Facebook has experienced multiple data breaches and privacy scandals — including a 2019 leak of 533 million phone numbers and the Cambridge Analytica incident affecting 87 million profiles. Despite this troubled history, Facebook is generally safe to use in 2026, as Meta has invested billions in security. But you need to take some steps to protect your account.
What happened in the Facebook data breaches?
Facebook, now owned by Meta, has had several major security incidents over the years. Here are the most significant ones.
The 2019 phone number leak exposed data from 533 million Facebook users across 106 countries. The leaked database included phone numbers, full names, locations, email addresses, and biographical information. This data was scraped through a vulnerability in Facebook’s contact importer feature, which allowed attackers to link phone numbers to Facebook profiles at scale. The full database was posted for free on hacking forums in April 2021.
The Cambridge Analytica scandal in 2018 revealed that a political consulting firm had harvested personal data from up to 87 million Facebook profiles. A third-party quiz app collected not only data from people who used the app, but also from all of their Facebook friends — without proper consent. This data was then used for targeted political advertising. While this was technically a misuse of Facebook’s data sharing policies rather than a hack, it exposed how loosely Facebook controlled access to user data.
Multiple smaller incidents have also occurred, including a 2018 bug that exposed access tokens for 50 million accounts, and a 2019 incident where hundreds of millions of passwords were found stored in plain text on internal servers (accessible to Facebook employees but not leaked externally).
Is Facebook safe to use now?
Yes, Facebook is safe to use in 2026 — but with an important caveat: you need to actively manage your privacy and security settings.
Meta has invested billions of dollars in security and privacy since these incidents. The company now employs thousands of security engineers and has built some of the most advanced threat detection systems in the technology industry. The specific vulnerabilities exploited in previous breaches have been patched, and the data access policies that enabled Cambridge Analytica have been completely overhauled.
Meta also introduced the Security Checkup tool, which walks you through your security settings step by step. Third-party apps now have much more limited access to your data, and Facebook’s contact importer, the feature exploited in the 533-million-user leak, has been restricted.
However, Facebook collects a large amount of personal data by design. Even without a breach, you should be thoughtful about what information you share on the platform and who can see it.
What did Meta do to fix the security problems?
Meta took extensive action after these incidents:
- Shut down the contact importer vulnerability that enabled the 533-million-record scraping attack
- Completely overhauled third-party app permissions — apps can no longer access data from your friends without their explicit consent
- Built the Security Checkup tool that guides users through reviewing passwords, two-factor authentication, and login alerts
- Expanded the bug bounty program — paying independent security researchers to find and report vulnerabilities before attackers can exploit them
- Invested in AI-powered threat detection that monitors for suspicious activity patterns across the platform
- Hired thousands of additional security and privacy engineers as part of a multi-billion-dollar investment in platform integrity
- Implemented stricter data access reviews for all third-party developers building on the Facebook platform
Meta also paid a record $5 billion fine to the US Federal Trade Commission in 2019, which came with binding requirements for stronger privacy protections.
How to check if your Facebook data was exposed
Your email or phone number may have been part of the 533-million-record leak without you knowing about it.
Check your email now with EmailLeaked — it scans billions of records from known data breaches and tells you in seconds whether your information appeared in the Facebook breach or any other incident. The check is free and private.
If your email appears, it means your data was in the leaked database. It does not necessarily mean someone has accessed your Facebook account, but you should take the steps below to secure it.
5 steps to secure your Facebook account right now
These steps will significantly reduce the risk of unauthorized access to your account, whether or not you were affected by a previous breach.
Step 1: Change your password. Go to Settings and Privacy, then Settings, then Security and Login, then Change Password. Choose a password that is at least 16 characters long and unique to Facebook, meaning it is not used anywhere else. A password manager can generate and remember it for you.
Step 2: Enable two-factor authentication. In the same Security and Login section, turn on two-factor authentication. Use an authenticator app rather than SMS for better security. This means even if someone gets your password, they cannot log in without the second code. Read more about how two-factor authentication protects you.
Step 3: Review where you are logged in. Under Security and Login, check “Where you are logged in” and remove any sessions you do not recognize. This immediately logs out anyone who might have unauthorized access.
Step 4: Check your connected apps. Go to Settings, then Apps and Websites, and remove any apps you no longer use or do not recognize. Each connected app has some level of access to your Facebook data, so fewer connections mean a smaller attack surface.
Step 5: Tighten your privacy settings. Go to Settings, then Privacy, and set “Who can look you up using your phone number” and “Who can look you up using your email address” to “Only me” or “Friends.” This stops strangers from matching your phone number or email address to your profile, which prevents the type of scraping that caused the 533-million-record leak.
The bottom line
Facebook’s breach history is concerning, and the Cambridge Analytica scandal revealed serious problems with how the platform handled user data. But Meta has made substantial investments in security since then, and the specific vulnerabilities that were exploited have been addressed.
The biggest risk is not that Facebook will be breached again in the same way — it is that your old data from previous breaches is still circulating on the dark web. Check if your email was exposed, change your password, enable two-factor authentication, and review your privacy settings.
For more context on how breached data gets used, read our guides on what happens to stolen data and what credential stuffing is.