There's a new phishing scam targeting Facebook users, potentially giving the scammers access to all of a user's usernames and passwords.
It comes in the form of an email which appears to be from Facebook, telling users that their password has been reset. It invites them to open an attachment to get their new password.
But the attachment contains a password stealer which could potentially access every password used on that machine.
"This threat is potentially very dangerous considering that there are over 400 million Facebook users who could fall for this scam," says security firm McAfee.
Sharp-eyed users might notice there's something wrong. "Facebook would never send an email alerting a user that they changed his or her password," says McAfee. Instead, the company would direct the user to a password reset page by sending them a link.
"Another clue that can signal a user has received a spam email is the use of poor grammar and awkward phrases such as... the greeting 'Dear user of facebook'," says McAfee.
Users are advised to bin the email without opening the attachment.