The latest Facebook hack just got a little smaller, but it didn't get any better, with new admissions from the social media giant that prove you can't trust it with your information.
A couple of weeks ago, Facebook announced that the accounts of 50 million members may have been hacked, and it logged out 90 million accounts just to be sure.
Now, Facebook is saying that "only" 30 million accounts were actually hacked, and about 14 million of them had information grabbed that was far more intimate than had ever been accessed.
How intimate? Try the last 15 people or things they had searched for on Facebook and the last 10 locations they had checked into.
That's a pretty personal violation.
Other information that leaked included personal details like telephone number, email addresses, work, gender, religious affiliation and even the types of devices used to access the site.
Massive mistake for Facebook
This is a huge screw-up for Facebook, and probably the biggest security mistake in its 14-year history. It doesn't stop there.
An additional 15 million members had names and contact information stolen. One million more had security tokens stolen, but their profile information wasn't taken, as far as we know.
The only saving grace: No account passwords or credit card information was taken.
That's what we know so far. In the days since the initial attack, Facebook has scrambled to figure out how things went wrong, who could be responsible for the attack and what the attackers planned to do with the information.
Find out if you were affected
Facebook is offering a way to check to see if you were hit in the latest hack.
This connects you to the Facebook Help Center. You'll want to scroll down and see a box titled “Is my Facebook account impacted by this security issue.”
This is what you hope to see:
You might get another indication, though. It could tell you that your account was hacked and some information taken, or that a lot of information was taken.
The types of access are broken down into three categories. The first is that hackers stole name and contact information. This impacted 15 million people of the 30 million. The second category is more serious, affecting 14 million Facebook users, with all kinds of personal information taken. Finally, Facebook found that hackers did not obtain any information in the third category of 1 million users.
If you did get your information taken, you not only have to protect yourself from Facebook, but from spam emails that might start coming, making prize offers or telling you to click on a link to reset your Facebook account.
This is important: Neither Facebook or any other legitimate site would have you click a link in an email to fix something. You always want to go to the site itself and fix problems. Links will only cause you more problems.
What you need to do now
If you were one of users who were automatically logged out, you can still log back into Facebook with your old password. Once in, there will be a banner on your News Feed titled "An important security update." This message will provide you a link that will provide you with more details about the breach.
Log out of all your Facebook sessions
Important: If you were not affected (yet), you should still be cautious about your Facebook account. As a precaution, it is recommended that you log out of your Facebook account on all your devices to reset your old access tokens.
Here's how to log out of all your Facebook sessions.
Desktop: Click the upside-down triangle on the top right then click Settings >> "Security and Login."
Mobile: Go to your profile page by tapping the "hamburger icon" (three horizontal lines) on the lower-right corner of the screen. Scroll down, tap Settings >> Account Settings >> Security Login.
Here, there's a section called "Where You're Logged In" where you can see all the devices with your active Facebook sessions. To log out of these places all at once, scroll down the list then tap Log Out of All Sessions. This will reset all your current access tokens.
Obviously, you'll need to log back into each gadget you want to access your Facebook account from.
Next, change your password
After logging in, you should change your current password to be on the safe side.
To reset your Facebook password, go back to Settings >> Account Settings >> Security and Login then tap or click on Change Password. Note: Make sure it's a unique password so crooks can't use it for password reuse attacks.
Turn on two-factor authentication
Here's another layer of security you can employ on your Facebook account -- turn on Two-Factor authentication.
Here's how you do this. Stay on Settings >> Account Settings >> Security and Login >> then scroll down to Use Two-Factor Authentication. Click Edit >> choose the method you want to use. You can either chose "Text Message" or "Authentication App."
However, TechCrunch revealed that Facebook is also using its users' two-factor authentication phone numbers for targeted ads. According to the article, Facebook uses the "information people provide to offer a better, more personalized experience on Facebook, including ads."
If true, this is troubling because it is yet another indication that Facebook is repurposing its users' information, phone numbers used for security, nonetheless, for monetary purposes.
Because of this, you should use "Authentication App" instead of linking your phone number as your Facebook 2FA gadget. Instead of a text message, you can use an app like Google Authenticator to generate your 2FA login codes.
Turn on login alerts
After logging out, changing your password and setting up your two-factor authentication method, please "turn on alerts for unrecognized logins too."
To turn on these alerts, go back to your Settings >> Security and Login then go to the "Setting Up Extra Security" section. Tap or click on the Edit button of "Get alerts about unrecognized logins" then turn Notifications, Messenger and Email alerts on.
Should you ever receive an alert from Facebook stating someone has logged into your account from an unrecognized location, it's critical that you follow the instructions provided.
The email you receive will outline steps you should take to reset your password and secure your information.
Log out or disable third-party apps
Since access tokens are also used by third-party apps, it's also recommended that you audit and remove all your third-party apps and services that you linked your Facebook account with.
Although it's convenient, we suggest that you stop using your Facebook account to sign up and log in to third-party apps and services.
Disabling ALL third-party apps and services
1. Go to your Facebook Account Settings to access your Apps and Websites settings.
Desktop: Click the upside-down triangle on the top right then click Settings >> "Apps and Websites."
Mobile: Go to your profile page by tapping the "hamburger icon" (three horizontal lines) on the lower-right corner of the screen. Scroll down, tap Settings >> Account Settings >> Apps.
2. On the Apps Settings page, to disable ALL third-party app access with one click, turn off your profile's ability to interact with apps, websites and games (formerly called Platform)
Desktop: Click "Edit" on the "Apps, Websites and Games" then choose "Turn off."
Mobile: Tap Edit on the "Apps, Websites and Games" section. Choose "Turn Off."
Disabling individual apps and services
Keep in mind that turning off your ability to interact with apps will disable even the legitimate apps and services that you use. For example, if you linked your Facebook profile to login to or share with other services like Spotify, Airbnb or Twitter, you will lose that access.
With the recent changes in Facebook's settings, it's easier to review and remove your apps and websites.
In this section, you can also check apps and websites that are expired, meaning they're still in your profile but they no longer have data access. You can also review apps that you have removed.
Desktop: On the same App Settings page, you'll see a list of all the third-party apps and services you have authorized. To remove an app, simply click the "x" symbol in the right-hand corner of the app.
Mobile: On the same Apps and Websites page, tap "Logged in with Facebook." Here, you'll see all the apps that are active, expired or removed. Simply select an app to review its data access and visibility. To remove an app, tick off its checkbox then tap "Remove App." Note: You can also check off multiple apps and remove them in one tap.
How about taking a break from Facebook?
After the Cambridge Analytica fiasco and now this massive data breach, it's essential that you secure your Facebook data as much as possible.
But after the latest event, if you are feeling apprehensive about Facebook right now, you can take a break by either deactivating it or part with it for good by deleting it completely.
If you don't want to leave but want to take a break, tap or click here for steps to take to deactivate.
Had enough of all the Facebook data security lapses? Here's how to delete your Facebook account for good.
Kim's take: Can Facebook be trusted anymore?
You need to know that Facebook isn't watching out for you. It's a business that will use its resources -- you and me -- to attract advertisers and make money. It pays lip service to your security, but then it does things that show us that we're nothing but dollar signs to them. Tap or click below to hear Kim talk about why Facebook is alienating millions.