Over 1 million Facebook users' passwords compromised — what to do now


Facebook’s parent company Meta has reported that the login information of up to a million users may have been compromised and made available to hackers. If you think you have been hit, reset your passwords now.  

After scanning both the Google Play Store and Apple's App Store, Meta previously announced it had found 400 apps designed specifically to harvest users' personal information. Spanning a range of genres, these apps pose as games, VPNs, health services, and photo editing tools. All the apps are designed to ‘phish’ for users' Facebook login information, which could lead to compromised accounts.

These apps have been removed from their respective stores, but users should check that they haven’t already got one installed. Meta has listed the apps in full in a blog post for users to cross-reference with their Android or iPhone and is reaching out to those affected. According to the Washington Post, a Meta spokesperson has said that one million Facebook users may have been affected by these malicious apps.

Worryingly, many of these dangerous apps were targeted toward children, with Meta finding that 11.7% of them were masquerading as games. Most disturbing of all, 42.6% of the apps were claiming to be photo editing apps, with any pictures taken using them likely compromised too.

The trick to the phishing attack here was to get users to log into the app using the “login with Facebook” service that the social network offers, which often makes it trivially easy to log into a service when using a mobile device. But in the case of the malicious apps, they'd quietly steal the user's login credentials, no doubt for later unscrupulous use.

Change your password now


If you suspect you may have fallen foul of such phishing attacks, then we suggest you go and change your Facebook password right away. This should curtail any malicious use of your account.

And when it comes to logging into apps with a Facebook (or other social media) account, be aware that just because something is on Google or Apple’s official app store does not mean it is safe. Both companies do have stringent measures against this kind of fraud, but something will always slip through the cracks.

Meta has laid out some guidelines to follow when deciding whether to trust an app, which include checking reviews and guidance for an app and whether it only offers users the chance to log in via social media (a gigantic red flag). This is a start, but there are plenty of ways to further increase your security online. 

First and foremost, using one of the best password managers available will improve your safety no end and will greatly reduce the damage any leaked information can do. This is especially true if you use the same password on several platforms. Our senior security and networking editor Anthony Spadafora recommends LastPass, “because of its ease of use, its support for all major platforms and its wide range of features.”

To spot a malicious app, Anthony suggests users stay aware of what their apps require permission to do. Does a flashlight app need access to your contacts or address, for example? For Android in particular this can be a problem, and it is well worth checking out the best Android antivirus apps.

Two-factor authentication (2FA) is another great tool to protect your login credentials. It can be enabled on most large online services such as Amazon, Facebook, Twitter and even Fortnite. In this day and age, it is up to us as users to protect our own data. Make sure you don’t get caught out.

Andy is a freelance writer with a passion for streaming and VPNs. Based in the U.K., he originally cut his teeth at Tom's Guide as a Trainee Writer before moving to cover all things tech and streaming at T3. Outside of work, his passions are movies, football (soccer) and Formula 1. He is also something of an amateur screenwriter having studied creative writing at university.