Update: 15.10.2018
Do you still remember how Facebook announced that the data of millions of their users might have been stolen due to a bug that had been sitting in their system unnoticed for over a year? You might be happy to hear that Facebook has now released its final count: only 30 million users were affected after all. Like for real. No guessing involved.
According to Facebook the attackers “used an automated technique to move from account to account so they could steal the access tokens of those friends, and for friends of those friends, and so on, totaling about 400,000 people.”
Then “the attackers used a portion of these 400,000 people’s lists of friends to steal access tokens for about 30 million people. For 15 million people, attackers accessed two sets of information – name and contact details (phone number, email, or both, depending on what people had on their profiles). For 14 million people, the attackers accessed the same two sets of information, as well as other details people had on their profiles. This included username, gender, locale/language, relationship status, religion, hometown, self-reported current city, birthdate, device types used to access Facebook, education, work, the last 10 places they checked into or were tagged in, website, people or Pages they follow, and the 15 most recent searches. For 1 million people, the attackers did not access any information.”
That’s the gist of it. Facebook will inform you if you were affected, so if you don’t get any news you can relax: you should be fine.
Original article: Facebook hacked: 90 million accounts at risk
Facebook is huge; most people know that. According to the company itself it has 2.2 billion monthly active users. The sheer size of the social network makes any data leak, like the Cambridge Analytica one, pretty much a disaster. Now Facebook has announced that its systems were hacked and the information of 50 million users compromised.
“View as” feature exploited
In the post disclosing the hack of a large chunk of their users, Facebook also gave some insight into how it happened. Apparently a feature that is meant to enhance the user’s privacy, “View as”, was exploited. This feature lets people see what their own profile looks like to someone else, for example to a colleague or a family member.
Apparently it was possible to circumvent the “read only” nature of this feature and end up with an access token for the account being viewed rather than for the viewer. Such a token is the credential Facebook’s apps hold so that a user stays logged in; whoever has it can act as that account without ever entering a password. What’s even worse: the token would not only grant access to Facebook but could also be used on any site the affected user logs into with their Facebook account, for example Instagram, your local news website, or any other page that offers this login option.
Tokens reset
Facebook reacted fast. They discovered the issue around a week ago, have since fixed the vulnerability and reset the access tokens of the 50 million affected users. That’s not all though: the flaw had apparently been present since 2017. The social network did not observe any suspicious activity until recently, but has nonetheless reset a further 40 million tokens just to be sure, namely for accounts that had been subject to a “View as” look-up in the last year. Anyone in either group was logged out of Facebook and had to log in again, which issues a fresh token and makes any stolen one worthless.
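To make the mechanics concrete, here is a small added example (my own illustration, not code from the article or from Facebook) of a bearer access token scheme. It shows two things the breach turns on: a token minted for the wrong account is a complete takeover, because presenting a token involves neither a password nor a second factor; and “resetting tokens” works by bumping a per-user generation counter, so every token issued before the reset stops validating. The user names, the signing key and the two “View as” flows are all invented for the illustration.

```python
import hashlib
import hmac
import secrets

# Assumed server-side signing key for this demo; a real deployment keeps this in an HSM or KMS.
SERVER_KEY = b"demo-only-signing-key"


class TokenService:
    """Issues and checks bearer access tokens for a set of constructed demo users."""

    def __init__(self):
        # Per-user "token generation". Every token carries the generation it was
        # minted under; bumping the counter invalidates all earlier tokens at once.
        self.generation = {"alice": 1, "bob": 1}

    def _sign(self, user, gen, nonce):
        msg = f"{user}|{gen}|{nonce}".encode()
        return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()

    def issue(self, user):
        """Mint a bearer token for `user`.

        The normal login path calls this only after the password (and the second
        factor, if enabled) have been verified. The token records none of that;
        from here on the token itself is the proof of identity.
        """
        gen = self.generation[user]
        nonce = secrets.token_hex(8)
        return f"{user}.{gen}.{nonce}.{self._sign(user, gen, nonce)}"

    def authenticate(self, token):
        """Return the account a token speaks for, or None if it is invalid.

        Note what is absent: no password check and no second-factor check.
        Whoever presents a valid token is treated as that user.
        """
        try:
            user, gen_str, nonce, sig = token.split(".")
            gen = int(gen_str)
        except ValueError:
            return None
        if user not in self.generation:
            return None
        if not hmac.compare_digest(sig, self._sign(user, gen, nonce)):
            return None  # forged or tampered token
        if gen != self.generation[user]:
            return None  # minted before a reset
        return user

    def reset_tokens(self, user):
        """Invalidate every token issued so far for `user` (forces a fresh login)."""
        self.generation[user] += 1


def view_as_buggy(svc, viewer, target):
    """Model of the flaw (deliberately wrong): the preview flow mints a token
    for the account being viewed instead of for the logged-in viewer."""
    return svc.issue(target)


def view_as_fixed(svc, viewer, target):
    """Hardened flow: a preview of `target`'s profile only ever carries the
    viewer's own credentials; the target's name is used for rendering only."""
    _ = target  # needed to render the preview, never to mint a token
    return svc.issue(viewer)


def demo():
    """Walk through attack and remediation; returns the three outcomes."""
    svc = TokenService()
    # Attacker "bob" opens "alice"'s profile through the buggy View As path.
    stolen = view_as_buggy(svc, viewer="bob", target="alice")
    hijacked_as = svc.authenticate(stolen)  # "alice": full access, no password or 2FA involved
    svc.reset_tokens("alice")               # the remediation: reset the tokens
    after_reset = svc.authenticate(stolen)  # None: the stolen token is now worthless
    legit = view_as_fixed(svc, viewer="bob", target="alice")
    return hijacked_as, after_reset, svc.authenticate(legit)


if __name__ == "__main__":
    print(demo())  # ('alice', None, 'bob')
```

The generation counter is what makes a mass reset cheap: no list of stolen tokens is needed, the server just stops accepting anything older than the counter, which is why the extra 40 million precautionary resets cost Facebook nothing but a forced re-login for those users.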
Privacy disaster
Considering how much data Facebook collects – after all that’s how the company makes money – someone having access to probably more than 50 million user accounts is horrendous. If you are afraid that something like this could have happened to you (or may in the future with other online companies) there are a couple of things you can do to protect yourself:
- Do not use the Facebook login for other accounts: While super convenient, it also becomes a problem when your Facebook account gets hacked, as the above example clearly shows: a stolen Facebook token can be enough to get into every site that relies on “Log in with Facebook”. If you have trouble coming up with good passwords or remembering them afterwards, use a password manager.
- Use 2 factor authentication: It may not be the most convenient option, but it makes sure that nobody who merely learns your password can get into your account. One caveat: it would not have stopped this particular attack, because a stolen access token is only handed out after the password and the second factor have already been checked, so the token is accepted without either. Turn it on anyway; it shuts down the far more common attacks that start with a leaked or guessed password.
- Were you affected? Whenever you hear of a data breach, check whether your account was in it. Sure, Facebook made it easy: everyone who got logged out might be a potential victim of the hack. Other security breaches are not that obvious. Take a look at the Avira Identity Scanner. If you find your email address in the database, it’s high time to change your passwords and perhaps even look for help from security professionals.