Just heard that Facebook is reporting that 90 million accounts were compromised! How can I change my password and make sure I don’t get hacked?
You’re right that Facebook is reporting this alarming number, though whether it’s 50 million or 90 million is up for debate. Here’s what USA Today is reporting: “… the accounts of nearly 50 million users were breached. Attackers exploited a feature in Facebook’s code that allowed them to take over users’ accounts… Facebook says it patched the vulnerability Thursday night. It notified the FBI on Wednesday. Facebook does not yet know if people’s personal information was accessed by the attackers.”
Hopefully whatever was happening is now solved and patched, but it still means that 50 million (or more) Facebook users have likely had their accounts exposed to hackers and data mining efforts. Not good. Worse would be to lose control of your account entirely, so, as with any exploit, changing your password is a good idea. No, it’s a GREAT idea.
Facebook apparently is forcing compromised accounts to change their password by logging them out of the service, but I wouldn’t trust that, personally. Just update your password and enable 2-step verification (we’ll talk about that in a second) to stay safe.
I’m going to use the Web browser interface because that’s how I mostly use Facebook. It’s easy. From any Facebook page, go to the top right and click on the triangle to bring down this menu:
As highlighted, you want to choose “Settings” here to proceed.
On the subsequent screen, look on the right menu and choose “Security and Login”:
The main area on the right side will change to show you where you’re logged in and a bunch of other info.
Let’s start by looking at the current logins area:
Since I’m using a VPN on my Mac system, this is accurate data: My computer’s logged into Facebook through a Dallas point of presence, while my phone is in Boulder, CO where I actually have my office. Looks good.
But what if it was a device you didn’t recognize or a location that wasn’t where you’ve been in the last few days? A click on the three vertical dots will reveal a small menu:
In fact, if you’re really paranoid, you can log out of everywhere. Well, maybe everywhere but your actual Web browser, since logging out there will effectively end your session before you’ve changed your password!
Note also that “See More” shows additional places you’re logged in. Don’t recognize some of them? LOG OUT!
Further down on the screen is the section that lets you change your password and control additional account security settings. All of these are important:
We’ll come back to the Change password feature, but before we go there, please disable “Log in with your profile picture”. It’s a bad idea. And please do enable two-factor authentication. That’s a real lifesaver if your password is compromised, because even with your password, bad guys won’t be able to log in to your account without also having access to your smartphone.
Not sure how to enable two-step verification on Facebook? I have a handy – and easy to follow – tutorial on just that topic: How to Enable Two-Step Verification on Facebook. Please, just do it.
Okay, now I recommend you review the Authorized Logins and withdraw authorization for anything you don’t recognize. Worst case, you have to log in again from an app or Web site. No worries.
Click on the “Edit” button adjacent to the Change password entry on this window when you’re ready. Here’s what you’ll see:
Enter your current password, then pick a new one. I encourage you to use a password generator or to at least create a strong and complex password with digits, punctuation and both upper and lowercase letters. I am a fan of 1Password and it has an excellent password generation tool that I use all the time. And I never reuse passwords on multiple sites either.
Specified the new password? It’s a tough one to guess? Good. Click on “Save Changes” and…
Password has been changed. Phew. Now I encourage you to review other devices and aggressively log out of everything you don’t immediately recognize. And that’s it. Done. Safe.