[Last updated on 29th September, 2022]
In the wake of a wave of hacked Facebook accounts, here are my suggestions for keeping your account from getting “hacked”.
1. Often, your Facebook account itself doesn’t get hacked, and it is not about your Facebook password either; rather it is your email or your phone that gets ‘hacked’. The attack simply begins with asking Facebook to reset your password using your name, username or your most commonly known email address. Facebook then sends the password-reset link to your email, or the 2FA code to your phone by SMS. Those get stolen by breaking into your email account or by taking over your phone number (for example through a SIM swap, where the attacker talks your carrier into moving your number to their SIM).
2. Often these “hackings” are done by people who somehow know you, i.e. people who already hold some verifiable information about you, such as your email address, phone number or date of birth. This group includes everyone who has a copy of your NID or passport: a concert that needlessly asked for ID at the entry, a Facebook group or page you shared your details with, a security guard you gave your full name, phone number and email address to in order to enter a building, the IT support guy who helped you install your anti-virus. All of them are possible attackers. Hacking an absolutely random, unknown account is far harder than hacking an account you already have information about.
Here is the most effective way to prevent your Facebook account from being hacked, as far as I have tried and tested:
1. Install Authy for Two-Factor Authentication (2FA) code generation. Ideally, also use a password manager app; I recommend Dashlane or Bitwarden.
2. Immediately turn on Two-Factor Authentication [on Facebook, go to Settings > Security and Login > Two-Factor Authentication]. Use Authy for generating codes and avoid codes by SMS: an SMS code is exactly what a SIM swap steals.
3. Go to Facebook Settings > Apps and Websites; ideally remove everything here, or keep only the apps, services and games you must keep. Give up the habit of “Log in with Facebook” completely; use your email address to open accounts on other websites and services.
4. Do not leave your computer or phone unlocked, EVER, not at home, not at work. Religiously lock your computer before you leave your desk (on Windows it is Windows+L, on Mac it is ⌘+Control+Q), even if it is for a few seconds or a bathroom break. On your work machine insist on a personal user account, and do not share its password with anyone; your office’s IT team can have their own admin account on the computer for maintenance, but they never need your personal account’s password. If your employer disagrees, quit the job; it is THAT serious.
5. Do not log in to your account from random computers or phones, not even your friends’, your family’s or your office’s, unless you already have a “computer user account” on that machine. If you don’t, and you must use your Facebook, then use a “Guest” account on the machine, or at least an incognito/private window. Keep in mind that neither protects you from a keylogger or other malware already installed on that machine, so treat this as a last resort. Carefully check the address bar of your browser: check that it shows the padlock icon and that the URL is exactly https://www.facebook.com/ with nothing else at the end or in the middle (if the full URL is not visible, click on the address bar to see the full form of the URL), to make sure you are not typing your ID and password into a fake phishing website.
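The address-bar check in step 5 is easy to get wrong, because a phishing address can contain the real hostname somewhere inside it. The following script is an added example, not part of the original post, that encodes the check as code and goes a little beyond the text: it also catches the “credentials before @” trick, punycode labels and non-ASCII homoglyphs. All sample addresses are constructed for the example; the lookalike domains are made up and do not refer to any real site.

```python
from urllib.parse import urlsplit

# The only address the post tells you to accept before typing a password.
EXPECTED_HOST = "www.facebook.com"


def classify_address(url: str) -> str:
    """Return 'genuine' for https://www.facebook.com/..., otherwise why the address is suspect."""
    parts = urlsplit(url.strip())
    if parts.scheme.lower() != "https":
        return "not https: no padlock"
    # "https://www.facebook.com@evil.example/": everything before the '@' is a
    # username, and the host the browser actually connects to is what follows it.
    if parts.username is not None or parts.password is not None:
        return "credentials before '@': the real host is " + repr(parts.hostname)
    host = parts.hostname or ""  # urlsplit lowercases the host and strips the port
    if not host.isascii():
        return f"non-ASCII characters in host {host!r}: probable homoglyph"
    # Browsers render many internationalised hostnames as xn-- punycode labels.
    if any(label.startswith("xn--") for label in host.split(".")):
        return f"punycode label in host {host!r}: an IDN lookalike"
    # 'facebook' appearing somewhere in the name proves nothing: only an exact match counts.
    if host != EXPECTED_HOST:
        return f"host {host!r} is not {EXPECTED_HOST}"
    if parts.port not in (None, 443):
        return f"unexpected port {parts.port}"
    return "genuine"


# Constructed sample addresses (the lookalike domains are invented for this example).
SAMPLE_ADDRESSES = [
    "https://www.facebook.com/",
    "https://www.facebook.com/login/?next=%2Fsettings",
    "http://www.facebook.com/",
    "https://www.facebook.com@login-check.example/",
    "https://www.facebook.com.login-check.example/",
    "https://www.fаcebook.com/",  # Cyrillic 'а' (U+0430) in place of Latin 'a'
    "https://www.xn--fcebook-example.com/",  # made-up punycode label
    "https://www.facebook.com:8443/",
]

if __name__ == "__main__":
    for sample in SAMPLE_ADDRESSES:
        print(f"{sample:48} -> {classify_address(sample)}")
```

Run it as-is to print a verdict for each sample; the only two that come back “genuine” are the ones whose host is exactly www.facebook.com over https.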
Steps to Secure Your Facebook:
You will need a web browser on a computer to follow all these steps, as some of the options and steps I mention here may not be available in the mobile browser or apps. Do not use a browser with too many add-ons or plug-ins; ideally, use an incognito/private window so that no browser plug-in can log this information. Keep a notebook and pen with you to note down crucial passwords and information just in case; then, after you are done and have backed up everything in a password manager, destroy the paper.
1. Create a new email address, on an end-to-end encrypted provider, dedicated to Facebook (and probably other social media, banking and sensitive tasks only). Use ProtonMail for making the new address. Ideally do not share this email address with anyone, and avoid using it publicly for general communication. Do not opt for “auto forwarding” of emails from ProtonMail to your existing email addresses; that would defeat the whole purpose of doing this. Do not set any of your existing email addresses or phone numbers as a recovery method for the ProtonMail account; keep it completely separate, disconnected from everything else. For the ease of checking it regularly you can install the ProtonMail mobile apps.
2. Go to the Facebook homepage, click on your profile photo in the top-right corner and go to Settings and Privacy > Settings > Account Settings > General > Contact. Add your new ProtonMail address as the primary email. Then remove every other email address and phone number from your account, completely: any address or number left here is a route for a password reset.
3. Check where you are logged in (Settings > Security and Login > Where you’re logged in) and remove any unknown or unnecessary device from the list.
4. On ProtonMail, go to Settings > Account and Password and turn on Two-Factor Authentication; as always, use Authy and avoid SMS.
5. On ProtonMail, now go to Settings > Encryption and Keys > Email encryption keys. Click the dropdown arrow next to your email address, then Actions > Export, and select “Public Key”. It downloads an .asc file (an ASCII-armored PGP public key). Make sure you chose the public key and not the private key: the private key never leaves ProtonMail. Open the .asc file with Notepad (or TextEdit on Mac), select all, and copy everything from the file, including the -----BEGIN PGP PUBLIC KEY BLOCK----- and -----END PGP PUBLIC KEY BLOCK----- lines.
6. Now go to Facebook Settings > Security and Login, scroll down to Advanced > Encrypted notification emails, click Edit, and paste the text from the .asc file here. Tick the box “Use this public key to encrypt notification emails that Facebook sends you?” and Save.
Facebook then sends a test email, encrypted with that key, to your ProtonMail address to check that the key works; only the holder of the matching private key can read it. This email might land in your ProtonMail spam folder. Open it and click “Yes, encrypt notification emails sent to me from Facebook.” to confirm.
Now your Facebook setting for Encrypted notification emails should show “On”. From here on, password-reset and login-alert emails from Facebook are readable only inside your ProtonMail account.
7. Memorise your ProtonMail login password, or save it in Dashlane. Now go to ProtonMail Settings > Account and disable the “Allow password reset” option. Remember that this means if you forget your ProtonMail password, it is not recoverable: you are screwed. But this is the final layer of security.
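Steps 5 and 6 hinge on pasting an intact public key into Facebook, and the worst mistake possible here is pasting the private key instead. The script below is an added example, not part of the original post and not ProtonMail’s or Facebook’s code; it inspects an exported .asc file the way a key parser does: it strips the ASCII armor, verifies the CRC-24 on the “=xxxx” line (so a truncated paste is caught), and reads the OpenPGP packet tags to confirm the first packet is a public key (tag 6) and that no secret-key packet (tag 5 or 7) is present. The two sample key blocks are constructed inside the script with dummy key material and the made-up address alice@example.com; they are not real keys and are only there so the script runs offline.

```python
import base64
import re

# CRC-24 parameters from RFC 4880 section 6.1 (the "=xxxx" line at the end of an armored block)
CRC24_INIT = 0xB704CE
CRC24_POLY = 0x1864CFB

# OpenPGP packet tags (RFC 4880 section 4.3) that matter for this check
PUBLIC_KEY_TAG = 6
USER_ID_TAG = 13
SECRET_TAGS = {5: "secret key", 7: "secret subkey"}


def crc24(data: bytes) -> int:
    """Radix-64 CRC over the binary packets, as printed after '=' in the armor."""
    crc = CRC24_INIT
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= CRC24_POLY
    return crc & 0xFFFFFF


def parse_armor(text: str):
    """Split an ASCII-armored block into (block type, packet bytes) and verify its CRC."""
    match = re.search(r"-----BEGIN ([A-Z ]+)-----\r?\n(.*?)-----END \1-----", text, re.S)
    if not match:
        raise ValueError("no -----BEGIN ...----- / -----END ...----- block found")
    block_type, inner = match.group(1), match.group(2)
    b64_lines, crc_line, in_body = [], None, False
    for line in inner.splitlines():
        line = line.strip()
        if not in_body:
            if line == "":           # blank line ends the armor headers (Version:, Comment:)
                in_body = True
            elif ":" not in line:    # no header section at all: this is already base64
                in_body = True
                b64_lines.append(line)
            continue
        if line.startswith("="):     # "=" + 4 base64 chars: the CRC-24 of the packets
            crc_line = line[1:]
        elif line:
            b64_lines.append(line)
    packets = base64.b64decode("".join(b64_lines), validate=True)
    if crc_line is None:
        raise ValueError("armor CRC line missing: the paste is probably truncated")
    if int.from_bytes(base64.b64decode(crc_line), "big") != crc24(packets):
        raise ValueError("armor CRC mismatch: the pasted text is corrupted or incomplete")
    return block_type, packets


def iter_packets(data: bytes):
    """Yield (tag, body) for each packet, handling old- and new-format headers (RFC 4880 section 4.2)."""
    i = 0
    while i < len(data):
        ctb = data[i]
        if not ctb & 0x80:
            raise ValueError(f"invalid packet header byte {ctb:#04x} at offset {i}")
        if ctb & 0x40:                            # new-format header
            tag, first = ctb & 0x3F, data[i + 1]
            if first < 192:
                length, header_len = first, 2
            elif first < 224:
                length, header_len = ((first - 192) << 8) + data[i + 2] + 192, 3
            elif first == 255:
                length, header_len = int.from_bytes(data[i + 2:i + 6], "big"), 6
            else:
                raise ValueError("partial body lengths are not expected in an exported key")
        else:                                     # old-format header
            tag, length_type = (ctb >> 2) & 0x0F, ctb & 0x03
            if length_type == 3:
                raise ValueError("indeterminate packet length is not expected in an exported key")
            size = 1 << length_type
            length, header_len = int.from_bytes(data[i + 1:i + 1 + size], "big"), 1 + size
        yield tag, data[i + header_len:i + header_len + length]
        i += header_len + length


def check_public_key_block(armored: str) -> dict:
    """Verdict on a pasted key block: is it an intact PUBLIC key with no secret material?"""
    block_type, packets = parse_armor(armored)
    tags = [tag for tag, _ in iter_packets(packets)]
    problems = []
    if block_type != "PGP PUBLIC KEY BLOCK":
        problems.append(f"armor says '{block_type}', not 'PGP PUBLIC KEY BLOCK'")
    if not tags or tags[0] != PUBLIC_KEY_TAG:
        problems.append("first packet is not a public-key packet (tag 6)")
    for tag in tags:
        if tag in SECRET_TAGS:
            problems.append(f"contains a {SECRET_TAGS[tag]} packet (tag {tag}): never paste this anywhere")
    if USER_ID_TAG not in tags:
        problems.append("no user ID packet (tag 13), so the key is not bound to an email address")
    return {"block_type": block_type, "packet_tags": tags, "problems": problems, "ok": not problems}


def armor(packets: bytes, block_type: str) -> str:
    """Inverse of parse_armor; used here only to build the constructed samples below."""
    body = base64.b64encode(packets).decode("ascii")
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    crc = base64.b64encode(crc24(packets).to_bytes(3, "big")).decode("ascii")
    return "\n".join([f"-----BEGIN {block_type}-----", ""] + lines + ["=" + crc, f"-----END {block_type}-----", ""])


def _packet(tag: int, body: bytes) -> bytes:
    """New-format packet header with a one-octet body length (body must be under 192 octets)."""
    return bytes([0xC0 | tag, len(body)]) + body


# Constructed sample material (dummy numbers, not a usable key): v4 public-key packet body =
# version, creation time, algorithm 1 (RSA), then two tiny MPIs standing in for n and e.
_PUBKEY_BODY = b"\x04" + (1664000000).to_bytes(4, "big") + b"\x01" + b"\x00\x04\x0d" + b"\x00\x02\x03"
_USERID_BODY = b"Alice Example <alice@example.com>"
# Secret-key packet body = public part, S2K usage 0 (unencrypted), dummy MPI d, 2-octet checksum.
_SECKEY_BODY = _PUBKEY_BODY + b"\x00" + b"\x00\x03\x07" + b"\x00\x0a"

SAMPLE_PUBLIC_BLOCK = armor(_packet(PUBLIC_KEY_TAG, _PUBKEY_BODY) + _packet(USER_ID_TAG, _USERID_BODY), "PGP PUBLIC KEY BLOCK")
SAMPLE_PRIVATE_BLOCK = armor(_packet(5, _SECKEY_BODY) + _packet(USER_ID_TAG, _USERID_BODY), "PGP PRIVATE KEY BLOCK")

if __name__ == "__main__":
    for name, block in (("public export", SAMPLE_PUBLIC_BLOCK), ("private export", SAMPLE_PRIVATE_BLOCK)):
        print(name, check_public_key_block(block))
```

To check a real export, read the .asc file into a string and pass it to check_public_key_block; an empty problems list means the text is a clean public key block that is safe to paste into Facebook’s Encrypted notification emails box. A CRC mismatch usually means a line was lost while copying, which is exactly when Facebook would reject the key or never send the test email.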
You are all set. It will now be super-duper difficult for anyone to hack into your Facebook account.