You might have given away your Facebook login info without meaning to, if you downloaded one of the more than 400 malicious apps designed to steal Facebook credentials from users. So it might be time to change your password.
Facebook discovered hundreds of malicious apps
The news dropped in an announcement by Meta, Facebook’s parent company, which disclosed the hundreds of malicious apps discovered by its researchers. According to Meta, there was a wide variety of apps in this roundup, making it easier for bad actors to find victims. Among the malicious apps were photo editors, which made up a whopping 42.6% of cases, as well as VPNs, flashlight apps, 3D games, fitness trackers, horoscopes, and business or ad management apps. We knew about one of these ad management apps already, which tricked more than 250,000 users into downloading it to their devices.
You don’t need to worry about any of these apps going forward: both Google and Apple have scrubbed their marketplaces of these known apps since Meta’s announcement. However, that won’t remove the apps from any devices that already installed them. If you downloaded any of the more than 400 malicious apps to your iPhone or Android, you’ll need to delete them. You can find a complete list of the known malicious apps on Meta’s announcement page.
Don’t use apps that require you to log in through Facebook
In addition, this list is not necessarily exhaustive. While Meta has put forth a thorough accounting of all known malicious apps, it can’t guarantee it has caught all of the bad actors. That means it’s on the rest of us to be cautious when downloading new apps from the Play Store or App Store, especially when those apps want to connect to your Facebook account for login verification.
Of course, many apps offer Facebook as a login method. That in itself isn’t necessarily nefarious, but it is a cause for caution: If an app doesn’t work unless you provide your Facebook credentials, consider deleting it from your phone. Legitimate apps don’t force you to connect to Facebook to use them, save for some specific examples from Meta.
How to protect your Facebook password
Meta is reaching out to the roughly one million affected users, so you should receive a notification if your login information was compromised. However, in light of how widespread this issue is, it wouldn’t hurt for all of us to reset our login info now.
To start, log in to Facebook. On desktop, click your avatar in the top right; on mobile, tap Menu in the bottom right. On either platform, head to Settings & Privacy. On desktop, choose “Security & login,” while on mobile, choose “Password and security.” From there, you can choose a new password from the “Change password” option (just make sure to make it strong and unique).
Arguably more important, though, is to enable two-factor authentication (2FA) if you haven’t already. With this option enabled, you’ll need to provide a 2FA code each time you log in, which requires having access to the approved authentication app, phone, or physical security key.
With 2FA, your username and password aren’t enough for malicious users to break into your account. If an app does steal your login info in the future, you’ll still be protected. It doesn’t take much time to set up, so I highly recommend you do so now. If you have an iPhone, you can even use the built-in authentication feature, so there's no need to download a third-party app.