
Facebook security warning: Thousands of passwords stolen

Stolen social media accounts are a hot commodity on Dark Web marketplaces. The average Facebook account sells for about $74.50, making the social network a priority target for phishing scams and cybercriminals.

Phishing campaigns make it easy to steal large quantities of login credentials at once. All scammers need to do is create a fake login page and trick victims into signing in. Tap or click here to see a copyright notice phishing scam targeting Facebook users.

If cybercriminals aren’t careful with their stolen data, they can easily blow their entire operation. A group of cybercriminals learned this the hard way after hosting hundreds of thousands of Facebook logins on an unprotected database. Cybersecurity isn’t just for the good guys, after all.

A botched phishing job leads Facebook to a ring of cybercriminals

Security researchers with vpnMentor found an unsecured database containing hundreds of thousands of stolen Facebook logins. The credentials were stolen as part of a widespread phishing operation that targeted Facebook users with fake landing pages.

The researchers, who shared their findings with CNET, believed the scammers used websites that offered fraudulent services to Facebook users, such as reports on who recently visited a user’s page.

Victims would log in with their username and password, thinking they were signing up for the service, only to have their data stolen and sent back to the cybercriminals.

The sheer number of users in the database is shocking enough, but the scammers made a fatal mistake during their data heist: they left their trove of stolen data exposed with no password or other authentication in front of it.

Anyone with a web browser who found the server could read the stolen database, which contained millions of user records. vpnMentor researchers believe the hijacked accounts were then used to dupe even more victims into joining a cryptocurrency scam.

Tap or click here to see how a similar cryptocurrency scam took over some of Twitter’s most influential accounts.

The botched security of the database gave researchers everything they needed to report their findings to Facebook. The database is no longer online, and Facebook forced password resets for affected users.

Am I affected? What should I do?

If your information was included in the database, Facebook might have already reached out to you with a password reset request. If Facebook forces a password reset, you won’t be able to log in again until you create a new password.

Tap or click here to see how to create stronger passwords.

Even if you weren’t a victim, it’s a good idea to change your password whenever you suspect it may have been exposed. A credential captured by a phishing page or guessed by a brute-force attempt stops working the moment you replace it, provided the new password is unique to Facebook and not reused on any other site.

Follow these steps to reset your Facebook account on your computer or smartphone:

On your desktop:

  1. Click the downwards-pointing arrow in the top right of the Facebook homepage.
  2. Click Settings & Privacy, followed by Settings.
  3. Click Security and Login.
  4. Click Edit next to Change password.
  5. Enter your current password and type in a new password. Make it long, unique to Facebook and not based on anything easily guessed, such as names, birthdays or a password you use elsewhere.
  6. Click Save Changes.

On your phone

  1. Open the Facebook app and tap the three-line icon. On iOS, the icon will be on the bottom right. On Android, the icon will be on the top-right.
  2. Scroll down and tap Settings & Privacy, then tap Settings.
  3. Tap Security and Login, then tap Change Password.
  4. Enter your current password and type in a new password. Make it long, unique to Facebook and not based on anything easily guessed, such as names, birthdays or a password you use elsewhere.
  5. Tap Save Changes.

For extra security, we’d also recommend activating two-factor authentication for your Facebook account. Once 2FA is set up, a login from an unrecognized device requires a second code in addition to your password, so a stolen password alone isn’t enough, and the prompt itself tells you that someone is trying to get in without your permission.

Tap or click here to see how to set up 2FA for Facebook and other social networks.

To stay safe in the future, follow these guidelines:

  • Never log into your Facebook account anywhere other than Facebook itself. Third-party services that ask for your Facebook username and password do not have your best interest in mind.
  • Any time you’re asked to log into your account, look at your browser’s address bar. If the site is not Facebook’s own domain (facebook.com, or a subdomain of it such as www.facebook.com), it could be a phishing site. Look-alikes such as “facebook.com.something-else.net” or “facebook-login.net” are not Facebook.
  • Avoid clicking links sent to you by email. If a link from an email takes you to a Facebook login page, close the window and, if you need to, type facebook.com into the address bar yourself. An emailed link that lands on a login page is a red flag for phishing.

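The address-bar check above is easy to get wrong by hand, because phishing pages hide the real domain in the path, in the part before an “@”, or in a look-alike hostname. The function below is an added example (not code from the article or from Facebook) that applies the rule properly: it parses the URL the way the browser does and accepts it only if the hostname is facebook.com or a subdomain of it, over HTTPS. The sample URLs are constructed for illustration; the assumption that facebook.com is the only legitimate login domain is the article’s own rule.

```javascript
// Added example: decide whether a login URL really belongs to Facebook.
// Assumption (from the article's guideline): the only legitimate login
// hosts are facebook.com and its subdomains; anything else is suspicious.
const LEGIT_DOMAIN = "facebook.com";

function isLegitFacebookLogin(urlString) {
  let url;
  try {
    url = new URL(urlString);
  } catch (e) {
    return false; // not even a parseable URL
  }

  // A real login page is served over HTTPS; plain http is a red flag.
  if (url.protocol !== "https:") return false;

  // url.hostname is the part the browser actually connects to. It ignores
  // "userinfo" before "@" (https://facebook.com@evil.example) and the path
  // (https://evil.example/facebook.com/login), so both are rejected below.
  // The URL parser also converts international hostnames to punycode
  // ("xn--..."), so a homograph look-alike never equals "facebook.com".
  const host = url.hostname.toLowerCase().replace(/\.$/, ""); // drop trailing dot

  // Exact domain, or a subdomain separated by a dot. This rejects
  // "facebook.com.evil.example" (wrong suffix) and "myfacebook.com"
  // (no dot boundary before the legitimate domain).
  return host === LEGIT_DOMAIN || host.endsWith("." + LEGIT_DOMAIN);
}

// Constructed sample URLs (not real phishing sites) covering the common tricks.
const SAMPLE_URLS = [
  "https://www.facebook.com/login",
  "https://m.facebook.com/login.php",
  "https://WWW.FACEBOOK.COM./",
  "http://www.facebook.com/login",
  "https://facebook.com.login-verify.example/",
  "https://facebook.com@evil.example/login",
  "https://evil.example/facebook.com/login",
  "https://myfacebook.com/",
  "not a url at all",
];

// Returns a map of URL -> verdict so the results can be inspected or asserted on.
function checkSamples(urls = SAMPLE_URLS) {
  const verdicts = {};
  for (const u of urls) verdicts[u] = isLegitFacebookLogin(u);
  return verdicts;
}

// Usage: print each sample with its verdict.
for (const [u, ok] of Object.entries(checkSamples())) {
  console.log((ok ? "OK       " : "SUSPECT  ") + u);
}
```

The important design choice is to compare the parsed hostname, never the raw string: a substring test such as `urlString.includes("facebook.com")` would pass every one of the hostile samples above, which is exactly the mistake phishers count on.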
With a stronger password and two-factor authentication turned on, you’re already smarter than the cybercriminals running this failed phishing campaign. If only the rest of the cybercriminals out there were this careless. Then they might not be such a threat anymore.
