At the end of December 2025 I started getting notifications from Facebook saying someone was trying to log into my account.
One attempt came from Kenya. Another from Mexico. Facebook blocked both of them, but seeing those alerts back to back made me stop what I was doing.
My Facebook account is not just personal. It is tied to two business pages and some local groups I recently started. Losing access to that would be a real problem, not just an annoyance. So I took it seriously.
Changing the Password Was the Easy Part
I changed my password right away using my iPad to generate something strong. Long, random, not reused anywhere. That part was straightforward.
But I already knew a strong password alone is not really enough anymore. So I went into my security settings to look at everything else.
Two-Factor Was On, But the Setup Bothered Me
Two-factor was already enabled, which was good. The issue was how it was configured. My account was using text message codes as the second factor.
While I was digging into this I started reading about SIM swapping. That is when someone convinces a phone carrier to transfer your number to their device. If they pull that off, they can receive your text messages, including your two-factor codes. At that point your password and your second factor are both compromised.
Most people probably do not need to think too hard about this. But my phone number is public because of my businesses. It is on my website, on Google, easy to find. That changes the math a little.
SIM swapping is one of several tactics that have gotten more common and more targeted over the last few years. I put together a broader scam awareness resource on my Tech Assist site if you want more context on how these attacks work: scam prevention guide for Manatee County.
How I Used AI to Think It Through
I asked an AI to help me pressure-test my reasoning. Not to make the decision for me, but to confirm whether my concern about SMS was actually valid given my situation.
I described the setup: public phone number, business pages tied to the account, alerts coming from multiple countries. I asked whether SMS or an authenticator app made more sense.
It confirmed what I was already leaning toward and filled in a few details about SIM swapping I had not fully understood yet. That was enough. I have written a bit more about how I use AI to work through tech problems if that part is interesting to you.
Switching to an Authenticator App
I removed the text message option and switched to an authenticator app. The app generates a new six-digit code every 30 seconds directly on my device. It does not use my phone number at all.
Even if someone had my password and somehow hijacked my number, they still could not get in without that rotating code sitting on my phone. It took maybe five minutes to set up.
What Happened After
The login alerts stopped. I have not seen one since.
I do not know who was behind the attempts or where the password originally came from. Probably a data breach somewhere, maybe a site I used years ago with a reused password. There is no real way to trace it, and honestly that was not the point. The point was to close the door.
The one thing I keep thinking about is how easy it would have been to just change the password and move on. That felt like enough in the moment. But the SMS gap was real, and I might not have caught it if I had not gone looking.
This is the kind of thing I run into regularly, both on my own accounts and when helping clients. If you want to see how some of those situations play out, the insights section has more. And if you are helping a senior family member think through their own account security, the scam awareness guide on my Tech Assist site covers a lot of the same ground in plain language.