How To Protect Yourself From The Recent Facebook Breach

October 12, 2018

Facebook announced a data breach on Friday, Sept. 28, in which the personal information of 50 million user accounts was put at risk due to a vulnerability in the social network's code.

The attack potentially exposed personal information and gave hackers the ability to take control of users' profiles. Since discovering the breach, Facebook has fixed the vulnerability and has notified law enforcement, which is investigating.

Was My Facebook Account Affected?

About 50 million Facebook users were affected by the code vulnerability, which gave hackers the ability to steal "access tokens," the digital keys that allow users to stay logged into their accounts.

(When you sign in to a site or app with your username and password, your browser or device typically receives a digital key known as an access token that lets you stay logged in without having to re-enter your credentials every time. That token does not actually store your password.)

Fraudsters could use these access tokens not only to take over users' Facebook profiles but also to access third-party accounts, such as Airbnb, Spotify or Uber, that use Facebook credentials to log in.

Though 50 million accounts were targeted, Facebook reset the access tokens on a total of 90 million accounts as a precautionary measure. If your account was affected, you would have been logged out of Facebook and would need to log back in with your password the next time you visit the site.

What Personal Data Could Have Been Compromised in the Facebook Attack?

According to Facebook, attackers tried to target certain information, including users' names, genders, and hometowns listed in their profiles. But it's not yet clear if that or any other user information was actually compromised before Facebook fixed the vulnerability.

Though the access tokens targeted in the attack could potentially be used to log into third-party sites, Facebook announced on Oct. 2 that its investigators don't believe such third-party sites were affected.

How Do I Protect Myself as a Facebook User?

If you were one of the 90 million users whose access tokens were reset by Facebook, you would have been logged out of your account and will need to log back in. You should have received a notification about this on the top of your Facebook news feed. But even if you were not affected, this is a good time to take the following steps to ensure your identity and personal information is protected:

  • Conduct a Device Audit

To find out if anyone has improperly accessed your Facebook account, click on "Settings" on Facebook. Next, go to the "Security and Login" tab. There, you will see a list of all the devices, locations and the most recent dates that you have logged into Facebook.

If you see any that you do not recognize, you can remove that device from being logged in. Facebook will also take you through a step-by-step process to secure your account if this is the case. You can also log out of all sessions.
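The access-token description above and this device audit are two views of the same server-side record. As an added illustration (constructed here, not Facebook's code), the following minimal token service shows why a token is not your password, what a "where you're logged in" list is built from, and why a precautionary token reset simply logs people out:

```python
import secrets
import hashlib
from dataclasses import dataclass, field

# Constructed example service. Tokens are random keys, stored only as hashes,
# and are never derived from the user's password.

@dataclass
class Session:
    user: str
    device: str
    location: str
    issued_at: float

@dataclass
class TokenStore:
    sessions: dict = field(default_factory=dict)

    @staticmethod
    def _key(token: str) -> str:
        # Hash before storing so a leaked table cannot be replayed as tokens.
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, user: str, device: str, location: str, now: float) -> str:
        # A fresh random token proves "this device logged in", nothing more.
        token = secrets.token_urlsafe(32)
        self.sessions[self._key(token)] = Session(user, device, location, now)
        return token

    def resolve(self, token: str):
        # The session behind a token, or None if revoked or never issued.
        return self.sessions.get(self._key(token))

    def device_audit(self, user: str) -> list:
        # What the "Security and Login" device list shows for one user.
        return sorted((s.device, s.location, s.issued_at)
                      for s in self.sessions.values() if s.user == user)

    def logout_all(self, user: str) -> int:
        # "Log out of all sessions": every token for this user stops working.
        doomed = [k for k, s in self.sessions.items() if s.user == user]
        for k in doomed:
            del self.sessions[k]
        return len(doomed)

    def precautionary_reset(self, users) -> int:
        # Bulk token reset for a set of accounts: those users are logged out
        # and must log in again; no password is touched or needed.
        return sum(self.logout_all(u) for u in set(users))
```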

  • Reset Your Facebook Password

According to Facebook, there is no need to reset your Facebook login password. However, there is no harm in doing so—and it might be a good idea if you have a weak password or have noticed any suspicious activity.

Consider resetting your Facebook password to one that is unique and not used on any of your other sites or apps. To do so, go to "Settings," then "Security and Login," and click "Edit" on the "Change password" section. Remember to use a password with an uppercase letter, a lowercase letter, a number, and a special character, and at least nine characters in total.

  • Enable Two-Factor Authentication

For the strongest protection, turn on two-factor authentication. I have been using the Google Authenticator. This security feature requires a unique code, sent by text message, call, or email, to log into your account after you enter your password.

That way, even if someone obtains your password, they can't log into your account without the code. To enable two-factor authentication in Facebook, go to "Settings," then "Security and Login," where you will see the option to turn it on.

  • Check Which Sites and Apps Use Facebook for Login

If an attacker has your Facebook access token, they can get into your Facebook account—and also any other site or app you have used Facebook to log in with, such as streaming services, apps or games, and more. Even though Facebook has since announced that third-party sites using Facebook logins were not hacked, it's still smart to decouple your logins to limit what a stolen token could reach.

To find out which apps and sites use your Facebook login, go to "Settings" and then "Apps and Websites." There you will see a list of all active, expired and removed websites and apps that use your Facebook login. You can remove any or all of these apps. You may want to update the passwords on these services, as well.

How Can I Safeguard My Identity Going Forward?

Data breaches have become an unfortunate part of life in our digital world. In 2017 alone, there were 1,579 data breaches exposing nearly 179 million records. That's why it's important to remain vigilant to protect your identity online and off.

  • Be Aware of Online Scams

Start by being aware of phishing scams in which fraudsters use the information they know about you—like your name or hometown (information that may have been accessed in the Facebook breach)—to get you to divulge other personal data through email. Scammers do this by embedding hyperlinks into emails or text messages that direct you to sites intended to collect your personal information or install malware onto your computer or phone.

As a rule of thumb, do not click on links sent through email or text, especially if they are asking you to give up personal information. There are several variations of phishing scams—including spear phishing, angler phishing, and smishing—but the bottom line is you should always be vigilant when being asked to enter any personal information online or via text.

  • Consider a Free Fraud Alert

If you're worried that you are a victim of identity theft, consider filing a free initial fraud alert on your credit file that remains active for one year through the Experian fraud center. (File it with one credit bureau and you're good to go because the bureaus will share such alerts with their counterparts.) The fraud alert notifies lenders pulling your credit report to take extra steps to verify your identity.

  • Monitor Your Credit and Identity

If you're concerned about your personally identifiable information being out there, you should check a free credit report for errors or suspicious accounts. Run a free dark web scan as well to find out if information like your Social Security number, phone number or email addresses are on the dark web.

  • Protect Your Children

Roughly 7% of all Facebook users are under the age of 18. While you are protecting your own identity, make sure your kids are safe, too—because scammers are now committing child identity theft.

Run a free Child ID Scan to find out if your child's Social Security number is out there or if there is an Experian credit file in her name, which could be a sign of fraud.

If you want to learn more about Cyberwellness, go to to take a course on Cyberwellness.

Source: Article Written by Asmat Ingla


About the author

Ted Jenkin


CEO and co-Founder

Ted Jenkin is a frequent guest columnist for the Wall Street Journal and Headline News Weekend Express. He is the co-CEO of oXYGen Financial. You can follow him on LinkedIn @ or on Twitter @tedjenkin.