In the wake of an epidemic of hacked Facebook accounts, here are my suggestions for keeping your account from getting “hacked”.
- Most often your Facebook account is not really “hacked”, and your Facebook password is not what gets stolen. What gets compromised is your email or your phone number. The attack simply starts by asking Facebook to reset your password using your name, username, or your best-known email address. Facebook then sends a password-reset link to your email, or a 2FA/recovery code to your phone by SMS. The attacker gets hold of those by breaking into your mailbox or by taking over your phone number (a SIM swap or number port).
- These break-ins are often done by people who know you in some way, i.e. people who hold some verifiable information about you: your email address, phone number, date of birth and so on. That group includes anyone with a copy of your NID or passport, the security guard you gave your full name, phone number and email address to in order to enter a building, and the IT support guy who helped you install your anti-virus. Taking over a completely random account is far harder than taking over one you already hold some information about.
The most effective ways to prevent your Facebook account from being hacked:
- Install Authy or Google Authenticator. Ideally, also use a password manager app; I recommend Dashlane.
- Turn on two-factor authentication immediately. Use the Authy/Authenticator app to generate the codes and avoid SMS codes wherever there is an option: an SMS code is exactly what a SIM swap captures. Save the recovery codes Facebook gives you in your password manager, not in a note on your phone.
- Go to Facebook settings > Apps and Websites and ideally remove everything listed there, or keep only the apps, services and games you really must keep. Give up the habit of “Log in with Facebook” completely; every site you sign into that way is tied to your Facebook account. Use your email address to open accounts on other websites and services instead.
- Never leave your computer or phone unlocked, not at home and not at work. Religiously lock your computer before you leave your desk (Windows+L on Windows, Control+⌘+Q on a Mac), even if it is only for a few seconds. On your work machine insist on a personal account of your own and do not share its password with anyone; your office IT team can have their own admin account on the machine for maintenance, but they never need your personal account’s password. If your employer disagrees, quit the job.
- Do not log in to your account from random computers or phones, not even your friends’ or your office computers. If you must, use an incognito/private window (it stops the browser from keeping your session and saved passwords, but it does nothing against a keylogger or other malware already on that machine) and check the address bar before typing anything: the connection must be https, and the host must be exactly https://www.facebook.com/ with nothing added in the middle or at the end (www.facebook.com.something.com or www-facebook.com are not Facebook). Do not rely on a green bar or a lock icon; the lock only means the connection is encrypted, and a phishing site can have one too.
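The address-bar check above, written out as code so that the phishing shapes it is meant to catch are explicit. This is an added example, not code from the original post or from Facebook; the sample URLs are constructed, and the rule it encodes is the post's own (https, host exactly www.facebook.com, nothing else). It accepts any path on that host because the genuine login and password-reset pages live under paths there; the decisive part is the host name.

```python
from urllib.parse import urlsplit

# The only host the post tells you to accept before typing a password.
GENUINE_HOST = "www.facebook.com"


def check_login_url(url: str) -> tuple:
    """Return (ok, reason) for a URL read off the browser's address bar.

    ok is True only for an https URL whose host is exactly www.facebook.com
    (default port) with no user name or password embedded in it. Every other
    outcome comes with the reason you should stop typing.
    """
    parts = urlsplit(url.strip())
    if parts.scheme.lower() != "https":
        return False, "not https"
    if parts.username is not None or parts.password is not None:
        # https://www.facebook.com@attacker.example/ : the browser connects to
        # whatever follows the '@'; the familiar name before it is bait.
        return False, "user name or password embedded in URL"
    try:
        host, port = parts.hostname, parts.port  # hostname comes back lower-cased
    except ValueError:
        return False, "malformed port"
    if host != GENUINE_HOST:
        # Catches prefix/suffix tricks (www.facebook.com.login-help.example),
        # look-alike spellings (faceb00k) and Unicode homoglyph hosts alike.
        return False, "host is %r, not %r" % (host, GENUINE_HOST)
    if port not in (None, 443):
        return False, "unexpected port %d" % port
    return True, "ok"


# Constructed sample URLs: the genuine one plus common phishing shapes.
SAMPLE_URLS = [
    "https://www.facebook.com/",
    "https://www.facebook.com/login/",
    "http://www.facebook.com/",
    "https://www.facebook.com.login-help.example/",
    "https://www.facebook.com@login-help.example/",
    "https://www.faceb00k.com/",
    "https://www.f\u0430cebook.com/",  # Cyrillic 'a' in place of Latin 'a'
    "https://www.facebook.com:8443/",
]

if __name__ == "__main__":
    for sample in SAMPLE_URLS:
        ok, reason = check_login_url(sample)
        print("%-48s %s %s" % (sample, "OK  " if ok else "STOP", reason))
```

Only the first two sample URLs pass; the rest each fail with a specific reason, which is the same decision a careful human makes by reading the host name rather than the padlock.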
Steps to secure your Facebook:
- Create a fresh email address dedicated to Facebook. Use protonmail.com to make the new address. Ideally do not share this address with anyone and do not use it for anything else; an address nobody knows cannot be used to start a password reset against you.
- Go to Facebook settings > General > Contact. Add your new Protonmail address as the primary email, then remove every other email address from the account; any address left there can still receive a reset link.
- Check where you are logged in (Facebook settings > Security and Login) and remove any unknown or unnecessary device from the list.
- In Protonmail go to Settings > Security and turn on two-factor authentication; as always, use Authy/Authenticator and avoid SMS.
- Now go to Settings > Keys. Click the dropdown arrow next to your email address, then Actions: Export, and select “Public Key”. This downloads an .asc file. Open the .asc file with Notepad (or TextEdit on Mac), select all and copy the entire contents. The text must begin with “-----BEGIN PGP PUBLIC KEY BLOCK-----”; if it says PRIVATE KEY BLOCK you exported the wrong key, and that one must never be given to anyone.
- Go to Facebook settings > Security and Login and scroll down to Encrypted notification emails.
Paste the text there, tick the box “Use this public key to encrypt notification emails that Facebook sends you?” and save.
Facebook may send a test email to your Protonmail address to check that the key works; it may land in your Protonmail spam folder. Click “Yes, encrypt notification emails sent to me from Facebook” in that email to confirm.
Your Facebook setting for Encrypted notification emails should now show “On”.
- Memorize your Protonmail login password, or save it in Dashlane. Then go to Protonmail settings > Account and disable the “Allow password reset” option. Understand what this means: if you forget your Protonmail password, the account is not recoverable and you are screwed. But this is the final layer of security: with no reset option there is no recovery email or phone number left for an attacker to exploit.
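A check to run on the text you are about to paste into the Encrypted notification emails box, covering the export and paste steps above. This is an added example, not code from the post, Proton or Facebook. It verifies three things a practitioner would want before pasting: that the block is a PUBLIC KEY BLOCK and not a PRIVATE one, that its ASCII-armor checksum (RFC 4880 section 6.1) still matches the body, so nothing was truncated or altered in the copy, and that the first OpenPGP packet inside is a Public-Key packet (tag 6) rather than a Secret-Key packet (tag 5). The checksum line is treated as optional because newer OpenPGP exports may omit it. The sample packet bytes are a constructed placeholder, not a real key.

```python
import base64
import binascii
import re

PUBLIC_HEADER = "-----BEGIN PGP PUBLIC KEY BLOCK-----"
PUBLIC_FOOTER = "-----END PGP PUBLIC KEY BLOCK-----"
PUBLIC_KEY_TAG = 6          # OpenPGP packet tag for a Public-Key packet (Secret-Key is 5)
ARMOR_HEADER_LINE = re.compile(r"^[A-Za-z][A-Za-z0-9-]*: ")


def crc24(data: bytes) -> int:
    """OpenPGP armor checksum, RFC 4880 section 6.1 (init 0xB704CE, poly 0x1864CFB)."""
    crc = 0xB704CE
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc & 0xFFFFFF


def armor_public_key(packets: bytes) -> str:
    """Wrap raw packet bytes as a PUBLIC KEY BLOCK; used here only to build samples."""
    body = base64.b64encode(packets).decode("ascii")
    body_lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    check = base64.b64encode(crc24(packets).to_bytes(3, "big")).decode("ascii")
    return "\n".join([PUBLIC_HEADER, "", *body_lines, "=" + check, PUBLIC_FOOTER, ""])


def check_public_key_armor(text: str) -> tuple:
    """Return (ok, reason) for text about to be pasted into the Facebook setting."""
    lines = [ln.rstrip("\r") for ln in text.strip().splitlines()]
    if not lines:
        return False, "empty input"
    if "PRIVATE KEY BLOCK" in lines[0]:
        return False, "this is a PRIVATE key block: never paste it anywhere"
    if lines[0] != PUBLIC_HEADER or lines[-1] != PUBLIC_FOOTER:
        return False, "not a PUBLIC KEY BLOCK armor"
    inner = lines[1:-1]
    # Drop armor headers ("Version: ...", "Comment: ...") and the blank separator line.
    while inner and (inner[0] == "" or ARMOR_HEADER_LINE.match(inner[0])):
        inner.pop(0)
    checksum = inner.pop()[1:] if inner and inner[-1].startswith("=") else None
    try:
        raw = base64.b64decode("".join(inner), validate=True)
    except (binascii.Error, ValueError):
        return False, "body is not valid base64"
    if not raw:
        return False, "empty body"
    if checksum is not None:    # newer OpenPGP exports may omit it; verify when present
        try:
            expected = int.from_bytes(base64.b64decode(checksum, validate=True), "big")
        except (binascii.Error, ValueError):
            return False, "malformed checksum line"
        if expected != crc24(raw):
            return False, "armor checksum mismatch: text was altered or truncated"
    first = raw[0]
    if not first & 0x80:
        return False, "first byte is not an OpenPGP packet header"
    tag = first & 0x3F if first & 0x40 else (first & 0x3C) >> 2   # new vs old packet format
    if tag != PUBLIC_KEY_TAG:
        return False, "first packet is tag %d, not a Public-Key packet" % tag
    return True, "ok"


# Constructed placeholder: an old-format tag-6 packet header (0x99, two-byte length)
# followed by four filler bytes. Not a real key; only the header tag matters here.
SAMPLE_PUBLIC_PACKETS = bytes([0x99, 0x00, 0x04, 0x04, 0x5F, 0x00, 0x00])

if __name__ == "__main__":
    sample = armor_public_key(SAMPLE_PUBLIC_PACKETS)
    print(sample)
    print(check_public_key_armor(sample))
```

To use it on a real export, read the .asc file and pass its contents to check_public_key_armor; anything other than (True, "ok") means stop and export again rather than paste.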
You are all set. It will now be super-duper difficult for anyone to break into your Facebook account.
If you need any help with this, write to [email protected]
Or text/call via Signal. I do not check or respond to Facebook inbox, I do not have WhatsApp.