More than half a billion — yes, billion — Facebook accounts have been compromised in a huge data breach. Among the data leaked are full names, email addresses, phone numbers, birthdays, and location information.
If you're trying to figure out whether or not you should be worried about your information being compromised, a site called haveibeenpwned.com can help. The site is completely legitimate, letting you quickly search to see if your email address or phone number has shown up in data breaches, including the new Facebook data breach. If you haven't used it before, it's worth checking out and setting up notifications so you'll get an email if your accounts show up in a future data breach (just click "notify me" at the top of the page to sign up).
You can also check to see if your passwords — not just your email — have been compromised. To find out if one of yours is on the list, go to the site's password page and look it up. And, yes, it's safe to do so on this site, which takes serious measures to protect your security. Just remember you should be extremely wary of unknown sites that ask for your password — a less trustworthy site could easily use this to steal your account information.
[Editor's note: Concerned that entering a password into this site could create its own security risks? The creator of the site, Troy Hunt, is a well-known and highly regarded security expert; you are not entering any other information that could be used with or associated with the password (e.g., user name, email, specific site name); and the site isn't storing your password. However, it is theoretically possible that if you sign up to be notified when a password is breached, the stored hash could somehow be decrypted, and if there is an IP address stored alongside it, that decrypted password could then be connected back to you and your logins via other third-party hacks. We would say the likelihood of this is extremely small, and the benefit of the site outweighs this risk, but it is possible. So if you want to be absolutely safe, only enter passwords that you are no longer using, or change any active passwords you do enter immediately before or after. There is still value to the process with inactive passwords, because if one of those hacked passwords is the one you're using for your bank, email or other critical use, you know there's a possibility that either their data was hacked, you're reusing passwords and risking your critical site login, or the passwords you're using are too common and you need to develop more secure password habits.]
After you type in your password and hit enter, the site will tell you whether the password has shown up in any data breaches, and how many times. For example, the all too common "password" has shown up 3,861,493 times in data breaches. Even if your usual password hasn't been leaked more than three million times, you should change it if it's been leaked at all — because once it's out there, it makes it easier for hackers to get into any accounts that use that password.
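To make the "is it safe to type my password in here?" question concrete, here is an added example (not code from the article or from haveibeenpwned.com) of how the Pwned Passwords lookup works under the hood. The site hashes your password locally with SHA-1 and sends only the first five hex characters of that hash to its range endpoint (`https://api.pwnedpasswords.com/range/<prefix>`), which is a real endpoint; the server replies with every hash suffix it knows for that prefix and a breach count, and the match is made on your side. The sample response body below is constructed for the test so the example runs offline; the count for "password" is the figure quoted in the article, and the other two suffixes are made up.

```python
import hashlib
import urllib.request

# Real k-anonymity range endpoint of the Pwned Passwords service.
PWNED_RANGE_URL = "https://api.pwnedpasswords.com/range/"

# Constructed sample of what a range response looks like: "<35-hex-suffix>:<count>"
# per line. The first line carries the suffix for "password" and the count quoted
# in the article; the other two lines are made-up filler (placeholder suffixes).
SAMPLE_RANGE_BODY = """1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
00000000000000000000000000000000001:2
FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF:17
"""


def sha1_prefix_suffix(password):
    """Hash the password locally; only the 5-char prefix ever leaves the machine."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def count_in_range(suffix, range_body):
    """Search a range response for our suffix; return its breach count (0 = not found)."""
    suffix = suffix.upper()
    for line in range_body.splitlines():
        line = line.strip()
        if not line:
            continue
        candidate, _, count = line.partition(":")
        if candidate.upper() == suffix:
            return int(count)
    return 0


def fetch_range(prefix):
    """Fetch the live range for a 5-char hash prefix (needs network access)."""
    req = urllib.request.Request(
        PWNED_RANGE_URL + prefix,
        headers={"User-Agent": "hibp-range-example"},  # hypothetical UA string
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def check_password(password, fetch=fetch_range):
    """Return how many times the password appears in known breaches.

    `fetch` is injectable so the logic can be exercised offline with a sample body.
    """
    prefix, suffix = sha1_prefix_suffix(password)
    return count_in_range(suffix, fetch(prefix))


if __name__ == "__main__":
    # Offline demonstration against the constructed sample body.
    offline = lambda prefix: SAMPLE_RANGE_BODY
    print("password ->", check_password("password", fetch=offline), "breaches")
    print("correct horse battery staple ->",
          check_password("correct horse battery staple", fetch=offline), "breaches")
```

The point to take from this is that the full hash, let alone the password itself, is never transmitted; the server learns a five-character prefix shared by hundreds of other hashes and cannot tell which one you were asking about. A count of zero means "not in the known-breach corpus", not "strong", so it is a floor for the reuse check in this article rather than a verdict on the password.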
If you find out your passwords have been compromised, you should change them immediately. Be sure to make a different password for every site and use a password manager to keep track of them all. Our current favorite is Dashlane, which you can download for free.
Once you've changed any hacked passwords, it's time to turn on two-factor authentication for any accounts that offer it. This security feature means that in addition to your username and password, you'll need a code — often texted to your phone or sent to an app like Google Authenticator — to get into your account. This can stop hackers in their tracks even if they do have your username and password, but don't use it as an excuse not to change any compromised passwords. While the instructions for setting up two-factor authentication will be different for each site, you can check Two Factor Auth to find sites that support this security feature and how to enable it on each.
With those steps done, your accounts are in much better shape, now and in the future.
Updated on 4/8/2021
[Image credit: Facebook breach via BigStockPhoto, haveibeenpwned.com]