
Facebook and fencing yours in

It’s safe to say Facebook isn’t safe.

Just last month (Thursday 21 March 2019) Facebook announced yet another data breach – the third in a year (that we know of), this time involving up to 600 million passwords stored in plain text and exposed internally to up to 20,000 employees of the social network giant. The news caps a long period of trouble for Facebook over the way it handles and protects user data.

In September last year, it said information on 50 million users had been exposed through a security flaw, by a rogue state such as Russia, security experts say. And earlier in 2018 it revealed that data on millions of users had been harvested by data science company Cambridge Analytica, a political firm working for Donald Trump in 2016. And it doesn’t stop there: just before we hit the publish button on this article, a fourth data breach emerged (Thursday 4 April 2019), with reports that more than 540 million records about Facebook users were publicly exposed on Amazon’s cloud computing service.

With so many leaks in privacy and security by the world’s biggest social media site, it’s safe to say your private information, and your data in general, is not safe on Facebook. Is there anything you can do about it?


Here are 10 tips for strengthening the fence around your Facebook account… if you HAVE TO have one:

1)  Change your password

While we are not advocates of changing a password regularly just for the sake of it, it may be a good time to update yours anyway; if not because of the lack of security described above, then hopefully because you have come up with a much longer and more complex alternative. After all, how many apps and websites have you allowed Facebook to “control”?

To do so, click on the Edit button next to “Change Password” on the Security and Login screen.

If you’re not already using a password manager that auto-populates, you will need to re-enter your existing password, followed by your new one. Re-type the new password and then click on Save Changes.

2)  Turn on two-factor authentication

Until a foolproof biometric alternative comes along, the password is here to stay. We’ve previously written tips on creating strong passwords, and argued the merits of password managers, but the truth is, most people still end up using poor credentials. The best solution to that problem, for now, is two-factor authentication and you should enable it on your Facebook account RIGHT NOW.

To do so, go to the Security and Login settings and click on Edit for “Use two-factor authentication”.

Here you will be presented with several methods of using 2FA:

SMS Text Message (a code delivered via phone)

Security Keys (use a physical security key)

Code Generator (generate a session code via the Facebook app)

Recovery Codes (useful if you are out and haven’t taken your phone with you)

App Passwords (creates a one-time password)

Authorised Logins (disable 2FA on select devices)

Click on Set Up and configure as required.

3)   Set up unrecognised login notifications

From the main page, click on the drop-down arrow in the top right corner of the toolbar and click on Settings.

This time, instead of clicking on Privacy, choose “Security and Login”. Now, to receive a notification whenever an unknown computer or other device attempts to access your account, click on “Get alerts about unrecognised logins”. Click on the Edit button and then choose whether you wish to receive notifications, including email alerts to your primary address or a secondary email account.

4)  Check where you’re logged in

Have you accidentally left yourself logged into a device that can be accessed by your family, lost a device or sold one on without logging out of Facebook? If so, you’ll want to review which devices are logged in and do something about it!

Under the Security and Login section, look for the “Where You’re Logged in” section, which may already be displaying one or two devices. Click on “See More” if you are fortunate enough to have many devices logged into Facebook.

You can either click on “Log Out Of All Sessions” which will do exactly what it sounds like, or you can click on the column of three dots next to a specific entry to log out of a particular session, or notify Facebook that the device in question is not yours at all.

5)  Keep Apps in Check

Over the years you’ve used Facebook, you’ve probably given various apps permission to tap into its data trove. And why not? At the time it’s a simple enough request, a way to share photos more easily, or find friends across the app diaspora.

In doing so, though, you’re granting developers deep insight into your Facebook profile. And until Facebook tightened up permissions in 2015, you were also potentially letting them see information about your friends, as well; Cambridge Analytica scored all that data not from a hack, but because the developer of a legitimate quiz app passed it to them. So! Time to audit which apps you’ve let creep on your Facebook account, and give the boot to any that don’t have a very good reason for being there. That’s most of them.

On a desktop — you can do this on mobile as well, but it’s more streamlined on a computer — head to the downward-facing arrow in the upper-right corner of your screen, and click Privacy. (You’re going to spend a lot of time here today.) Now go to Apps, and check what permissions you so easily gave away.

OK, so maybe it’s not that bad. Or maybe it is! I have friends who discovered well over a dozen apps lurking within the Logged in with Facebook pane. Either way, you can see not only what apps are there, but how much info they’re privy to. To revoke any of those permissions, go over and click the pencil. To scrap the app altogether, hit the X. You’ll get a pop-up asking if you’re sure. Click Remove to make it official.

An important note here: Those developers still have whatever data about you that they’ve collected up to this point. You have to contact them directly to ask them to delete it, and they’re under no obligation to do so. To at least make the attempt, find the app on Facebook and send them a message. If they ask for your User ID, you can find that back on the Apps page by clicking on the app in question and scrolling all the way down.

It feels like you should be done now, but you’re not. From that same Apps page, go down just a smidge further to Apps, Websites, and Plugins. If you don’t want Facebook bleeding into any other part of your online experience—that’s games, user profiles, apps, you name it—then click Disable Platform. This could have unintended consequences, especially if you’ve used Facebook to login to other sites! Only one way to find out, though.

6)  Bad Ads

Back to the Settings panel! This time head to Ads, which you’ll find right below Apps. (The fact that neither of these falls under Security or Privacy should tell you all you need to know about Facebook’s disposition here.)

Just to be clear, Facebook — along with Google, and tons of faceless ad networks — tracks your every move online, even if you don’t have an account. That’s the internet we’re stuck with for now, and no amount of settings tweaks can fix it. What you can do, though, is take a modicum of control over what Facebook does with that information.

That pair of shoes that haunts your News Feed, even though you already bought a similar pair? Exorcise them by turning off Ads based on my use of websites and apps.

Also say no to Ads on apps and websites off the Facebook companies, which covers all the non-Facebook parts of the internet where the company serves up ads—which is pretty much everywhere. Then head straight down the line to Ads with your social actions, which you should only leave on in the event you want to share with the world that you accidentally clicked ‘Like’ on that sponsored post from a furniture company that probably exists only on a server in Luxembourg.

And for some fun insight into what Facebook thinks you’re into, click on Your Interests. There you’ll find the categories that Facebook uses to tailor ads to your Liking. You can clear out any that bother you by clicking the X in the upper-righthand corner when you hover over, but mostly it’s a fun lesson in how digital advertisers distill your essence. You’ll also likely find at least one surprise; Facebook thinks I’m into IndyCar, which honestly, maybe, if I’d only give it a chance.

Please remember that none of this will in any way change the number of ads you see on Facebook or around the web. For that, you’ll need an ad blocker.

7)  Friends Focus

After a decade on Facebook, you’ve likely picked up friends along the way you no longer recognise—not just their profile picture, their name and context. Who are all these people? Why are they Liking your baby pics? Why aren’t they liking your baby pics?

To get a handle on who can see which of your posts, it’s finally time to head to Settings then Privacy.

Start with Who can see my posts, then click on Who can see my future posts to manage your defaults. You’ve got options! You can go full-on public and share with the world, or limit your circle by geography, employers, schools, groups, you name it. Whatever you pick will be your default from here on out.

Whatever you pick, immediately go to “Limit the audience for posts you’ve shared with friends of friends or public?” to make that choice retroactive. In other words, if you had a public account until now, changing your settings won’t automatically make your past posts private. You have to get in a few extra clicks for that.

Skip ahead down to How People Find and Contact You, since that’s thankfully pretty straightforward. Tweak all the settings to your liking. The main note here: Don’t share your email or phone number unless you absolutely have to, and if you do, keep the circle as small as possible. (If you do have to share one or the other with Facebook for account purposes, you can hide them by going to your profile page, clicking Contact and Basic Info, then Edit when you mouse over the email field. From there, click on the downward arrow with two silhouettes to customize who can see it, including no one but you.)

And while we’re almost done with this part, first we have to talk about tagging. If people want to tag you on Facebook, there’s not much you can do about it. Sorry! But you can at least stop those embarrassing pics from showing up in your timeline. Enable the option to Review posts you’re tagged in before the post appears on your timeline so you can clear anything out that you’d rather not see there.

Then, head to Timeline and Tagging in the left-hand menu. There you can limit who can post to your timeline, who can see which posts, who can see what you’re tagged in, and so on. Your tolerance here will vary depending on how active a Facebook user you are and how obnoxious your friends can be, but at the very least it’s helpful for setting custom audiences that exclude people — your boss, maybe, or an ex — you definitely don’t want taking an active role in your Facebook experience.

To test out those changes, head to Review what other people see on your timeline, where you can see what your account looks like through the eyes of a set of people or a specific friend.

One last thing: You’ll see a Face Recognition option in the left-hand menu pane as well. It has some genuine uses, like letting you know if someone is using a photo of you in their account for trolling or impersonation. But if you’re fundamentally more creeped out by Facebook’s algorithms hunting for your face than by potential human jerks, go ahead and switch it off.

8)  Watch out for hoax updates and messages on Facebook

Now that your account is locked down tight, the only other areas you need to consider on Facebook are the messages you receive, and the content you see on others’ timelines. It’s always worth remembering that bad guys are always looking for a way to trick their victims into doing something that is to their advantage. Often this can be something benign, such as liking a ridiculous post that is anything but true – celebrity death hoaxes are quite common on Facebook – or replying to a message containing fake news.

Such scenarios often don’t pose any real risk but can be incredibly frustrating, saddening or simply annoying and a good reason to use the blocking settings!

9)  Is Facebook listening to everything I say?

By this point, it’s a trope: You have a casual conversation about toothbrushes with your roommate — as one does — and a few hours later, toothbrush ads flood your News Feed. Surely this means Facebook’s using your smartphone’s mic to eavesdrop, right?

Well, no, sorry! As we’ve explained here and others have investigated elsewhere, Facebook’s not actually hijacking your microphone. For starters, it would be wildly impractical not only to sort through all that data, but to figure out which words meant anything. Besides, worrying about Facebook eavesdropping distracts from the far more concerning fact that it doesn’t have to. The things you and your friends do online, and where you do them, and when, and how, and from what locations, all form more than enough of a profile to inform ads that feel like Facebook isn’t just listening in on your conversations, but on your private thoughts. So, please do feel better about the mic thing, but much, much worse about the state of internet tracking, targeting, and advertising at large.

10)  Pulling the plug

If even scrolling through all of these settings tweaks has left you exhausted, much less actually implementing them, you do have a more efficient option: pulling the plug altogether.

Before you do this: First, do recognise that this won’t solve all of your online ad woes. You’ll still be tracked, targeted, and so on across the web, both by Facebook and other ad networks. They’ll all have that much less info to work with, though! So that’s something.

And second, if you do decide to go through with it, think about downloading your account first. There’s no reason to lose all those photos and statuses and such. To preserve those memories offline, head to Settings > General Account Settings > Download a copy of your Facebook data and click Start my archive. Facebook will email you with a download link when it’s ready, which you should pounce on since it’ll expire eventually.

OK all set? Here we go. Head back to Settings again, where you’ll start in General. Click on Manage Account, scroll past the grim “what happens to my social media presence when I die” bits, and click Deactivate my account. You’ll need to enter your password here, look at photos of friends who will “miss” you, take a quick survey about why you’re bailing, and then click Deactivate one more time. Done. Your Facebook woes are no more and you’re safe. Or are you…?


CybACADEMY courses powered by GoldPhish® educate employees on cyber risk and help build a more secure organisation with awareness training.


