Why does Facebook keep allowing others to change my password?

Episode 1710 (50:53)

Joe from Glendale, CA
Authy

Joe got an email from Facebook saying his password had been changed. He changed it and turned on 2-factor authentication, but the password keeps getting changed back. Leo says that's a scary thought, and that Joe probably got bitten by a phishing scam and Facebook didn't send him an email at all. Leo says if it was legit, the first thing the hacker would do is change the email notification.

Leo also says to switch your 2-factor authentication from text messages to an authenticator app. Leo recommends Authy or Google Authenticator. Ignore emails and texts altogether when it comes to Facebook. Use Authy. It's free on your mobile device for Android or iOS.

You're also going to want to change your email password again. Do it from your email's web interface. Then you'll need to change it in the settings of your email client. If your email has been compromised, it can wreak a lot of havoc with your bank and any other online service that requires your email to log in.