
Monday, October 1, 2018

Fb.com Data Breach -- What To Do Next


Facebook Data Breach -- What To Do Next

I’m a freelance cyber security journalist covering USA, EMEA (Europe, Middle East & Africa).

ANKARA, TURKEY – SEPTEMBER 5: A person holds a mobile phone displaying Facebook application, on September 5, 2018 in Ankara, Turkey.

The other day, Facebook notified users of a massive data breach affecting over 50 million people. The breach had taken place three days earlier, on the afternoon of 25 September 2018.

The social media giant says it doesn’t know exactly what kind of information has been compromised. However, in an updated statement yesterday, it did admit the hack affected those who use Facebook to log into other accounts by way of a function 'View As.'

How do you know if you’ve been impacted?

If you’ve been affected by the breach, Facebook logged you out of your account yesterday. Chances are someone perhaps posted an inappropriate picture and you got admonished for it, and upon inspection of your 'Security and Privacy' menu items under 'Account,' you found that others in various states have "logged into" your account. The social network said it would also notify these people in a message on top of their News Feed about what happened.

However, an important thing to note: If you were logged out, you weren’t necessarily breached. As a “precautionary measure”, Facebook has also logged out everyone who used the ‘View As’ feature since the vulnerability was introduced. The social network says this will require another 40 million people or more to log back into their accounts, adding: “We do not currently have any evidence that suggests these accounts have been compromised, or any data stolen.”

Has the issue been fixed?

According to Facebook, yes. It believes it has fixed the security vulnerability, which enabled hackers to exploit a weakness in Facebook’s code to access the ‘View As’ privacy tool that allows users to see how their profile looks to other people, publicly, on the net.

Attackers would then be able to steal the access tokens that allow people to stay logged into their accounts. Then, Facebook admits, they could use these to take over people’s profiles.

Facebook is also temporarily turning off the ‘View As’ feature while it conducts a “thorough security and privacy review”.

What should you do if you’ve used Facebook to log in to other accounts/apps etc.?

Facebook has admitted this could be an issue, but it can be hard to know what you’ve logged into using your account. This information can be found in your settings. First, go to ‘Apps and Websites’, then ‘log in using Facebook’.

There you will be able to find all the apps you have used Facebook to log into. It’s a good idea to remove these, or reset the password to a new password, even if you think you haven’t been impacted by the breach. If you have been affected, of course, you’ll also need to change the passwords for those accounts, to be on the safe side.

What can you do to secure your Facebook account?

Facebook says there’s no need for people to change their passwords. However, there is no harm in doing so, especially if there's a breach – ensuring that your new password is secure and that you do not use it to log into other accounts, just yet. You could also log yourself out of Facebook, even if you don’t think you’ve been impacted, using the ‘Security and Login’ section under ‘Settings’. This lists the places people are logged into Facebook or your account specifically, with a one-click option to log out of all of them, immediately. People who’ve forgotten their passwords can access Facebook’s Help Center to reset and change their password. If you have been compromised and your profile hijacked, you may have trouble changing passwords; you may need help from someone at Facebook with console permissions and privileges.

If you haven’t already, you should also enable two-factor authentication, which again can be found in Facebook settings.

Of course, you could also delete your Facebook account altogether.

Does this breach come under GDPR?

Many of the 50 million customers breached will reside in Europe, so their data does fall under the EU General Data Protection Regulation (GDPR). We don’t know exactly what information has been impacted, if any – fines are applicable for sensitive and personal data such as credit card details, which Facebook initially said has not been affected. However, if attackers have accessed personal messages, all kinds of sensitive information could have been breached and therefore compromised.

As Facebook investigates the breach, it will be interesting to see the regulatory impact. The number of accounts impacted dwarfs that of British Airways, at 50 million versus 380,000 for example, but the nature of the information accessed is important.

For now, users need to ensure their own security and privacy is tight. Breaches are happening every day and it’s important to use strong passwords or passphrases and two-factor authentication at a bare minimum.

I am a freelance cyber security journalist and editor with over a decade’s experience supporting and reporting on the issues impacting businesses both defense and commercial and the public sector.