In the wake of an epidemic of hacked Facebook accounts, here are my suggestions about saving your account from getting “hacked”
1. Often, your Facebook doesn’t get hacked, it is not about your Facebook’s password either, rather possibly it is your email or your phone that gets ‘hacked’. It simply begins with asking Facebook to reset your password using your name, username, your most commonly known email address etc. Then the password reset key is sent to your email or 2FA codes to your sms. These get stolen by hacking your email or spoofing your phone.
2. Oftentimes, these “hackings” are done by people who somehow know you, i.e: people who might possibly know some information about you, like your email address, phone number, date of birth etc. verifiable information. This group include people who have a copy of your NID or passport—like a stupid concert that asked for ID for entry, a Facebook group or page you shared your information with, a security guard whom you gave your full name, phone number and email address to enter a building, the IT support guy who helped you install your anti-virus, all of them are your possible attackers. Hacking an absolutely random, unknown account is way more difficult than accounts of whom you have certain information about.
Here is the most effective way to prevent your Facebook account from being hacked as far I have tried and tested:
1. Install Authy for Two Factor Authentication (2FA) code generation. Ideally, use a password manager app, I recommend: Dashlane, or Bitwarden.
2. Immediately turn on Two-factor Authentication [on Facebook, go to Settings > Security and Login > Two-Factor Authentication]. Use Authy for generating code, avoid codes by SMS.
3. Go to Facebook settings > Apps and Websites, ideally remove everything from here, or keep only the apps/services/games that you must keep. Give up on the habit of “log in with Facebook” completely, use your email address for opening accounts in various websites and services.
4. Do not leave your computer or phone open, EVER, not at home, not at work, religiously lock your computer before you leave your desk (on Windows it’s Windows+L, on Mac it’s ⌘+Control+q to lock) even if it is for a few seconds. On your work machines insist for a personal account on the computer, do not share its password with anyone; your office’s IT team can have their own admin account on the computer for maintenance, but they never need your personal account’s password. If your employer disagrees about it, quit the job.
5. Do not login to your account from random computers/phones, not even of your friends’, family’s or your office computers unless you already have a “computer user account” on that machine. If you don’t, and if you must use your Facebook, then use a “Guest” account on the machine, or at least an incognito/private window, and be sure to carefully check the address bar of your browser if it is with a lock sign and the URL is exactly https://www.facebook.com/ and nothing else at the end or middle (if the full URL is not visible, click on the address bar to see the full form of the URL), to make sure you are not putting your ID and password in a fake phishing website.
Steps to Secure Your Facebook:
1. Create a new encrypted email address dedicated for Facebook. Use Protonmail for making the new address. Ideally do not share this email address with anyone, avoid using it publicly.
2. Go to Facebook settings > General > Contact. Add your new Protonmail address as the primary email. You must remove every other email address from your account.
3. Check where you are logged in, remove any unknown, or unnecessary device from the list.
4. On Protonmail go to Settings > Security: Turn on Two Factor Authentication, as always use Authy, avoid SMS.
5. (On Protonmail) now go to Settings > Keys: Click the dropdown arrow next to your email address, click on Actions: Export, select “Public Key.” It will download an ASC file. Open the ASC file with Notepad (or TextEdit on Mac). Select all, copy everything from the file.
6. Now, go to Facebook settings > security and login > scroll down to Encrypted notification emails. Paste the text here. Check in the box for “Use this public key to encrypt notification emails that Facebook sends you?” Save.
It might send a test email to your Protonmail to check if the encryption key is working. This email might land in your spam of Protonmail. Click on the “Yes, encrypt notification emails sent to me from Facebook.” to confirm.
Now your Facebook settings for Encrypted notification email should show “On”.
7. Memorise your Protonmail login password, or use Dashlane to save your password. Now go to Protonmail settings > Account > Disable the “Allow password reset” option. Remember that, it means, if you forget Protonmail password, it is not recoverable, you are screwed. But this is the final layer of security.
You are all set. It will now be super-duper difficult for anyone to hack into your Facebook account.