Recovery

Recover a Hacked Facebook Business Portfolio

Business Portfolio compromised? Contain ad spend first, lock payments, then audit People, Partners, and System Users for anything the attacker left behind.

A compromised Business Portfolio is a money problem and an access problem at once. The attacker may be spending on your ad accounts right now, and they may have planted ways back in — a new person, a partner, or a System User token that keeps working after you change your password. Contain the spend first, then methodically remove every foothold.

If your situation is actually …

Recover a hacked Business Portfolio

Stage 1 · Stabilize

Contain the damage

  1. Pause every active and scheduled ad campaign across all ad accounts.
    Stops the bleeding while you investigate.
    Where: Meta Ads Manager
  2. Remove or lock payment methods, then contact your bank to flag or block further charges.
    A reset password does not stop a System User token from spending — cutting payment does.
    Where: Meta Business Suite → Billing & payments
  3. Secure the personal accounts behind the portfolio with new passwords and 2FA.
    Where: Facebook → Settings → Security and login
Stage 2 · Diagnose

Find every foothold

  1. Audit People in Business settings for any user you did not add.
    Where: Meta Business Suite → Business settings → People
  2. Audit Partners for any partner business you do not recognise.
    Attackers add a partner business so they keep access even after individual users are removed.
    Where: Meta Business Suite → Business settings → Partners
  3. Audit System Users — these are non-human accounts with long-lived tokens that survive password changes.
    A rogue System User is the most common persistence trick and the easiest to miss.
    Where: Meta Business Suite → Business settings → System Users
Stage 3 · Reclaim

Remove the attacker

  1. Remove every unrecognised person, partner, and System User you found.
    Where: Meta Business Suite → Business settings
  2. Reissue or revoke tokens for any System User you keep, so old tokens stop working.
    Where: Meta Business Suite → Business settings → System Users
  3. Confirm you still hold full control of the portfolio and that no ownership claims changed.
    Where: Meta Business Suite → Business settings → Business info
Stage 4 · Harden

Close the gaps

  1. Require two-factor authentication for everyone with portfolio access.
    Where: Meta Business Suite → Business settings → Security Center
  2. Keep at least two trusted admins so one compromised account cannot lock everyone out.
    Single-admin setups are how a hack becomes permanent.
  3. Schedule a recurring access review so leftover partners and System Users surface before they become incidents.
If this flow does not restore access: How to contact Meta support for access problems

Frequently asked questions

Almost certainly a System User. System Users have long-lived API tokens that are independent of your password — changing your password does nothing to them. You must remove the System User or revoke its token, and lock the payment method to stop the spend.

Delvia

Access issues are easier to prevent when roles, owners, and responsibilities are recorded clearly

Most access problems trace back to the same gap — no clear record of who has access, what role they hold, and what should happen when that changes. Delvia helps you keep that record so problems are visible before they become incidents.

Delvia is free on iPhone and Android. Keep a clear record of who has access to your accounts — and what to do when that changes — wherever you are.