We recently helped a client recover their Facebook Business Page after it was compromised. It was a multi-day process involving notarized documents, multiple support tickets, and a lot of patience. We got it back. But the experience reinforced something we already knew: the best time to secure your account is before anything goes wrong. Quick disclaimer, we don’t represent META or any of its many divisions or associates, we just know what we have seen, what was successful for us and what fail miserably. We also acknowledge that these systems and any observations we make about them are purely speculative and are little more than anecdotal, meaning we are not giving you advice, just sharing our story. Your mileage can, and absolutely will very. Proceed with caution.
This post walks through what happened, what we did, and what you can do to protect yourself, maybe.
What Happened
An admin on the client’s Facebook Page had their personal account compromised. Before that account was disabled, bad actors used the access to add themselves to the Business Portfolio and the Page itself. They added fraudulent admin accounts, removed the legitimate owners, and started running scam ads using the client’s payment methods.
The first sign of trouble was an email notification that an unfamiliar person had joined the Business Portfolio. By the time the client saw it, the damage was done. They had changed the name of the business page, created content on the compromised personal page that got it banned and started running scam ads on the business page. They added several different accounts to the business portfolio page and removed all access.
The attack was acute and executed quickly like a well oiled machine going through a process I can only assume has been done many time before. Everything happened within an hour and it was done late at night so the client wasn’t even aware anything had happened until the next morning.
The Recovery Process
We have recovered pages from hackers before. We have done this work privately for clients ranging from small nonprofits to Fortune 500 companies. It is not a service we offer publicly due to the risk and complexity involved. We only take on cases where we can verify ownership and where the account history shows strict compliance with Meta’s community standards. We also only work with assets with a minimum followership and a minimum previous platform investment due to the risk involved in the recovery process. Associating with banned assets an banned accounts in itself can be a risk factor and we can not guarantee success. All of that said, we know you are looking for solutions if you have read this far, let us walk you through what has worked for us and why. Just because might not be able or willing to recover your page, we are more than happy to help you try it on your own. But take heart, this is a task for the tenacious and patient.
Here is what the process looked like:
Step one: Stop the financial bleeding. The hackers were running ads on the client’s payment method. We advised the client to contact their bank immediately, block charges from Meta, and request a new card number. This is urgent. Do not wait for Meta to fix things before protecting your finances. META is actually really great about catching unusual spending and will likely disable the account quickly and require verification of payment before continuing, but there is no reason to wait. Secure any financial account you have attached to the compromised assets.
Step two: Document everything. We gathered page IDs, ad account numbers, Business Portfolio IDs, screenshots of the fraudulent admins as they were noted in the email notice when it was received, and evidence of ownership including business licenses and website records. This is a great time to show proof of you business ownership with notarized records and a copy of your ID. Also, before you submit your request clear your calendar. This is now your only focus for the next 12 hours because once you hit submit you are on call until the issue is resolved. We talk about this more in step three, but suffice to say, once you open a ticket, you are on the golden path, don’t step off the path because it can sometimes be your only opportunity to set this right.
Go to your Meta Business Suite and click on Help. Find a link to the Business Help Center page. This link can change so Google it or hunt for it in the help dashboard. Follow links like “Get Support” and look for your account overview. If you see a prompt, like “How can we help?” and it askes for “asset IDs” to get help you are in the right place!
Step three: Submit a support request. We went through Meta Business Suite to access the help and support tools. Here is where it gets tricky, you might not have access to this. Not all accounts have access to this level of communication and we call these accounts that do have this level of access, concierge accounts. If you do not have a concierge level account you may need to reach out to a trusted friend or a pro to help you get access to the secure META support portal. We don’t have any facts about who gets access and who doesn’t but what we have seen is concierge access level accounts tend to be owners of several pages which have a significant regular ad spend or other investment in the platform and have a pristine record. What is a pristine record? No community violations, and if you are not familiar with what these are you can read all about it. We wont share a link here because it often changes, but Google it and it should come right up. If you make it past this first hurtle, that is the most significant step to success. Keep in mind, that once you are in the chat, you are now on the right path, if you have a case number that is great, write it down and dont close the chat window!
The support chat is not listed in your normal chat list. If you close it and you don’t know where to find it again, you may not be able to find it again!
If you have the opportunity to upload proof, this is your most essential opportunity to share everything they are going to need. Don’t blow it on a cellphone shot of your stolen page, write a report of exactly what happened, give evidence, show proof of ownership and provide pertinent details without any fluff. Keep it in an outline format and make it a PDF or a high resolution image. They will need all the ID numbers you can provide, one for your page, one for your ad account and one for your business portfolio. You should already have these, but if you don’t you can hunt them down using forensic data recovery techniques.
Step four: Be clear, brief, and persistent and give them all the information up front. Every message we sent was structured the same way: a short explanation of the problem, a numbered list of exactly what we needed Meta to do, and all the relevant reference numbers as well as proof of ownership. No life stories. No emotional appeals. Just facts and specific requests. The first few responses can feel generic and unhelpful but this is part of the process, you are on the right track, stay calm, be polite, and don’t fail to respond. Meta’s automated systems kept asking us to verify payment, which we could not safely do while hackers still had full control of the account. That is OK, they have to work through a process of elimination, starting with the basics and then escalating, sometime 3-4 or more times. Hang in there.
Step five: Escalate when necessary. We moved through several layers of support. AI responses, lower-level support staff, and eventually a specialist. Each time we were asked for more information, we responded within the hour. This process took days. Sometimes a request would come though after 4 hours sometimes after 2 days and you only have a short amount of time to respond or your chat request for more information of to make a confirmation. If you fail to respond in the time frame they need, they could close and resolve the case, which could add a new layer of complication, the cold period. We don’t really understand the cold period, but accounts that have a recently closed or resolved case can sometimes have difficulty opening anew case. For example, you submit a case, but you don’t respond in time to a request for more information or for a confirmation and so you try to open a new case, but when you try to submit your case, nothing. The page just opens a blank chat window. We don’t know if this a system issue or a dark pattern designed to reduce abuse of the support ticket services, but either way, once you have a case open and access to a chat window, don’t close the window and reply to every request IMMEDIATLY until your case is resolved.
The hard answer is, banned personal accounts are some of the hardest accounts to recover. One, if your account is banned you have no way to access the recovery tools you need. This puts you at the mercy of a friend who can ask on your behalf, but that friend then opens themself up to risk if your account has community violations
Step six: Provide notarized proof of ownership. In the end, what unlocked the recovery was a notarized document signed by the business owner confirming their identity and ownership of the page. Meta’s security team used that to verify the claim and restore access to the business page an to the business accounts.
The Catch-22 You Might Encounter
Meta’s support process can create frustrating loops. In our case, they asked us to verify a payment method before they would help. But we could not safely add payment information while unauthorized users still had full control. It would put us at risk of letting the bad actors remove us again and keep access to our ad service with freshly verified financial details. Not ideal. We hung on, and kept giving our data and our request, and after 48 hours we were restored.
We had to explain this clearly and repeatedly. Eventually, someone understood and escalated the case appropriately. But it took persistence.
Why Your Facebook Account Might Not Have Access to the Tools You Need
Here is the uncomfortable truth: not all accounts have access to the same level of support. We don’t know why but from what we have seen Meta’s concierge services are generally available to accounts with significant ad spend and a clean history. If you have never run ads or if your account has had policy violations, you may not have access to the support channels that can actually resolve these issues. The service as far as we know doesn’t have public information on who gets what but this is what we have seen. So if you find yourself in need of help, look for someone with these kinds of accounts to help you.
Maybe, but not likely. This is a niche service with a hefty price tag starting at a minimum of $10,000 so your local tech savvy marketing team is not going to have the skills or the tools to navigate this kind of thing. They might, but it is very unlikely. Look for a media team that manages a minimum of 6 figures a year in META media ads. These tend to be the kind of teams that can dedicate themselves to handling hacked Facebook page recovery. We do provide this service, but we only accept a few clients at this level per year and it comes as part of a long term high level maintenance service contract.
Here is where we ask you kindly not to “shoot the messager.” This is not a system we have any control over. We work with what is available. For clients who do have access to these tools, we might be able to help navigate the process but we can not access you accounts if we have never had access to them before the incident. For those who do not, the options are more limited and in some cases, essential nothing. Follow the hacked page form protocol. Follow all the requirements, which might feel invasive, things like requiring a face scan are not uncommon. Have an account name that matches a legal name that you can verify with ID. Get verified.
What You Should Do Right Now (Before Your Business Page Gets Hacked)
The best cure is prevention. Here is what we recommend:
Secure your personal Facebook account. The Business Portfolio is only as secure as the personal accounts that have admin access. If one admin gets compromised, the whole page is at risk.
Enable two-factor authentication everywhere. Turn on 2FA for your personal Facebook account, your Business Portfolio, and your email. Consider using an authenticator app instead of SMS codes. Some authenticator apps include biometric confirmation, which is much harder to compromise remotely.
Require 2FA for your Business Portfolio. In your Business Portfolio settings, you can require all admins to have 2FA enabled. Turn this on.
Audit your admin list regularly. Remove anyone who no longer needs access. Make sure all current admins are active, responsive, and have secured accounts.
Never share your 2FA codes. No legitimate service will ever ask you to share a code via a link or third-party app. If something asks for your code outside of the official Facebook login flow, it is a scam.
Secure your email. If your email gets compromised, your 2FA can be bypassed through password resets. Add 2FA to your email account as well.
Document your account details now. Write down your Page ID, Ad Account ID, Business Portfolio ID, and the email addresses of all legitimate admins. Store this somewhere safe. If you ever get locked out, you will need this information to prove ownership and you will not be able to access it from inside the account.
Hire a Pro. Hire a team like us to document everything for you, audit your current security risks and maintain us on all of your accounts so we can catch issues quickly and know exactly how to respond as soon as an issue happens. We can’t guarantee it wont happen but we can help make sure it is less likely and we can help you recover it when possible using all the records we will create to make sure you have the data you need instantly should something happen. We know time is money and preparation is everything!
If It Happens Anyway – Hacked Facebook Pages Happen to Anyone
Even the most careful people can get tricked. Social engineering is sophisticated. If you lose access to your page, here is what to do (maybe):
- Contact your bank and block any payment methods connected to the ad account.
- Go to Meta Business Suite and navigate to the help and support section.
- Submit a detailed report with all relevant account IDs and a clear description of what happened.
- Be prepared to provide proof of ownership, potentially including notarized documents.
- Respond quickly to any follow-up from Meta. Delays can reset your place in the queue.
- Be patient. This process can take days, weeks, or even months.
And keep in mind: recovering the page does not always mean you are safe. In some cases, bad actors will still “own” the page through the Business Portfolio. They can wait quietly and remove you again later, or wait until you add new payment information and then run fraudulent ads on your account. If you have a security break, secure EVERYTHING. Secure emails and phones and check for unauthorized or unusual apps on your phone. Use an authenticator and lock everything down. Once your accounts have been breached it’s a good time to update all of your passwords especially if you use the same ones! (That is a big no-no!)
A Final Note
There is no step-by-step guide that works for every situation. Meta’s systems change constantly, and different accounts have access to different tools. What worked for us may not work exactly the same way for you.
But the fundamentals remain the same: secure your accounts before something goes wrong, document everything, and if something does happen, be clear and persistent in your communications with support.
Good luck out there. And go check your 2FA settings today.
Post Image Key: 1. Help, 2. META Business Suite, 3. Active cases you may have open, 4. Settings, 5. Search for the page or assets you need to fix – don’t reach out under the wrong account asset! 6. This may look like a place to start a case but it is just a feed back form. It’s great for providing feedback but is not likely to open a case which is the key to recovering your hacked Facebook page.
