Can my Facebook be hacked with 2 step verification?

Facebook is one of the most popular social media platforms, with over 2.85 billion monthly active users as of October 2022. With so many users, Facebook accounts are common targets for hackers and cybercriminals. One of the key security measures Facebook offers is two-factor authentication, also known as 2FA or two-step verification. This adds an extra layer of security to your account by requiring two different forms of authentication when logging in from a new device. However, there are still ways for hackers to bypass two-factor authentication and gain access to Facebook accounts.

How does Facebook’s two-factor authentication work?

When you enable two-factor authentication on Facebook, you link your account to a trusted phone number. Then, whenever you try to log in from a new device, Facebook will require two steps to verify your identity:

  1. Something you know – your Facebook password.
  2. Something you have – a 6-digit security code generated by the Facebook app on your phone or sent to you via text message.

This means that even if a hacker guesses or phishes your Facebook password, they still cannot access your account without also having access to your trusted mobile device. Having two layers of security makes your Facebook account much harder to compromise.

Can my Facebook still be hacked if I have 2FA enabled?

Unfortunately, yes – there are still ways hackers can bypass Facebook’s two-factor authentication and gain access to your account. Here are some of the most common methods used:

SIM swapping

SIM swapping involves hackers contacting your mobile carrier, impersonating you, and convincing the carrier to transfer your phone number to a SIM card they control. This gives them access to any calls, texts, and authentication codes sent to your number. If your Facebook 2FA is linked to that number, the hacker can then receive the login code and access your account.

Social engineering

Hackers may attempt to contact Facebook’s customer support, pretending to be you and claiming to be locked out of your account. By providing some of your personal info, they may convince support to disable 2FA or send them a password reset link. This requires knowing a lot of sensitive information about you.

Malware/spyware

Malicious apps or links can install malware or spyware on your phone without you realizing it. This gives hackers access to read text messages, record calls, and steal authentication codes from your device. Always be vigilant about apps and links you click.

Session hijacking

If you stay logged into Facebook on a public or shared computer, a hacker with access to that computer can hijack your active session. When you log in with 2FA, Facebook creates a persistent session so you stay logged in on that device without re-verifying every time. Hackers can steal that session cookie or token and use it to access your account without needing your password or a 2FA code.

Recovery code phishing

When you enable 2FA, Facebook gives you a list of one-time use recovery codes. These can be used to regain access if you ever lose your phone. Hackers may attempt to trick you into giving them your Facebook recovery codes through phishing emails or texts. Never give these codes out.
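Recovery codes only work as a safe fallback if each one is accepted exactly once and the stored copy is useless to anyone who reads the database. The following is an added illustration of that design, not Facebook's implementation: it generates high-entropy codes with the `secrets` module, stores only their SHA-256 digests, compares in constant time, and discards a code on first use. The alphabet, code length and count are constructed choices.

```python
import hashlib
import hmac
import secrets

# Constructed alphabet: 32 symbols, with 0/O and 1/I dropped to avoid transcription errors.
ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"


def generate_recovery_codes(count: int = 10, length: int = 10) -> list[str]:
    """Return `count` random codes; 32^10 = 2^50 possibilities each, so guessing is hopeless."""
    return ["".join(secrets.choice(ALPHABET) for _ in range(length)) for _ in range(count)]


def _digest(code: str) -> str:
    # Normalize what a user might type (lowercase, hyphens) before hashing.
    normalized = code.strip().upper().replace("-", "")
    return hashlib.sha256(normalized.encode()).hexdigest()


class RecoveryCodeStore:
    """Holds only digests of unused codes; the plaintext is shown to the user once and never kept."""

    def __init__(self, codes: list[str]):
        self._unused = {_digest(c) for c in codes}

    def remaining(self) -> int:
        return len(self._unused)

    def redeem(self, code: str) -> bool:
        """Consume the code if it is valid and unused. Returns False for unknown or already-used codes."""
        candidate = _digest(code)
        match = next((d for d in self._unused if hmac.compare_digest(d, candidate)), None)
        if match is None:
            return False
        self._unused.remove(match)  # one-time use: the same code can never succeed again
        return True


if __name__ == "__main__":
    codes = generate_recovery_codes()
    print("show these to the user once:", codes)
    store = RecoveryCodeStore(codes)
    print(store.redeem(codes[0]), store.redeem(codes[0]), store.remaining())
```

Because each code carries about 50 bits of randomness, a fast hash is adequate here; slow password hashing is needed for user-chosen secrets, not for these. The one-time property is also why a phished recovery code is so valuable to an attacker: it is a full second factor, and the only defence is never handing it over.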

How likely is it for my Facebook to be hacked with 2FA?

Enabling 2FA significantly improves your Facebook security and makes your account much harder to hack. However, it is not completely foolproof. According to Facebook’s own estimates, using 2FA reduces the risk of being hacked by 99.7%.

The likelihood depends on how cautious you are with your login details, how strong your Facebook password is, and how securely you use Facebook. Avoiding common 2FA mistakes like re-using passwords or clicking suspicious links is key to staying protected.

Here is a rough table estimating annual hacking risk based on your Facebook security habits:

Your Facebook security habits                                   Annual risk of being hacked
--------------------------------------------------------------  ---------------------------
Very weak password, click any links/files, never log out        1 in 10
Re-used password, occasionally click sketchy links              1 in 100
Unique strong password, cautious with links, always log out     1 in 10,000
Unique complex password, 2FA, very security conscious           1 in 1,000,000

As you can see, with strong security habits the chances of being hacked even with 2FA enabled are extremely low.

What should I do if my Facebook is hacked despite 2FA?

If you suspect your Facebook has been hacked or accessed without authorization, here are the steps to take immediately:

  1. Log into Facebook and reset your password – make it long and complex.
  2. Remove any unfamiliar devices logged into your account under Settings.
  3. Temporarily disable 2FA.
  4. Scan all devices linked to your Facebook for malware.
  5. Change the phone number linked to your Facebook account.
  6. Carefully re-enable 2FA with your new number.
  7. Review recent posts and messages for anything suspicious.
  8. Report unusual account activity to Facebook.

You may also want to contact your mobile carrier about blocking unauthorized SIM swaps on your number. Be wary of any further suspicious messages or activity going forward.

How can I further secure my Facebook from hacking?

Here are some extra steps you can take to strengthen your Facebook security beyond just using 2FA:

Use strong and unique passwords

Never reuse passwords across accounts. Your Facebook password should be at least 12 characters, with uppercase and lowercase letters, numbers, and symbols.

Review login notifications

Facebook sends you notifications whenever your account is accessed from a new device. Review these regularly for suspicious logins.

Enable login approvals

This adds an extra step by requiring approval from your other devices whenever a new device attempts to log in.

Limit active sessions

Log out fully after each Facebook session instead of staying perpetually logged in. This reduces the risk of session hijacking.
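Both the session hijacking section above and the advice to review new-device login notifications come down to the same server-side question: is this session or login coming from the device it was issued to? The following is an added example of that detection logic, not Facebook's code. It binds each session to the client fingerprint (IP address and user agent) seen at login, flags later requests on that session from a different fingerprint, and raises a separate "new device" alert when an account logs in from a fingerprint it has never used. The log records are constructed JSON lines, not real Facebook logs.

```python
import json
from dataclasses import dataclass, field

# Constructed sample records (not real logs): one JSON object per line.
SAMPLE_LOG = """\
{"event":"login","user":"alice","session":"s1","ip":"203.0.113.5","ua":"Chrome/120","ts":100}
{"event":"request","user":"alice","session":"s1","ip":"203.0.113.5","ua":"Chrome/120","ts":160}
{"event":"request","user":"alice","session":"s1","ip":"198.51.100.9","ua":"curl/8.0","ts":220}
{"event":"login","user":"alice","session":"s2","ip":"203.0.113.5","ua":"Chrome/120","ts":300}
{"event":"login","user":"alice","session":"s3","ip":"192.0.2.77","ua":"Safari/17","ts":400}
"""


def fingerprint(rec: dict) -> tuple[str, str]:
    """The client identity a session is bound to; here IP plus user agent."""
    return (rec["ip"], rec["ua"])


@dataclass
class SessionMonitor:
    sessions: dict = field(default_factory=dict)       # session id -> fingerprint at login
    known_devices: dict = field(default_factory=dict)  # user -> set of fingerprints seen
    alerts: list = field(default_factory=list)         # (kind, user, session, fingerprint)

    def handle(self, rec: dict) -> None:
        fp = fingerprint(rec)
        user, sid = rec["user"], rec["session"]
        if rec["event"] == "login":
            seen = self.known_devices.setdefault(user, set())
            if fp not in seen:
                # First login from this device: this is the event behind a
                # "new device logged in" notification to the account owner.
                self.alerts.append(("new_device_login", user, sid, fp))
                seen.add(fp)
            self.sessions[sid] = fp
        elif rec["event"] == "request":
            bound = self.sessions.get(sid)
            if bound is None:
                self.alerts.append(("unknown_session", user, sid, fp))
            elif bound != fp:
                # A live session token presented by a different client than the
                # one that authenticated: the signature of a stolen cookie.
                self.alerts.append(("possible_session_hijack", user, sid, fp))


def analyze(log_text: str) -> list[tuple]:
    """Replay the log through the monitor and return the alerts it raised, in order."""
    monitor = SessionMonitor()
    for line in log_text.splitlines():
        if line.strip():
            monitor.handle(json.loads(line))
    return monitor.alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(alert)
```

In the sample, session `s1` is issued to a Chrome client and later presented from a different address with a `curl` user agent, which the monitor flags as a possible hijack; `s3` is a clean login but from a device the account has never used, which is what should trigger a notification for the user to review. A real deployment would not bind to the raw IP (mobile users change addresses constantly) but to a coarser signal such as network or country, and would respond to a hijack alert by invalidating the session so the stolen token stops working, which is exactly what logging out fully achieves from the user's side.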

Carefully check links/files

Be wary of clicking links or downloading files sent to you within Facebook, as they could be infected with malware or steal your login info.

Monitor tagged photos

Review any photos you’re tagged in for inappropriate or unusual posts made without your knowledge, which could signal an account breach.

Limit app permissions

Be selective when allowing third-party apps access to your Facebook data. Only enable permissions needed for the app’s functionality.

Conclusion

While Facebook’s two-factor authentication adds a significant layer of security to your account, it is still possible for persistent hackers to bypass it through techniques like SIM swapping, social engineering, phishing, and malware. No single security measure makes you completely invulnerable.

The most important things are using unique strong passwords, exercising caution around suspicious links/files, monitoring your account activity, and limiting app permissions. Enable 2FA, but also be vigilant with your account security habits. With good practices, the risk of being hacked stays extremely low.