So – a friend sent you a message that says, “You’ve been hacked!” because they received a friend request from you.
You probably haven’t been hacked.
Here’s what’s probably happening….
A bad actor sets up a Facebook account in your name and steals your profile picture.
Then he looks at your existing friends and makes friend requests of them.
You haven’t been hacked. You are simply being impersonated.
Your friends have hundreds (maybe thousands) of Facebook friends so unless you’re close, they don’t remember whether they are Facebook friends with you or not, so they accept the request.
Then your impersonator sends them a message: “Hey – I am stranded in Bombay with no money. Can you wire me some?!”
So you probably don’t need to change your password.
You (and your Facebook friends) need to report the fake account to Facebook.