An Open Letter to Facebook Users: Stop Using “Login with Facebook”

Subject: An Open Letter to Facebook Users: Stop Using “Login with Facebook”
From: A concerned Meta User
Date: 15 Mar 2026

Dear Facebook and Instagram users,

If you care about the security of your online identity, there is one piece of advice I strongly urge you to follow:

Stop using “Login with Facebook.”

Better yet — remove it entirely from every service where you’ve used it.

I’m writing this after experiencing a sophisticated account takeover that exposed a structural weakness in how Facebook accounts are compromised today.

Most people believe that enabling two-factor authentication (2FA) protects them. Unfortunately, 2FA only guards the moment you log in; modern attackers often bypass it completely by targeting what the login produces.

Here is how it happens.

The New Method: Session Hijacking

Today’s attackers rarely try to guess your password. Instead, they aim for something far more powerful:

Your authenticated session.

When you log into Facebook successfully — even with two-factor authentication — Facebook issues a session cookie. This cookie acts like a temporary passport that tells Facebook:

“This user has already authenticated.”

As long as that cookie remains valid, the server assumes the browser using it is you.

Attackers exploit this through several techniques:

• Malware that steals browser session cookies
• Malicious browser extensions
• Phishing pages that proxy your login session in real time
• Compromised public networks or infected devices

Once an attacker obtains your Facebook session cookie, they can often import it into their own browser.

At that moment, they are effectively logged in as you.

No password required.
No 2FA prompt.
No alert.

To Facebook, it appears as if the same authenticated session simply continued.
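The weakness described above is that the server trusts the cookie alone. The following is an added, constructed example (not Facebook's code, and not from the original letter) of a hypothetical server-side session store that also binds each cookie to the client context it was issued in, so a cookie replayed from another browser triggers a step-up check or fails instead of silently continuing the session; the fingerprint inputs, timeouts and result strings are assumptions for illustration.

```python
import hashlib
import hmac
import ipaddress
import secrets

# Constructed example: a hypothetical server-side session store that binds each
# session cookie to the client context it was issued in, so a cookie replayed
# from a different browser is challenged instead of silently accepted.
IDLE_TIMEOUT = 30 * 60          # seconds of inactivity before the cookie dies
ABSOLUTE_LIFETIME = 12 * 3600   # hard cap, however active the session is

def _token_key(token: str) -> str:
    # Only a hash of the cookie value is stored server-side.
    return hashlib.sha256(token.encode()).hexdigest()

def _fingerprint(user_agent: str, client_ip: str) -> str:
    # Bind to the user agent plus the client's /24 (IPv4) or /64 (IPv6) network,
    # which tolerates small address changes but not a different network.
    addr = ipaddress.ip_address(client_ip)
    net = ipaddress.ip_network(f"{addr}/{24 if addr.version == 4 else 64}", strict=False)
    return hashlib.sha256(f"{user_agent}|{net}".encode()).hexdigest()

class SessionStore:
    def __init__(self) -> None:
        self._sessions = {}  # token hash -> session record

    def issue(self, user: str, user_agent: str, client_ip: str, now: float) -> str:
        token = secrets.token_urlsafe(32)
        self._sessions[_token_key(token)] = {
            "user": user, "fp": _fingerprint(user_agent, client_ip),
            "issued": now, "last_seen": now,
        }
        return token

    def validate(self, token: str, user_agent: str, client_ip: str, now: float) -> str:
        rec = self._sessions.get(_token_key(token))
        if rec is None:
            return "invalid"
        if now - rec["issued"] > ABSOLUTE_LIFETIME or now - rec["last_seen"] > IDLE_TIMEOUT:
            self.revoke(token)
            return "expired"
        if not hmac.compare_digest(rec["fp"], _fingerprint(user_agent, client_ip)):
            # Same cookie, different client context: demand step-up (2FA) and
            # log it, rather than treating it as the same session continuing.
            return "reauth"
        rec["last_seen"] = now
        return "ok"

    def revoke(self, token: str) -> None:
        # "Log out of sessions you do not recognize": a stolen copy dies too.
        self._sessions.pop(_token_key(token), None)
```

Short lifetimes and server-side revocation limit how long a stolen cookie stays useful; the context check turns a silent takeover into a logged re-authentication prompt.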

Why “Login with Facebook” Makes This Worse

The “Login with Facebook” button connects your Facebook account to dozens — sometimes hundreds — of other services.

This dramatically expands your attack surface.

If your Facebook session is hijacked, an attacker may gain access not only to your social account but also to:

• websites where you authenticate via Facebook
• apps connected through Facebook login
• advertising assets and business accounts
• linked Instagram accounts
• developer accounts and services

In other words:

One compromised Facebook session can cascade into access across your digital life.

The Persistence Problem

Once attackers gain access, they frequently establish persistence by:

• Adding their own email addresses to the account
• Linking new Instagram accounts
• Granting access to business assets or ad accounts
• Creating secondary login paths in Meta’s Accounts Center

Even if you change your password, the attacker may still retain access through these added email addresses, accounts, and login paths until each one is discovered and removed.

What You Should Do Now

If you use Facebook or Instagram, take these steps immediately:

1. Stop using “Login with Facebook.”
Use independent email/password logins for services instead.

2. Review apps connected to your account.
Remove any you do not absolutely need.

3. Use an authenticator app for 2FA.
Avoid SMS-based codes where possible.

4. Regularly review your Accounts Center.
Check for unknown email addresses, phone numbers, or linked accounts.

5. Log out of sessions you do not recognize.

A Final Thought

The convenience of “Login with Facebook” has always come with a hidden cost: centralized risk.

When a single identity becomes the key to dozens of services, compromising that identity becomes incredibly valuable to attackers.

Security professionals have warned about this model for years.

If you rely on Facebook as your universal login, you are effectively putting all of your keys on one keyring — and leaving it online.

For your own protection, reconsider whether that convenience is worth the risk.

Sincerely,

A concerned Meta user
