With just a phone number
The attacker first needs to click on the "Forgot account?" link on the Facebook.com homepage to reset your password. Now, when asked for a phone number or email address linked to the target account, the hacker needs to provide the legitimate phone number.
The attacker then diverts the SMS containing a one-time passcode (OTP) to their own computer or phone, and can gain access to the target's Facebook account.