Best Privacy Settings for Facebook After a Breach

After a Facebook data breach, the most critical privacy settings to change immediately are enabling two-factor authentication, reviewing and terminating unfamiliar login sessions, clearing your Off-Facebook Activity history, and auditing connected third-party apps. These four actions address the most common ways attackers exploit leaked credentials and personal data. For example, if your email and password were exposed in the May 2025 breach that left 184 million login credentials stored in plain text, an attacker could access your account within minutes unless you have 2FA enabled as a second barrier. The urgency of these settings cannot be overstated.

A hacker claimed in May 2025 to have exposed 1.2 billion Facebook user records, and data from the 2021 breach affecting 533 million users across 106 countries continues to circulate on dark web forums years later. The cumulative effect means your information may have been compromised multiple times without your knowledge. This article walks through each essential privacy setting in Facebook’s current interface, explains what each setting actually protects against, and identifies which settings matter most depending on your specific concerns. We also cover Meta’s 2026 AI policy changes that affect how your data is used, plus expert recommendations for protecting yourself beyond Facebook’s built-in options.

What Are the Most Critical Facebook Privacy Settings to Change After a Breach?

The single most important setting to enable after any breach is two-factor authentication. Navigate to Settings & Privacy, then Security and Login, and enable 2FA using an authenticator app rather than SMS codes, since phone numbers can be compromised through SIM swapping attacks. This setting ensures that even if your password was exposed in a breach like the June 2025 incident that leaked over 16 billion credentials harvested by Infostealer malware, attackers cannot access your account without the device that holds your authenticator. Equally important is reviewing your active login sessions. Go to Settings & Privacy, then Activity Log, and find “Where you’re logged in.” This displays every device currently signed into your account, including device type, location, and last active time.

If you see a login from an unfamiliar city or device, that session may belong to an attacker who already used leaked credentials to access your account. Log out of any session you do not recognize immediately, then change your password. Password strength matters more than most users realize. Security experts now recommend passwords of at least 16 characters combining uppercase letters, lowercase letters, numbers, and special characters. Critically, this password must be unique to Facebook and not reused from any other service. The breaches mentioned above specifically targeted credential reuse, where attackers test leaked email and password combinations across multiple platforms hoping users recycled them.

Managing Off-Facebook Activity and Data Sharing

Off-Facebook Activity tracks your interactions on websites and apps outside Facebook that share data with Meta for advertising purposes. This is one of the more invasive data collection mechanisms, and clearing it reduces how much Facebook knows about your behavior elsewhere on the internet. Navigate to Accounts Center, then Your Information and Permissions, then Your Activity Off Meta Technologies. Tap “Clear Previous Activity” to disconnect historical data from your account. This does not delete the data from Meta’s servers entirely, but it does disconnect it from your profile, meaning it will not be used for targeted advertising against your account. Then select “Manage Future Activity” and choose “Disconnect Future Activity” to prevent this data from being linked to you going forward.

The limitation here is that this setting does not stop the data collection itself, just its association with your profile.

For users concerned about the June 2025 Infostealer malware breach, understand that disconnecting Off-Facebook Activity does nothing to address malware on your device. If your computer is infected with credential-stealing software, changing passwords and adjusting privacy settings on an infected device is ineffective because the malware will capture your new credentials too. This is why security experts recommend running antivirus scans before making any account security changes after a breach.

How to Audit and Remove Connected Third-Party Apps

Third-party apps present a significant privacy risk because they may retain access to your Facebook data long after you stopped using them. Each app you connected to Facebook over the years received permission to access certain information, and breaches at those third-party services can expose your Facebook data even if Facebook itself was not breached. Navigate to Settings & Privacy, then Settings, then Your Activity, then Apps and Websites. Review each connected application and ask whether you still use it and whether it needs the permissions it currently has. Many users discover apps they connected years ago for one-time quizzes or games that still have access to their profile information, friends list, or email address. Remove any app you do not actively use. For apps you keep, review their specific permissions and revoke any that seem excessive for the app’s function.

A practical comparison helps illustrate the risk. A fitness app might legitimately need access to your basic profile information to create an account, but it should not need access to your friends list or location history. Conversely, a local event-finding app might reasonably request location access but should not need your work history or relationship status. When permissions exceed what makes sense for the app’s purpose, that is a red flag.

[Chart: Major Facebook-Related Data Breaches by Records Ex… (millions of records). 2021 Facebook Br..: 533; May 2025 Multi-P..: 184; June 2025 Infost..: 16,000; May 2025 Claimed..: 1,200. Source: Malwarebytes, CyberNews, ExpressVPN]

Location Tracking Settings and Their Limitations

Facebook’s location tracking extends beyond what most users expect. The platform can track your location through GPS, WiFi networks, cell towers, and even IP addresses. Adjusting location settings requires changes both within Facebook and at the device level. On iPhone, go to Settings, Privacy & Security, Location Services, then Facebook, and choose “While Using” or “Never.” On Android, navigate to Settings, Location, App Permissions, then Facebook, and select “Allow Only While Using” or “Deny.” Setting location to “While Using” means Facebook only accesses your location when the app is actively open on your screen.

This is a reasonable middle ground if you use location-based features like checking in or finding local events. Setting it to “Never” or “Deny” blocks location access entirely but will break any feature that relies on knowing where you are. The limitation users should understand is that even with GPS location disabled, Facebook can still approximate your location through other means. Your IP address reveals your general geographic area, and if you tag locations in posts or check in at businesses, that information is collected regardless of GPS settings. Complete location privacy on Facebook is not achievable through settings alone because the platform is designed around location-aware features.

Understanding Meta’s 2026 AI Policy and Encrypted Messaging

Meta’s 2026 policy update introduced AI integration into private chats on Facebook, Instagram, and WhatsApp. This policy uses your interactions with Meta AI for personalized ads and content recommendations, which represents a significant expansion of how conversational data is monetized. Users concerned about privacy should understand exactly what is and is not protected. End-to-end encrypted messages on Messenger and WhatsApp cannot be read by Meta, meaning conversations with friends and family in direct encrypted chats remain private.

However, chats with Facebook groups, business accounts, and Marketplace sellers are not encrypted and may be collected by Meta for training AI and targeting ads. This distinction matters because users often assume all Messenger conversations have the same privacy protections when they do not. The practical implication is that sensitive conversations should happen only in end-to-end encrypted direct messages, not in group chats or conversations with businesses. If you negotiate prices on Marketplace or discuss personal matters in a Facebook group, assume that conversation may be analyzed. This is not a bug or oversight but a deliberate policy choice reflected in Meta’s updated terms of service.

Ad Settings and Data Partner Restrictions

Facebook’s advertising ecosystem relies on data from partners who track your activity across the web. Restricting this data flow requires navigating to your ad settings and turning off “Data from partners,” which prevents Meta’s advertising partners from sharing your activity data with Facebook for ad targeting. You can also disable targeting based on profile information like your school, employer, or job title. The tradeoff with these settings is that your ads will become less relevant rather than disappear.

You will see the same number of advertisements, but they will be based on less specific information about you. Some users prefer irrelevant ads as a privacy feature, while others find random advertising more annoying than targeted ads. Neither setting reduces the volume of advertising, only its precision. For users who want to go further, data removal services like Incogni or DeleteMe can submit removal requests to data broker sites that aggregate and sell personal information. These services address a limitation of Facebook’s built-in privacy settings: they only control what Facebook does with your data, not what happens to data that has already been sold to third parties or leaked in previous breaches.

What Breached Data Cannot Be Protected by Settings

A critical limitation of all Facebook privacy settings is that they cannot protect data that has already been leaked. The 2021 breach exposing 533 million users, the 2025 breaches affecting hundreds of millions more, and ongoing Infostealer malware campaigns mean that for many users, their email addresses, phone numbers, and potentially passwords are already circulating on dark web forums. No privacy setting can recall that information. What settings can do is reduce future exposure and limit what attackers can do with previously leaked data. Enabling 2FA means leaked passwords alone are insufficient for account access.

Restricting lookup options means attackers cannot easily find your profile using a leaked phone number. Clearing Off-Facebook Activity means future browsing is not linked to your compromised profile. These are defensive measures that assume some data is already exposed. Users should also consider whether their devices are compromised. Security experts specifically warn that changing passwords on an infected device is ineffective because Infostealer malware will capture the new credentials immediately. Running reputable antivirus software before making security changes is essential, particularly given the June 2025 breach that exposed 16 billion credentials specifically harvested by this type of malware.

Conclusion

The best privacy settings for Facebook after a breach focus on limiting damage from exposed credentials and reducing ongoing data collection. Enable two-factor authentication immediately, review and terminate unfamiliar login sessions, clear your Off-Facebook Activity, and audit connected third-party apps. These four actions address the most exploitable vulnerabilities that breaches create.

Adjust location settings, ad preferences, and lookup options based on how you actually use the platform and what tradeoffs you find acceptable. Remember that Facebook’s privacy settings only control future data handling, not data already leaked in the numerous breaches affecting the platform’s users. Combining in-app settings with external measures like password managers, antivirus software, and data removal services provides more comprehensive protection. As Meta continues integrating AI into its platforms under the 2026 policy changes, staying informed about which conversations are encrypted and which are collected for advertising becomes increasingly important for maintaining whatever privacy remains possible on the platform.
