone else a way back in.
What to gather before you start recovery
Two small prep moves can save a lot of backtracking. First, write down every email address and phone number you might have used on Facebook. Second, list the devices you used to log in over the past year.
Contact details you should have ready
- Primary email addresses you’ve used in the past (work, school, personal)
- Phone numbers you’ve owned, including older numbers that might still be listed
- Your Facebook profile name as friends see it (including older spellings)
- Your username or profile link, if you know it
Device details that help Facebook trust you
- The phone you usually use for Facebook (model and browser/app)
- A laptop/desktop you’ve logged in on before
- Your home Wi-Fi network (use it if possible)
If you suspect an account takeover, also prepare a “safe inbox” email address you control and can keep long-term. Use one with a strong password and two-step sign-in already turned on.
Recovery scenarios and the best first move
Use this table to choose your starting action based on what’s actually happening on your screen. Pick the row that matches your situation the closest and commit to that path for at least one full attempt.
| Situation | Best Starting Page | What To Prepare |
|---|---|---|
| You forgot your password, email/phone still reachable | Standard password reset flow | Access to email or phone for codes |
| You forgot which email/phone you used | Account lookup flow | Possible emails, numbers, profile name |
| Password changed and you can’t log in | Compromised account flow | Safe device, safe email inbox, patience for code prompts |
| Email on the account was changed | Compromised account flow | Access to older inbox messages, plus a new safe email |
| Two-factor prompts you can’t satisfy | Compromised account flow | Any backup method you still control, trusted device if available |
| You can log in, but posts/messages were sent by someone else | Security check inside Settings | Time to review sessions, connected apps, and contact info |
| Account shows disabled/locked message | On-screen review/confirmation path | Consistent identity info and clean device/browser |
| You lost access to the phone number used for codes | Account lookup, then “try another way” options | Alternate email access and older device logins |
Step-by-step recovery that avoids common loops
These steps are written to reduce “dead ends,” like being asked for a code sent to a number you don’t have, or being pushed into repeated login attempts that trigger temporary blocks.
Step 1: Use the account lookup flow if you can’t find the account
If the login screen can’t find your profile, use the account lookup flow and try multiple identifiers: email, phone, and name. Try name searches with older spellings and without special characters.
When you see your profile in the results, choose it and continue even if the profile photo or name looks off. A takeover often changes those.
Step 2: Use the compromised-account flow when you suspect a takeover
If you have signs of a takeover (password changed, email changed, posts you didn’t write), start with Facebook’s Help Center guidance on hacked accounts. This page points you to the right recovery flow and explains what to do when you see strange activity: Hacked and Fake Accounts.
During recovery, you may see options like “Try another way” or “No longer have access to these?” Use them. The goal is to route codes to something you control now, not what the attacker changed it to.
Step 3: If you still have a trusted device, keep using it
A trusted device can quietly do more than you think. It may reduce extra challenges, reduce the need for identity checks, and increase the odds that a “try another way” option appears.
If you’re logged in on a phone already, do not log out to “start clean.” Stay in, change your password from inside settings, and then remove unknown devices. Logging out can hand the attacker a clean slate if they still control recovery contact points.
Step 4: Reset the password only after you can receive a code safely
Password resets are great when the code lands in your hands. They’re useless when the code lands in someone else’s inbox or SIM. If you see only contact details you don’t control, slow down and look for an on-screen route to change the contact method first.
Step 5: Handle temporary blocks the right way
If you see a message like “You’re temporarily blocked” during recovery, stop rapid retries. Wait, then try again from a trusted device and a normal network. Rapid attempts can keep extending the block. When you return, do one full attempt at a time, with careful typing and no frantic refreshing.
What to do right after you get back in
Regaining access is only half the job. The next ten minutes decide whether the same lockout happens again next week.
Lock down access in this order
- Change your password to a long, unique one you don’t reuse anywhere else.
- Remove unknown email addresses and phone numbers from the account.
- Log out of sessions you don’t recognize across devices.
- Turn on two-factor authentication using a method you control long-term.
- Review connected apps and remove anything you don’t trust.
Use a security checkup to catch quiet takeovers
Some takeovers don’t post anything. They just sit there, ready to use your identity later. Look for subtle clues: a new email you didn’t add, a phone number you don’t recognize, or devices logged in from places you’ve never been.
If you run a Page or use Meta Business tools, check permissions too. A takeover sometimes aims for ad spend, Page access, or access to connected Instagram accounts.
Security checklist after recovery
This table is a practical order of operations. Work down the list. Don’t skip steps that remove unknown contact details or unknown sessions.
| Action | When To Do It | What “Done” Looks Like |
|---|---|---|
| Set a new, unique password | Right after you regain access | Old password no longer works anywhere |
| Remove unknown emails and phone numbers | Before you log out of any device | Only your current contact methods remain |
| Log out of unknown sessions | After contact methods are cleaned | Sessions list shows only your devices |
| Turn on two-factor authentication | Same day | Login asks for a second step you control |
| Check connected apps and remove risky ones | Same day | No unfamiliar app has access |
| Review email inbox security | Same day | No unknown forwarding rules or new logins |
| Save recovery info offline | After everything is clean | You can prove ownership even if your phone is lost |
When recovery gets stuck and what to try next
Some recoveries stall. It can happen when you no longer have any of the contact methods on the account, when the account status is restricted, or when repeated attempts trigger blocks. These moves can help without turning into a retry spiral.
Try the same path from a different trusted place
If you’re traveling or on a new network, try again from your usual location and Wi-Fi. Facebook systems often trust patterns. A sudden change in city plus a new device can add friction.
Use the on-screen “try another way” options fully
When Facebook offers alternate verification paths, take them seriously and follow each step carefully. If it requests identity confirmation, submit clear images, match the name you use on your profile, and avoid repeated submissions back-to-back. One clean submission beats five rushed ones.
If you’re still logged in somewhere, treat that as gold
Being logged in on any device is your best leverage. From there, you can change password, remove unknown contact methods, and end sessions. Do those steps before you do anything that might sign you out.
Prevent the next lockout without making login painful
Security that’s annoying gets turned off. The goal is protection that fits your habits. Pick methods you can keep, not methods you’ll abandon in a week.
Use a password manager and stop reuse
Many takeovers start with reused passwords from unrelated breaches. A password manager lets you use unique passwords without memorizing them. Pair that with a second login step and you cut off most common takeover attempts.
Choose a two-factor method you won’t lose
If you switch phones often, an authenticator app can be tricky unless you also keep a backup path. If you travel often and change SIMs, SMS codes can be unreliable. Pick what matches your real life, then keep an alternate method in place.
Keep your email account locked down too
Your email is the master key for many accounts, not just Facebook. Use a strong password, turn on two-step sign-in, and check for inbox rules that forward mail without you noticing.
Finally, keep one calm habit: when you get a login alert you didn’t trigger, act right away. A quick response can stop a takeover before it becomes a full lockout.
References & Sources
- Facebook Help Center.“Hacked and Fake Accounts.”Official guidance on recognizing account takeovers and starting the correct recovery flow.