Don’t get hacked on Facebook. Do these 6 things now.

Everyone is a potential target but you can protect yourself, starting with two-factor authentication

(Illustration by Emma Kumer/The Washington Post)

Everyone is a potential target for hackers on Facebook. Even you.

Grandparents who only post the occasional photos, people checking in on their neighborhood groups, and Gen Zers who think they can spot a scam a mile away are all vulnerable. We know because it is overwhelmingly the biggest problem we hear about at Help Desk: My Facebook account was hacked, how do I get back in?

Since it’s a million times easier to prevent a Facebook hack than it is to fix one after the fact, take these simple actions now to avoid pain in the future.


Turn on two-factor authentication

Turning on two-factor authentication means that when you log in from a new device or browser, you’ll have to enter a one-time code in addition to your password. Even if a hacker gets your email and password, they cannot get into your account without that code.

Go to Settings & privacy → Settings → Security and login → Two-factor authentication, click “Edit” and enter your password. You’ll see three options to choose from. Here’s what each does, listed from least to most secure.

  • Text message (SMS): Facebook will text a code to your phone that you have to enter into the website or Facebook app after you enter your password. This is the simplest option and a huge improvement over an email and password alone, but it depends on your phone number staying yours.
  • Authentication app: This works like the text option, but you open a third-party app to get the numeric code instead of receiving a message. The code is calculated on your phone from a secret you scanned when you set it up, so nothing travels over the phone network. We recommend downloading a free, reputable authentication app like Twilio’s Authy or Google Authenticator (iOS, Android). Using an app instead of text protects you from a serious but uncommon type of hack called a SIM swap, in which a criminal takes over your phone number. A scammer can still trick you into reading them the code, so treat it like a password.
  • Security key: Instead of a text message or smartphone app, this option lets you prove your identity with a physical security key. A small dongle you carry with you, like the kind made by Yubico, a security key needs to be plugged into or tapped on the device you’re logging in on. Because the key only works on the real Facebook site, it is the one option a convincing fake log-in page cannot defeat. It is still not necessary for the vast majority of casual Facebook users.

Make sure your email is current

If Facebook only has an old, nonworking email address for you, it will be nearly impossible to reset your password in an emergency. Make sure the site has your current email address and not an old Yahoo or college account that you no longer check. Your email account should also have a strong, unique password and two-factor authentication turned on.

Go to Settings & privacy → Settings → General → Contact. Review the listed email address and update it if necessary.


Update weak passwords, store good ones someplace safe

Even with two-factor authentication turned on, good passwords are a must.

Make sure your Facebook password is unique, meaning you don’t use the same password for any other service. Make it strong by following the classic password rules or by generating a new one with a password management app like 1Password or Dashlane. Finally, check that your existing password hasn’t turned up in a data breach, either through the breach-monitoring feature in those password managers or with the Pwned Passwords search on the site Have I Been Pwned. That search is designed so the site never receives your actual password, only a small fragment of a scrambled version of it.
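As an added illustration of why that breach check is safe to use (this is example code written for this page, not Have I Been Pwned’s own software), here is the lookup scheme the Pwned Passwords service uses. Your computer hashes the password with SHA-1 and sends only the first five characters of the hash; the service replies with every known hash suffix starting with those five characters, and the match happens on your machine. The sample reply below is constructed for the example, with made-up counts, except that the middle line really is the SHA-1 suffix of the word “password”.

```python
import hashlib
import urllib.request

# Added example of the k-anonymity lookup behind Have I Been Pwned's Pwned Passwords.
# Only the first five hex characters of the SHA-1 hash are ever sent out.
RANGE_API = "https://api.pwnedpasswords.com/range/"

# Constructed sample reply for prefix 5BAA6. The real list has hundreds of lines
# and the counts below are made up; the middle suffix is the genuine SHA-1
# suffix of "password".
SAMPLE_RANGE_RESPONSE = """\
0018A45C4D1DEF81644B54AB7F969B88D65:4
1E4C9B93F3F0682250B6CF8331B7EE68FD8:1234567
FF1B7EE9C4F71A3B49A8DCA3F1C7A0E5A12:1
"""


def hash_split(password: str):
    """SHA-1 the password and split it into the 5-char prefix that is sent
    and the 35-char suffix that stays on your computer."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def range_url(password: str) -> str:
    """The only thing that leaves your machine: a URL containing the 5-char prefix."""
    prefix, _ = hash_split(password)
    return RANGE_API + prefix


def breach_count(password: str, range_response: str) -> int:
    """Match the local suffix against the 'SUFFIX:COUNT' lines returned for the prefix.
    Returns how many times the password appeared in known breaches (0 if never)."""
    _, suffix = hash_split(password)
    for line in range_response.splitlines():
        line = line.strip()
        if not line:
            continue
        candidate, _, count = line.partition(":")
        if candidate.upper() == suffix:
            return int(count)
    return 0


def fetch_range(password: str) -> str:
    """Live lookup (needs network). The Add-Padding header asks the service to
    pad the reply so its size does not hint at which prefix was queried."""
    req = urllib.request.Request(range_url(password), headers={"Add-Padding": "true"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


if __name__ == "__main__":
    print("prefix sent:", range_url("password"))
    print("times seen in breaches:", breach_count("password", SAMPLE_RANGE_RESPONSE))
```

A count of zero means the password has not shown up in the breaches the service knows about, which is not the same as proving it is strong; a unique, generated password still beats a memorable one that merely hasn’t leaked yet.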

Password management apps are recommended, but if adding yet another app to your life seems too complicated, it’s okay to keep a written book of passwords instead.


Know when you’re being scammed

All the security features in the world can’t save you from falling for convincing scammers in email, texts, Messenger or on the phone. Here are some rules of thumb to avoid being manipulated into turning over your Facebook password, money or personal information.

  • Trust no one: If you get a message from anyone — a friend, family member or official-sounding stranger — asking for help, security codes, money or personal information, do not reply. Contact them another way to ask if it is real.
  • Never share your password or codes: Facebook will never text, email or call you to ask for your log-in information or the two-factor authentication code. The only place you’ll ever share them is the Facebook website or app.
  • Be suspicious of links: If you click a link and it opens a Facebook log-in page, don’t type in your credentials. Use your browser to navigate to the Facebook homepage and log in there, instead.
  • Respond promptly to Facebook security updates: If you receive an email from Facebook saying there’s been suspicious activity on your account, use the “this wasn’t me” button to report it (make sure it’s really from Facebook first). Then log in to your account in a fresh browser window, typing the address in yourself rather than clicking a link, and change your password.
  • If you’re panicking, pause: Criminals fish for emotional reactions and thrive when their victims feel vulnerable. If anyone reaches out with a ticking clock — “send us this information quickly or your account will be lost forever” — be on guard. Reach out separately to Facebook support and ask if there’s truly a problem.

Turn on this setting to be alerted to log-ins

If someone does manage to log in to your Facebook account, this setting will give you a heads up so you know right away.

Go to Settings & privacy → Settings → Security and login → Setting up extra security. Turn on the option to “Get alerts about unrecognized logins.” Facebook is phasing out this feature and says it will automatically tell people through the app in the future.


Have a backup plan

The impact is more than just inconvenience or money. A hacked Facebook account can also mean lost connections with family members or friends, or a small business losing control of its only online presence.

Save your entire Facebook account now, so you’ll have a backup of all your contacts, posts and other information. Go to Settings & privacy → Settings → Your Facebook information → Download your information. Select view and fill out the form to get a file containing your entire Facebook history.

If you’ve used it to store photos over the years, you can transfer those albums directly to other services so you have copies. Go to Settings & privacy → Settings → Your Facebook information → Transfer a copy of your information. Select View and pick what service you’d like to use.

Small business owners should make sure they have an additional internet presence besides their Facebook page, like a Google business profile.

If your account is compromised, you’ll want to start here to try to get it back.
