Unauthorized Access To Facebook Account And Data Privacy Complaint

If someone entered your Facebook account without permission, changed your password, read your Messenger conversations, used your photos, posted as you, or used your account to scam other people, you may be dealing with both a cybercrime and a data privacy issue in the Philippines. The practical response is not just “report it to Facebook.” You need to secure the account, preserve proof, notify Meta/Facebook through its support channels, and decide whether to file with the National Privacy Commission (NPC), the NBI Cybercrime Division, the PNP Anti-Cybercrime Group, or sometimes all of them depending on what happened.

What “unauthorized access to a Facebook account” means under Philippine law

In ordinary terms, unauthorized access means someone entered, used, controlled, viewed, copied, altered, or interfered with your Facebook account or data without your permission.

Common examples include:

  • Someone guessed or stole your password and logged in.
  • A person used your phone while you were asleep and opened your Facebook or Messenger.
  • A scammer tricked you into giving a login code or one-time password.
  • Your email, SIM, or recovery number was compromised and used to reset Facebook access.
  • Someone accessed your Messenger conversations and shared screenshots.
  • A fake or duplicate account used your name, photos, and personal details.
  • A hacked account was used to message relatives asking for GCash, bank transfers, or “emergency” money.

Under the Cybercrime Prevention Act of 2012, or Republic Act No. 10175, “illegal access” includes access to the whole or any part of a computer system without right. The Supreme Court, in Disini v. Secretary of Justice, recognized that punishing access to another’s computer system without right targets conduct that is not protected speech. (Supreme Court E-Library)

A Facebook account is not just a social media profile. It may contain personal information, such as your name, photos, birthday, location, contacts, private messages, login history, device information, and sometimes sensitive personal information such as health details, religion, political opinions, government IDs, financial information, or private family matters. That is why the same incident may also fall under the Data Privacy Act of 2012, or Republic Act No. 10173.

Is a hacked Facebook account a data privacy complaint?

It can be, but not every hacked Facebook account automatically becomes a strong NPC complaint.

A data privacy complaint is strongest when the incident involves one or more of these:

  • Unauthorized processing of your personal data, such as use, collection, disclosure, copying, posting, or sharing without lawful basis.
  • Failure of a personal information controller to protect your personal data.
  • Unauthorized disclosure of private messages, photos, videos, IDs, or other personal information.
  • Failure to act properly after you reported the breach or violation.
  • Use of your personal data for unauthorized purposes, such as impersonation, scams, harassment, blackmail, or fake account creation.

The NPC generally handles violations involving personal data and the obligations of personal information controllers (PICs) and personal information processors (PIPs). A PIC is an entity or person that controls how and why personal data is processed. A PIP processes personal data on behalf of a PIC. The Data Privacy Act gives data subjects rights such as the right to be informed, right to access, right to rectification, right to object, right to erasure or blocking, and right to damages for unauthorized use of personal information. (National Privacy Commission)

For a Facebook hacking incident, the NPC complaint may be directed against the person who misused the data, against an organization involved in the misuse, or against a platform or entity if the complaint is really about its handling of personal data, response to a report, or alleged failure to address a privacy violation. But if your main goal is to identify and prosecute the hacker, the proper route is usually NBI or PNP cybercrime investigation, not only an NPC complaint.

Legal bases in the Philippines

Data Privacy Act of 2012: RA 10173

The Data Privacy Act protects personal information in information and communications systems in both the government and private sector. Its basic principles are transparency, legitimate purpose, and proportionality. In simple terms, personal data should be processed openly, for a lawful and declared purpose, and only to the extent necessary. (Lawphil)

Relevant provisions include:

| Issue | Possible legal basis |
| --- | --- |
| Someone used your personal information without authority | Section 25, unauthorized processing of personal information or sensitive personal information |
| Someone accessed a system where personal and sensitive personal information is stored | Section 29, unauthorized access or intentional breach |
| A PIC failed to protect personal information from unlawful access or misuse | Section 20, security of personal information |
| Someone disclosed private information without authority | Sections 31 and 32, malicious or unauthorized disclosure |
| Your personal data was used for another purpose, such as scams or harassment | Section 28, processing for unauthorized purposes |

The penalties under RA 10173 can include imprisonment and fines. For example, unauthorized processing of personal information may be punished by imprisonment of one to three years and a fine of ₱500,000 to ₱2,000,000, while unauthorized processing of sensitive personal information carries heavier penalties. Unauthorized access or intentional breach under Section 29 may also carry imprisonment and a fine. (National Privacy Commission)

Cybercrime Prevention Act of 2012: RA 10175

RA 10175 directly covers hacking-type conduct. It penalizes:

  • Illegal access — accessing a computer system without right.
  • Data interference — intentional or reckless alteration, damaging, deletion, or deterioration of computer data without right.
  • System interference — interfering with the functioning of a computer or network.
  • Misuse of devices — including passwords or access codes intended for cybercrime.
  • Computer-related fraud — unauthorized input, alteration, deletion, or interference with fraudulent intent.
  • Cyberlibel — libel under the Revised Penal Code committed through a computer system.

The law also provides that the NBI and PNP are responsible for cybercrime law enforcement and must organize cybercrime units or centers to handle these cases. (Supreme Court E-Library)

Civil Code remedies for privacy and damages

Even when a criminal case is difficult to prove, a separate civil claim may sometimes be available. Article 26 of the Civil Code requires every person to respect the dignity, personality, privacy, and peace of mind of others. It recognizes a cause of action for damages, prevention, and other relief for acts such as meddling with or disturbing another person’s private life. Article 32 also allows an independent civil action for violation of certain rights, including privacy of communication and correspondence, with moral damages and possible exemplary damages. (Supreme Court E-Library)

This matters when, for example, an ex-partner opens your Messenger, screenshots private conversations, sends them to relatives, or posts intimate or humiliating material. That may involve privacy, civil damages, criminal law, and data privacy issues all at the same time.

Data privacy complaint vs cybercrime complaint: which one should you file?

| Your main problem | Better first office | Why |
| --- | --- | --- |
| You want to recover your Facebook account | Facebook/Meta hacked account recovery tools | Government agencies usually cannot directly restore your account |
| Someone hacked your account and scammed people | NBI Cybercrime Division or PNP Anti-Cybercrime Group | This is investigation and possible criminal prosecution |
| Private messages, photos, IDs, or personal data were accessed or shared | NPC, plus NBI/PNP if criminal conduct is involved | This may involve data privacy violations and cybercrime |
| A company, school, employer, lending app, or organization misused your Facebook data | NPC | This is closer to a personal data processing complaint |
| A fake account uses your name and photos | Facebook/Meta report, NPC if personal data is misused, NBI/PNP if fraud or harassment is involved | Multiple remedies may apply |
| The hacker is unknown | NBI/PNP first | Investigators may need preservation or disclosure processes for technical data |
| You already reported to Meta but nothing happened | NPC may be considered if the issue involves personal data rights and you have proof of the report | NPC rules require proof that you gave the PIC or concerned entity a chance to act |

A practical point: do not rely on only one report button. Save proof of every report, every automated reply, every reference number, every screenshot, and every email. In a recent NPC resolution involving Meta Platforms, the Commission emphasized the need for proof that the complainant reported the matter to the platform or gave the PIC an opportunity to act; merely saying that a report was made through the support/help center was not enough.

What to do immediately after your Facebook account is hacked

1. Secure the account and connected accounts

Use Facebook’s official hacked-account process, preferably on a device you previously used to log in. Meta’s hacked account page says it will walk users through security steps to recover the account. (Facebook)

Do these as soon as possible:

  1. Change your Facebook password if you still have access.
  2. Log out of unknown devices.
  3. Turn on two-factor authentication.
  4. Check linked email addresses and mobile numbers.
  5. Check your email account security because Facebook recovery often depends on email access.
  6. Check your SIM or phone number if OTPs were intercepted.
  7. Review recent posts, messages, ads, marketplace listings, page admin changes, and payment settings.
  8. Warn relatives, friends, staff, customers, or page followers if the account was used for scams.

2. Preserve evidence before deleting anything

People often panic and delete posts, messages, or comments. That can make investigation harder. Preserve first, then clean up.

Save:

  • Screenshots showing the hacked posts or messages.
  • URLs of the Facebook profile, page, post, comment, or fake account.
  • Date and time of discovery.
  • Login alerts from Facebook or email.
  • Password reset emails or OTP messages.
  • Messages from victims who were scammed.
  • Proof of money transfers, GCash receipts, bank transfers, or crypto wallet addresses.
  • Screenshots of account settings showing changed email, number, name, or device.
  • Your report to Facebook/Meta and any reference number.
  • Your government ID or proof that the account, number, page, or business belongs to you.

For evidence, take screenshots that show the full screen, date/time where possible, sender profile, URL, and surrounding context. For serious cases, have screenshots printed and attached to a sworn statement. Some complainants also execute an affidavit explaining how the screenshots were obtained.

3. Report to Facebook or Meta and keep proof

For NPC purposes, proof that you gave the concerned entity a chance to act can be important. Under the amended 2021 NPC Rules of Procedure, a complaint generally will not be given due course unless the complainant proves that they informed the PIC, PIP, or concerned entity in writing of the privacy violation or personal data breach, and that the entity failed to take timely or appropriate action or did not respond within 15 calendar days.

Because Facebook reports are often made through online forms, you should keep:

  • Screenshots of the completed report form.
  • Email confirmations.
  • Case numbers or support inbox messages.
  • Dates when you submitted each report.
  • Proof that the account, page, or data is yours.
  • Follow-up messages if no action was taken.

4. File a cybercrime complaint if there was hacking, fraud, threats, blackmail, or scams

The DOJ Office of Cybercrime advises the public that cybercrime complaints may be brought to the National Bureau of Investigation – Cybercrime Division or the Philippine National Police – Anti-Cybercrime Group. (Cybercrime Division)

The NBI Citizen’s Charter for investigative assistance to victims of computer crimes identifies its CyberCrime Division service as available to the general public, with complainants proceeding to file a complaint or request investigation, undergoing preliminary interview, and executing sworn statements or submitting prepared affidavits. (National Bureau of Investigation)

Bring a printed and digital evidence packet. In practice, it helps to organize it this way:

  1. Affidavit-complaint narrating what happened.
  2. Chronology with dates, times, and links.
  3. Screenshots and printouts labeled as annexes.
  4. Proof of ownership or identity, such as IDs, email ownership, SIM registration details, business registration, page admin proof, or prior account screenshots.
  5. Proof of damage, such as scam transfers, business losses, threats, reputational harm, or customer complaints.
  6. Names of suspects, if known, or leads such as phone numbers, GCash accounts, email addresses, bank accounts, IP-related notices, or linked profiles.
  7. Proof of reports to Facebook/Meta, if available.
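One way to keep the digital half of this packet verifiable, as an added example that is not part of the original guide: it orders the saved files into a chronology, assigns annex labels, fingerprints each file with SHA-256 so a later check shows whether anything was edited or lost, and tests whether the 15-calendar-day notice window has passed. Hashing is a practice added here; the file names, URLs and timestamps are constructed samples, and counting the window from the day after the report is an assumption.

```python
import hashlib
import tempfile
from datetime import datetime, timedelta
from pathlib import Path

NOTICE_WINDOW_DAYS = 15  # calendar days, the figure the guide gives for the NPC rules


def sha256_file(path):
    """Hash in chunks so large screen recordings are not loaded into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def annex_label(index):
    label, index = "", index + 1  # 0 -> Annex A, 25 -> Annex Z, 26 -> Annex AA
    while index:
        index, rem = divmod(index - 1, 26)
        label = chr(ord("A") + rem) + label
    return "Annex " + label


def build_manifest(items):
    """Sort items by capture time (the chronology) and fingerprint each file."""
    ordered = sorted(items, key=lambda i: datetime.fromisoformat(i["captured_at"]))
    manifest = []
    for n, item in enumerate(ordered):
        path = Path(item["path"])
        manifest.append({
            "annex": annex_label(n), "file": path.name,
            "description": item["description"], "source_url": item["source_url"],
            "captured_at": item["captured_at"], "size_bytes": path.stat().st_size,
            "sha256": sha256_file(path),
        })
    return manifest


def verify_manifest(manifest, folder):
    """Return (annex, problem) pairs for files missing or changed since listing."""
    problems = []
    for entry in manifest:
        path = Path(folder) / entry["file"]
        if not path.is_file():
            problems.append((entry["annex"], "missing"))
        elif sha256_file(path) != entry["sha256"]:
            problems.append((entry["annex"], "modified"))
    return problems


def no_response_ground_available(report_date, today, got_response):
    """True once the 15-day window has fully passed with no response.
    Assumption: the day after the written report counts as day 1."""
    return not got_response and today > report_date + timedelta(days=NOTICE_WINDOW_DAYS)


def write_constructed_samples(folder):
    """Constructed sample evidence; names, URLs, times and bytes are invented."""
    samples = [
        ("meta_report_confirmation.png", "Report submitted to Meta",
         "https://example.invalid/support-inbox", "2024-03-02T09:05:00+08:00"),
        ("login_alert.eml", "Login alert email", "", "2024-03-02T06:40:00+08:00"),
        ("scam_message.png", "Message sent to a relative asking for money",
         "https://example.invalid/messenger-thread", "2024-03-02T07:15:00+08:00"),
    ]
    items = []
    for name, description, url, captured_at in samples:
        path = Path(folder) / name
        path.write_bytes(("constructed sample: " + name).encode())
        items.append({"path": str(path), "description": description,
                      "source_url": url, "captured_at": captured_at})
    return items


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as folder:
        manifest = build_manifest(write_constructed_samples(folder))
        print([(e["annex"], e["file"], e["sha256"][:12]) for e in manifest])
        print(verify_manifest(manifest, folder))
```

Build the manifest before cleaning up the account, keep the original files untouched, and rerun the verification on the copy you hand over.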

Law enforcement may need court processes to obtain subscriber information, traffic data, or relevant data from service providers. RA 10175 provides for preservation of traffic data and subscriber information for a minimum of six months and disclosure of computer data upon securing a court warrant, subject to the law’s requirements. (Supreme Court E-Library)

How to file a data privacy complaint with the NPC

Step 1: Identify the privacy violation

Before drafting, be clear about what privacy right was violated. Examples:

  • My personal photos were copied and posted without consent.
  • My Messenger conversations were accessed and disclosed.
  • My ID, phone number, address, or private information was exposed.
  • My account was used to process my personal data for scams.
  • The platform or entity failed to respond properly after I reported the breach.
  • A business, school, employer, or organization used my Facebook data without lawful basis.

Avoid vague statements like “my privacy was violated.” State the specific personal data, who processed it, how it was processed, why it was unauthorized, and what harm resulted.

Step 2: Notify the respondent in writing first

For many NPC complaints, this is the step people miss.

The amended NPC Rules require proof that the complainant informed the PIC, PIP, or concerned entity in writing and gave it a chance to take appropriate action. If there is no response within 15 calendar days, or the action is not timely or appropriate, the NPC complaint may proceed. The NPC may waive this requirement for good cause or serious violations, such as grave and irreparable damage that only NPC action can prevent.

For Facebook-related complaints, written notice may include:

  • A report through the hacked account portal.
  • A report through Facebook Help Center or Support Inbox.
  • An email or written communication if available.
  • A formal demand or privacy rights request.
  • Screenshots proving submission.

Step 3: Prepare the verified complaint

A formal NPC complaint must be in writing, signed, and verified. It should identify the complainant, respondent, contact details, facts, evidence, reliefs sought, correspondence with the respondent, and supporting affidavits or documents. It must also include a certification against forum shopping. Failure to comply with the proper form and contents may lead to outright dismissal.

Your complaint should normally include:

| Requirement | Practical notes |
| --- | --- |
| Verified complaint-affidavit | Must be signed and notarized |
| Identity of complainant | Full name, address, email, contact number |
| Identity of respondent | Hacker, fake account user, organization, platform, company, or “unknown” with identifying leads |
| Statement of facts | Chronological, specific, with dates |
| Personal data involved | Photos, messages, IDs, phone number, location, account credentials, sensitive data |
| Law or rights violated | DPA, IRR, NPC issuances, data subject rights |
| Proof of prior written notice | Screenshots or copies of report to Meta/Facebook or respondent |
| Evidence | Screenshots, URLs, affidavits, receipts, emails, logs |
| Reliefs requested | Investigation, correction, deletion, blocking, damages, temporary ban if proper, other appropriate relief |
| Certification against forum shopping | Required sworn certification |

Step 4: Notarize and file with the NPC

The NPC’s public filing instructions state that a formal complaint must be downloaded, printed, filled out, notarized, and submitted to the NPC in person, by courier, or by scanned email. (National Privacy Commission)

Under the amended NPC Rules, complaints may be filed personally, by registered mail, by courier, or electronically as authorized by the Commission.

For Filipinos abroad, the amended NPC Rules recognize that a non-resident citizen without an authorized representative in the Philippines may submit a complaint, provided the complaint is notarized by the Philippine Embassy or Consulate, or has an apostille certificate from the country of origin.

Step 5: Pay filing fees, unless exempt

NPC Circular No. 2023-01 lists a ₱500 filing fee for complaints, additional fees for claims of damages, a ₱500 motion for reconsideration fee, and a ₱1,000 fee for an application for a cease-and-desist order. Indigent litigants may be exempt if they meet the stated requirements, including a barangay certificate of indigency and supporting affidavits. (National Privacy Commission)

Step 6: Wait for evaluation, comment, mediation, investigation, or decision

Under the amended NPC Rules, the NPC assigns the complaint for evaluation. A complaint may be dismissed outright if it is insufficient in form, if the respondent was not given an opportunity to address the complaint, if it does not involve a DPA violation or privacy violation/data breach, if there is insufficient information, or if parties cannot be identified despite diligence. If the complaint is given due course, the respondent may be required to file a verified comment within 15 calendar days.

In practice, timelines vary depending on completeness of documents, whether the respondent can be served, whether mediation is attempted, whether technical facts must be investigated, and whether multiple parties are involved.

Common mistakes that weaken Facebook privacy complaints

Reporting only verbally or through chat

A phone call, casual message, or verbal request is hard to prove. Use written reports and save screenshots.

Filing with the NPC without first notifying the respondent

This is a common reason complaints are dismissed or delayed. The NPC usually wants proof that the respondent had a chance to address the issue, unless there is a strong reason to waive that requirement.

Not proving that the account or data is yours

If the account uses a nickname, old number, business name, or page name, attach proof connecting you to it. In the Meta-related NPC resolution mentioned earlier, the Commission noted problems with evidence that did not sufficiently prove that the accounts or mobile number were the complainant’s personal data.

Depending only on screenshots without context

Screenshots should show URLs, profile identifiers, timestamps, and surrounding conversation. Investigators need to understand who sent what, when, and how it relates to you.

Waiting too long

Digital traces can disappear. Accounts may be deleted, URLs may change, devices may be wiped, and scam proceeds may be moved. RA 10175 has preservation rules for certain computer data, but you still need to report early so law enforcement can act while useful data may still exist. (Supreme Court E-Library)

Confusing account recovery with legal liability

NPC, NBI, PNP, and prosecutors handle legal processes. They do not function as Facebook customer support. Account recovery usually still begins with Meta’s own tools.

Special situations

If the hacker used your account to borrow money or scam relatives

File a cybercrime complaint as soon as possible. Include GCash numbers, bank accounts, crypto addresses, screenshots of conversations, and affidavits from people who sent money. Warn contacts publicly, but avoid making accusations against a named person unless you have evidence.

If an ex-partner opened your Messenger

This may involve illegal access, privacy violations, civil damages, and possibly other offenses depending on whether private images, threats, or coercion are involved. Preserve device access evidence, screenshots, admissions, and witness statements.

If your employer, school, condo admin, or lending app used Facebook data

This may be a stronger NPC case because an organization may be acting as a PIC. Focus on what data was collected, where it came from, whether you consented, the purpose, who received it, and whether the processing was necessary and proportionate.

If you are a foreigner in the Philippines

Philippine cybercrime law may apply if elements of the offense occurred in the Philippines, a computer system in the Philippines was used, or damage was caused to a person who was in the Philippines at the time. RA 10175 also places cybercrime cases under the Regional Trial Court, with designated cybercrime courts. (Supreme Court E-Library)

For data privacy, RA 10173 has extraterritorial application in certain situations, including acts involving personal information about a Philippine citizen or resident, and entities with links to the Philippines such as carrying on business in the Philippines or collecting or holding personal information in the Philippines. (National Privacy Commission)

If you are a Filipino abroad

You may still report a cybercrime or data privacy issue, especially if the suspect, victim, account, damage, or relevant entity has a Philippine connection. For NPC complaints, non-resident citizens may need consular notarization or an apostille if filing from abroad.

Frequently Asked Questions

Can I file a data privacy complaint if my Facebook was hacked?

Yes, if the hacking involved misuse, access, disclosure, or unauthorized processing of your personal data. But if your main goal is to identify and prosecute the hacker, you should also consider filing with the NBI Cybercrime Division or PNP Anti-Cybercrime Group.

Should I file with the NPC or NBI first?

File with NBI or PNP first if there is hacking, fraud, blackmail, threats, identity theft, or scams. File with the NPC if the issue involves data privacy rights, misuse of personal data, failure of a PIC to act, or unauthorized disclosure of your personal information. In serious cases, both routes may be appropriate.

Does the NPC recover hacked Facebook accounts?

The NPC handles data privacy complaints. It is not Facebook customer support and usually does not directly restore account access. Use Meta’s hacked account recovery process while preserving proof for possible legal action.

What proof do I need for a hacked Facebook complaint?

Prepare screenshots, URLs, login alerts, password reset emails, OTP messages, scam messages, proof of account ownership, reports submitted to Facebook, witness affidavits, and proof of damage such as GCash or bank transfer receipts.

Do I need to notify Facebook before filing with the NPC?

In most cases, yes. NPC rules generally require proof that you informed the PIC, PIP, or concerned entity in writing and that it failed to respond within 15 calendar days or did not take timely or appropriate action, unless the NPC waives the requirement for good cause or serious harm.

How much is the NPC filing fee?

The basic NPC filing fee for complaints is ₱500, with additional fees for claims of damages and certain applications such as cease-and-desist orders. Indigent litigants may be exempt if they submit the required proof. (National Privacy Commission)

Can I sue the hacker for damages?

Possibly. Aside from criminal and data privacy remedies, the Civil Code recognizes civil actions for privacy-related wrongs and violations of rights, including moral damages in proper cases. (Supreme Court E-Library)

What if I do not know who hacked my account?

You may still report to NBI or PNP. Provide all technical and circumstantial leads, such as phone numbers, emails, URLs, scam accounts, bank or wallet details, login alerts, and names of people who received messages. Law enforcement may seek preservation or disclosure of data through proper legal processes.

Can I file from abroad?

Yes, but expect additional document requirements. For NPC complaints by non-resident Filipino citizens, the amended rules require notarization by the Philippine Embassy or Consulate or an apostille certificate from the country of origin.

Key Takeaways

  • A hacked Facebook account may involve cybercrime, data privacy violations, civil damages, or all three.
  • Use Facebook/Meta recovery tools immediately, but preserve evidence before deleting posts or messages.
  • Report hacking, scams, threats, blackmail, and fraud to the NBI Cybercrime Division or PNP Anti-Cybercrime Group.
  • File with the NPC when the issue involves misuse, disclosure, unauthorized processing, or mishandling of personal data.
  • For NPC complaints, keep proof that you notified the respondent in writing and allowed time for action, unless there is a strong reason for waiver.
  • Strong evidence matters: screenshots should show URLs, dates, account identifiers, context, and proof that the account or data belongs to you.
  • Filipinos abroad and foreigners in the Philippines may still have remedies when the facts have a sufficient Philippine connection.

Disclaimer: This content is not legal advice and may involve AI assistance. Information may be inaccurate.