In the past two weeks two of my friends on Facebook have been hacked. By “hacked,” I mean their Facebook accounts were accessed by an individual (or more likely by a program written by a bad actor) and direct messages to “friends” were sent out from their account including a shady link with the accompanying message, “Is this really you in this video?”
Messages like these are cyberattacks known as “phishing attacks.” A bad actor is attempting to use “social engineering” techniques to trick someone else into clicking a hyperlink which either directly compromises their computer / phone / tablet / Internet-connected device, or presents another prompt which invites the unwitting victim to provide a password or other login credential, which will be captured and likely sold on the dark web by the bad actor. These kinds of phishing attacks / cyberattacks / hacks continue to grow more common, so it’s worthwhile to consider the specific actions we should all take (if we have not already) to prevent unwanted messages and links like these from exploding into an identity theft incident, bank account theft, or other form of digital crime or mischief.
The short answer to the question, “How can I avoid a Facebook hack” may sound scary and nigh-impossible, so let me preface this summary with some encouragement. In addition to sharing WHAT we all need to do to prevent bad actors from hacking our web accounts and our lives, I’ll also share some suggestions for HOW these steps can be accomplished. Fear not. While a formidable challenge and prospect, these ARE things you CAN and SHOULD do. In fact, everyone using the Internet today should.
To avoid a Facebook hack or other type of cyberattack on your online identity and activities, we all need to:
Use unique passwords on each website or app we login to (this means NEVER repeating the use of the same password)
Use long and complex passwords, which include lower case and upper case letters, numbers, and special characters. Length is VERY important: The longer the password, the more difficult it is for hacker programs to guess / breach a password.
Use a second factor of authentication on as many web accounts and apps as you can, definitely including all email accounts, bank accounts, and anything involving the transfer of money. Sometimes abbreviated 2FA (for “two-factor authentication”) or MFA (for “multi-factor authentication”), this additional layer of security requires that you (or someone else attempting to impersonate you) have a second piece of information or physical hardware to access your personal account in addition to your userID and password.[1]
Before exploring some of the recommended ways you can comprehensively audit all of your web accounts and update each of them with a unique, long password and 2FA/MFA, let’s consider a bit more WHY you need to do this. After all, this “personal password audit” is a tall order, and many people (maybe even a majority of web users today, I’m not sure) will balk at the prospect of doing this tedious work. Don’t be one of “those people” who ignore this important advice!
If you’ve been using Internet websites for a while, one or all of the email addresses you use have almost certainly been a part of a “hack” in which personal information has been stolen. In many cases, these hacks include user passwords. One of the best ways to personalize your need (or a relative or friend’s need) to perform this comprehensive personal security audit and password update process is to use the website haveibeenpwned.com. Maintained by Microsoft cybersecurity expert Troy Hunt, a “white hat hacker,” this website invites users to enter JUST their email address (not any passwords) and quickly ascertain whether or not that email address has been involved in any hacks or data breaches. The process of showing someone this website, asking THEM to personally enter their email address, and then reviewing the hacks / data breaches in which their email address was compromised can be a very eye-opening experience. It can also be scary. Be sure to read the fine print: In each hack, WHAT information was compromised? This can include not only passwords but also dates of birth, social security numbers, answers to security questions, and more.
We already have far too much fear and outrage amplified through social media, so I am not advocating for an entirely fear-based approach to motivation for a personal password audit. However, it is vitally important for people who have NOT yet been the victim of an identity theft attack to understand how REAL and POSSIBLE these kinds of cyberattacks are for all of us using the Internet to communicate, buy and/or sell things, and just “live a digitally connected life” in the early twenty-first century.
Stolen user account credentials are bought and sold on “the dark web” every day. The dark web is a segment of the Internet which can only be accessed via special software (like the TOR browser) and is filled with illicit and illegal data.[2] The majority of Internet users today have likely never accessed the dark web and probably never will, but their stolen personal data almost certainly IS on the dark web and is for sale right now.
How do people hack Facebook accounts? Methods definitely vary, but one of the easiest ways for hackers to compromise a website is to access stolen user data on the dark web which includes userIDs (often email addresses) and passwords. Since our human minds are naturally lazy, most of us have grown accustomed to using THE SAME PASSWORD on multiple websites. It’s “our special password,” and we may have used the same one for a LONG time. In many cases, we do NOT want to stop using that password, because it is comfortable, we’re used to typing it, and it makes accessing our web accounts fast and easy.
“Fast and easy” is the enemy of security in many contexts, including online. If you’ve used the same password on multiple web accounts (and most likely, as a human being, you have), then a “bad actor” with access to hacked web account information can use a software program which attempts to login with THOUSANDS or MILLIONS of different user email addresses and passwords that were used together on websites that have been hacked / compromised. This means that as cybercrime rates grow along with the frequency and scale of corporate hacks / data breaches, the likelihood that your REPEATED PASSWORD is going to be used to compromise your online identity is increasing FAST.
If I were betting on this, I’d wager that my friends who had their Facebook accounts hacked in the past week were using a repeated password, and had NOT yet enabled 2FA / MFA on their Facebook accounts.
Let me explain this a more direct way: If you ignore this advice, and continue to use REPEATED passwords on different web accounts, you are planting a ticking time bomb in your online identity that is eventually going to blow up. Hacks and data breaches are now a routine part of our lives, and even though security professionals are working hard to stay one step ahead of the bad actors, so many vulnerabilities exist on so many complex computer systems, that data breaches are at this point INEVITABLE and absolutely EXPECTED. So be warned: You ignore this advice at your own peril and at the peril of your family and friends who will be affected when your web accounts are compromised / your identity is stolen.
So HOW can each of us conduct this “comprehensive web password audit” and remain sane? Fortunately, tools which can assist us with this process have also proliferated and increased in both their power as well as ease-of-use.
Let’s start by discussing the freely available options. For iPhone / iOS users with the latest iOS 15 update, the PASSWORDS menu option under the SETTINGS app includes SECURITY RECOMMENDATIONS. If you have chosen to save passwords in your Apple “keychain,” iOS has the option to DETECT COMPROMISED PASSWORDS and list which web accounts need a password reset because of a known hack / data breach. Conveniently, the iOS “Security Recommendations” menu also provides links to “Change Password on Website” for many accounts, making this auditing process faster and easier. iOS will also suggest secure passwords when resetting a password or creating a new account, and then offer to save it in the “keychain.” Fortunately, Apple has required users to enable 2FA / MFA on phones using phone numbers and login verification on other iCloud-connected devices for a while, so the likelihood of an Apple ID / Apple user account being breached today is less than it is for many other accounts protected with ONLY a userID and password.
Since I’m not currently an Android phone or tablet user, I cannot personally attest to whether a similar security audit feature is included for free by Google, but I suspect it is. (It certainly should be.)
In addition to using my iPhone, iPad, and MacBook laptop daily, I am also constantly using my Google / GMail accounts and login credentials within the Chrome web browser. Like Apple and iOS, Google now provides a robust capability to check for breached passwords within the Google Chrome settings menu. Click the three dots (“the hot dog”) in the upper right corner of your Chrome browser, choose SETTINGS, then search for PASSWORDS. After clicking it, you can choose to CHECK PASSWORDS to find compromised passwords.
The integration of this “Identify compromised passwords” feature in iOS and ChromeOS is outstanding and helpful, because it can elevate the reality of data hacks and the need most of us have to TAKE ACTION and RESET PASSWORDS today. These features (particularly in iOS) also make it faster to reset passwords, since web links for different accounts are directly provided in the Settings menu. You may be able to make significant headway with your “personal password audit” using just these two free tools.
If you do not ever use devices or computers outside the Apple / iOS universe or the ChromeOS world (for instance, if you use a Chromebook and an Android phone exclusively) you may not need to go beyond these free tools for your password audit and update needs. However, if you use different kinds of computing devices and/or you need to share passwords with others in your immediate family, a PASSWORD MANAGER is the tool you need.
Password Managers like 1Password (www.1password.com) and LastPass (www.lastpass.com) can seem scary and insecure to some people, because they involve “putting all your eggs in one basket,” metaphorically, when it comes to passwords. For this reason, it is extremely important that you set a long, complex and unique “master password” for these accounts, and also enable 2FA/MFA. That is the same “password best practice” advice for other web accounts and app accounts, of course, but it’s most important for your password manager account.
It is also important to print and safely secure documentation for your Password Manager account, like the “Emergency Kit” option which 1Password provides. This is a printable document which includes codes you can use in an emergency if you forget or lose your account login credentials. This can also be used by your next-of-kin when you die, so they can recover and use your web accounts. This may seem macabre to mention, but it’s a practical need we each have today in our web-connected world and lives.
Password managers like 1Password and LastPass include password auditing features which compare your saved passwords with those in known data breaches. Like the newer password security features of iOS and ChromeOS, these password manager audit tools can quantify the number of web passwords you need to reset, because passwords are repeated, weak, or have been compromised in a hack. They also can speed up the process by providing password reset links for different websites and apps.
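As an added example (not code from this article, and not the code of any password manager), here is a small Python audit that does what those tools do for a saved vault: it flags passwords that are reused across sites, weak, or present in a breach corpus. The vault, the three-entry breach corpus and the 12-character threshold are constructed for illustration; the prefix-only breach lookup mirrors the k-anonymity approach used by haveibeenpwned’s password service, so the password itself never leaves the device.

```python
import hashlib
from collections import defaultdict

# Constructed sample vault (site -> password); not real credentials.
VAULT = {
    "facebook.com": "Sunshine2019!",
    "bank.example": "Sunshine2019!",
    "mail.example": "Sunshine2019!",
    "shop.example": "pass123",
    "forum.example": "x9!Lq#v2Tz@8mWp4",
}

# Constructed stand-in for a breach corpus: upper-case SHA-1 of leaked passwords.
BREACHED_SHA1 = {hashlib.sha1(p.encode()).hexdigest().upper()
                 for p in ("pass123", "123456", "qwerty")}

MIN_LENGTH = 12  # assumed policy threshold, not a figure from the article


def is_weak(pw):
    """Too short, or missing most character classes (lower, upper, digit, special)."""
    classes = (any(c.islower() for c in pw), any(c.isupper() for c in pw),
               any(c.isdigit() for c in pw), any(not c.isalnum() for c in pw))
    return len(pw) < MIN_LENGTH or sum(classes) < 3


def breached_by_prefix(pw, corpus):
    """k-anonymity style check: only the first five hex characters of the SHA-1 would
    leave the device; the returned candidate suffixes are matched locally."""
    digest = hashlib.sha1(pw.encode()).hexdigest().upper()
    prefix, suffix = digest[:5], digest[5:]
    candidates = {h[5:] for h in corpus if h.startswith(prefix)}  # what a server returns
    return suffix in candidates


def audit(vault, corpus):
    """Return {site: [reasons]} for every entry that needs a password reset."""
    sites_by_password = defaultdict(list)
    for site, pw in vault.items():
        sites_by_password[pw].append(site)
    findings = {}
    for site, pw in vault.items():
        reasons = []
        if len(sites_by_password[pw]) > 1:
            reasons.append("reused")
        if is_weak(pw):
            reasons.append("weak")
        if breached_by_prefix(pw, corpus):
            reasons.append("breached")
        if reasons:
            findings[site] = reasons
    return findings
```

Running `audit(VAULT, BREACHED_SHA1)` on the sample vault reports the three sites sharing one password as “reused” and the short leaked password as “weak, breached”; the long unique password is not listed.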
So here is your homework. If you have not already, visit haveibeenpwned.com and put in the primary email addresses you use, to get a sense of how many data breaches to date have included your email address. Pay attention to how many times PASSWORDS were part of the compromised data in the breach. Remember, that data is ON THE DARK WEB NOW and is FOR SALE. Bad actors have this information now, and some are likely using it in automated hacking programs.
Next, start using one of the password managers or built-in password auditing tools of iOS or ChromeOS to quantify and start changing your repeated, weak or hacked passwords. Start a chart of progress and post it on your refrigerator or bathroom mirror. Chip away at that number of compromised passwords until you reach ZERO.
If you haven’t seen a suspicious message from a family member, friend, or other online acquaintance lately, sharing a phishing link with a tempting teaser message like, “Are you in this video?” just wait. More of those messages are coming, and they are going to get even trickier in the months and years ahead. This is the reality of “social engineering” and “bad actors” online in our globally connected 21st century world.
Fortunately, however, we don’t need to sit back and wait to become yet another identity theft statistic and victim. We can and should take proactive steps to defend ourselves online from those bad actors who are working 24/7 to breach the defenses of our online identities.
You also can watch my free video, “Protecting Yourself and Your Family Online” for more tutorials about why and how to use a password manager for personal and family defense. Also watch for my TEDxUCO talk from March 2021, called “Technology Fear Therapy,” which will hopefully be published on YouTube later this fall. The themes of both videos and presentations are the same: We’re living in an increasingly digital world, and the criminals / bad actors have increased the sophistication of their attacks against us. Like it or not, we have to upgrade our personal, digital security game and posture as well.
I hope the ideas I’ve shared in this article are helpful to you and your family. If so, please share this with others. If you’re on Twitter, write a reply to @wfryer and let me know.
Protecting ourselves and our families from online digital threats should be a top priority. Fortunately the tools at our disposal to mount an effective cyber-defense are more capable and user-friendly than ever. They still require a commitment of TIME and the development of some new SKILLS to use, but the payoffs / benefits could be immeasurable for you and those you love / care about.
Shields up!
Dr. Wesley Fryer is a media literacy teacher and instructional coach in Oklahoma City. Learn more about Wes and connect with him on social media by visiting www.wesfryer.com.
[1] “Multi-Factor Authentication.” Wikipedia, 5 Sept. 2021, https://en.wikipedia.org/w/index.php?title=Multi-factor_authentication&oldid=1042568913.
[2] “Tor (Network).” Wikipedia, 26 Sept. 2021, https://en.wikipedia.org/w/index.php?title=Tor_(network)&oldid=1046555795.