Claim:   A review of Facebook Active Sessions will reveal unauthorized users currently accessing one’s Facebook account.


MOSTLY FALSE


Example:   [Collected via e-mail, February 2015]


There is a rumor that while using Facebook from your mobile
device people can use your account, supposedly this can be checked by
Active Sessions under Security. Is this true?
 

I saw a post on Facebook about “active sessions” stating
that people could hack your Facebook. User claimed you should go under account settings then privacy and then
“active sessions” and that you could/should kick people off your FB page.

Is there any truth to this? I did not see the active sessions link.



 

Origins:   Since Facebook introduced an account security feature enabling users to review and remove active sessions (instances in which a Facebook account is being accessed), confusing e-mail warnings about the feature have circulated, causing undue concern among many Facebook users.

Active sessions review is intended to allow users to monitor unauthorized use of their accounts, and the technical instructions provided in the warning messages seen above are largely correct. If you navigate to your account’s security tab, scroll down to “active sessions,” and review the number of active sessions shown, you’ll be able to view a number of instances during which your account was accessed from what may have been (at the time) new devices. Facebook logs such “new” logins as noteworthy; however, the average Facebook user is unlikely to discover networks of hackers logged into his or her account this way.

Facebook has detailed the steps to access information about active sessions thusly:



How can I manage where I’m logged into Facebook?

The Where You’re Logged In section of your Security Settings page shows you a list of browsers and devices that have been used to log in to your account recently. Each entry includes the date, time and approximate location when signing in, as well as the type of device used to access your account. You’ll also see the option to End Activity and log yourself out on that computer, phone or tablet.


Many users who followed the directive were unsettled to discover that there were several “active sessions” attributed to their accounts, often connected to locations that seemingly didn’t match their current or recent Facebook activities. Facebook addressed those concerns on a help page devoted to understanding Active Sessions and explained why locations in that tab often appeared unfamiliar:



If you see a location that you don’t recognize, first check to see if this session is connected to your mobile device. Often, when signing in through a mobile device, you’re routed through an IP address that doesn’t actually reflect your physical location.

If you don’t recognize a location and it’s not connected to a mobile login, it could be because:

We have inaccurate information: We can only provide an approximate location so our information will be wrong sometimes.

You forgot to log off: If you think you’ve left yourself logged in on someone else’s device, click the End Activity link to the right of that session info to log yourself out.

Someone else has access to your Facebook account: If you think someone else is logged into your account, end the suspicious session by clicking End Activity (or Remove on mobile) next to the session info. After you end the session, change your password to secure your Facebook account.


So although Facebook’s active sessions feature does have the ability to reveal unauthorized use of a Facebook account, what Facebook users are generally seeing is a list of locations from which they themselves have accessed the social network, including from mobile apps, their schools, their workplaces, and their friends’ houses.

Last updated:   19 February 2015