Use a clean, trusted device and network. If possible, run a malware scan and use a private network (not public Wi-Fi) while doing these steps.

Have your password manager ready. You’ll rotate secrets and store backup codes securely.

No unfamiliar devices, browsers, or locations.

Only your current device should remain after you finish.

Click See all ▸ Log out of all sessions (or remove individually).

If you see any suspicious session, proceed to rotate your password (see Section 5) before continuing the rest.

People & Partners (who has access, including external agencies)

System Users / Apps (service accounts and app access)

Assets (Pages, Ad accounts, Pixels, Catalogs) and Ownership

Security Center ▸ 2FA enforcement & Business verification

Only expected People and Partners with correct roles; no unknown emails.

Ownership of key assets (Pages/Ad accounts) sits with the correct Business.

2FA is required for everyone in the Business (not just optional).

Remove unknown people/partners; downgrade over-privileged roles to least privilege.

In Security Center, Require two-factor authentication for all people with Business access.

Review System Users and Apps; remove anything you don’t recognize.

Confirm Business verification is in good standing to avoid takeover via compliance gaps.

List ALL your Pages: Left sidebar Menu → Pages → Your Pages (scroll the full list).
​Alt: Top-right profile photo → Switch profile → See all Pages.

Per Page (verify access): Open the Page → Settings (left) → Page Setup → Page access (New Page Experience shows “Page access” directly under Settings).

Business inventory: business.facebook.com → Business settings → Accounts → Pages (see Owned by and Partners; click a Page to view assigned People/Partners).

New/unknown Pages: Anything you don’t recognize in Your Pages or Business settings → Accounts → Pages (check Owned by/Partners, and recently added entries).

People with Facebook access: Everyone is known; roles match their job; 2FA enforced at Business level.

Partners with access: Only expected partner Businesses.

Ownership/linking: Page is owned by your Business and correctly shown under Professional dashboard → Linked Business assets.

If an unknown Page appears:

Remove unknown people/partners; downgrade any over-privileged roles to least privilege.

If ownership is wrong, transfer Page ownership back to your Business.

Repeat these checks for every Page in your list, not just the main one.

2FA is ON for your account.

You have at least one strong method: Authenticator App or Passkey (prefer these over SMS).

Business-level setting requires 2FA for everyone with Business access.

Turn on 2FA and choose Authenticator App first; keep SMS only as a backup.

In Business settings, toggle Require 2FA for all people with access.

Save Recovery/Backup codes (see Section 9).

The new password is unique, long, and stored in a password manager.

Saved login info and Remembered devices are cleared (see Section 8).

Change your password now if you saw any suspicious logins — do this before anything else.

After changing, log out of all sessions again (Section 1) to invalidate stolen cookies.

Update the password anywhere you used it (do not reuse across services).

Make sure the checkmark on ‘Log out of other devices’ is selected to ensure you are logging out of all other sessions.

Create a password with at least 15 characters.

Use a mix of special characters, numbers, uppercase, and lowercase letters.

Do not reuse passwords from other platforms or services.

Alerts are enabled to your email and Facebook notifications (and Messenger if desired).

Your primary email and phone number are current and accessible.

Toggle alerts ON for email and notifications.

Go to Personal details to confirm your email and phone; remove any you don’t recognize.

Make sure the fields under ‘Pages you manage’, ‘Other notifications’, ‘Reminders’, and ‘More activity about you’ are selected. Also make sure you activated all notifications under ‘Where you receive notifications’. Ensure that all toggles for email and SMS are turned on so you receive ALL alerts.

Only your device(s) are listed as passkeys; nothing unfamiliar.

Remove any passkey you don’t recognize.

Consider adding a passkey on your primary device for phishing-resistant login.

No devices are permanently trusted unless necessary.

Remove all trusted/saved devices. Only re-trust your primary device later if needed.

You have a fresh set of codes stored in a secure place (e.g., password manager secure notes).

Generate new codes; store them securely (never screenshot to your camera roll).

Label with date and share with no one. Treat them like keys to your account.

Copy the backup codes and paste them into the Spikerz Employee Protection feature after you generate the new codes.

Email and Facebook notifications toggles are ON.

Contact info (Accounts Center → Personal details → Contact info) is correct.

(Optional) In Security checks, glance at Where you’re logged in and Recent emails to confirm activity looks legit.

Open Login alerts → turn Email + Notifications ON.

If you ever get an alert you don’t recognize: Log out all sessions → Change password → Turn on/confirm 2FA → Clear trusted devices → Refresh backup codes.

Only trusted third-party apps/websites remain connected.

No unknown apps have manage pages, ads, or business permissions.

Remove any unused or suspicious integrations.

Re-authorize only what you need with the minimal scopes.