Yeah, you're probably spot-on—it does sound like Meta (Facebook) flagged the account for security reasons after the suspicious login attempt and password reset. When something like that happens, even if the account looks fine on the surface, Facebook's backend systems often put a temporary hold or elevated risk status on billing activity.
Here’s what’s likely happening:
After a potential breach or suspicious activity, Meta automatically puts your ad account into a high-fraud-risk state, which:
Reduces charge thresholds back to ultra-low ($2 is common),
Triggers extra verification layers on every transaction, and
Often leads to payment methods being temporarily “challenged” or declined by default.
Even if your client has sufficient funds and the card is fine, Facebook doesn’t “trust” the transaction yet.
What You Can Try:
Wait 24–48 hours
Let Facebook’s systems “cool off” and re-evaluate the risk. Many times, the billing behavior resets after a day or two of normal login and no further flags.
Switch to a new, verified payment method
Sometimes just adding a new credit card (not a debit or prepaid) will reset billing trust faster.
Verify the business account
In Business Settings > Security Center, you can complete Business Verification (if not done yet), which helps re-establish trust.
Contact Meta Support again with full context
Mention the attempted hack, password reset, and explain the billing issue. Ask specifically if the account is under a temporary security review or billing hold. Sometimes they’ll push it to the payments/security team for internal review.
Pro tip:
Avoid repeatedly retrying payments manually if it fails the first time—it can actually worsen the trust score. Just wait, switch cards, or contact support directly instead.