Gulf News

Account hacking

HACKERS WERE ABLE TO ACCESS NAMES, BIRTH DATES AND OTHER BIO DATA IN NEARLY HALF OF THE 30M ACCOUNTS THAT WERE AFFECTED

“People visiting a site or using an application have no idea technology is categorising them based on their actions.” Kaspersky Lab

“Users need to continually evaluate the type of data they share and the potential impact a breach of that data could cause.”

Facebook admits leak exposed sensitive data, including name and birthdate

Facebook has revealed 30 million accounts were affected in a data breach last month. The company said hackers were able to access personal information for nearly half of those accounts.

That information included name, relationship status, religion, birthdate, workplaces, search activity, and recent location check-ins. The company had initially said 50 million accounts were affected.

According to Facebook VP of Product Management Guy Rosen, attackers were able to access name and contact information for half of the hacked accounts.

For 14 million, the attackers were also able to scrape virtually all the other data available on members’ profile pages. One million victims got away without any information being stolen.

Rosen says the attackers did not access any credit card information associated with members’ accounts, and that the company has not received any reports of stolen information being available on the dark web — portions of the internet requiring special software to reach.

The social network also found no evidence that attackers used the stolen tokens to access any third-party apps, including those that use Facebook’s single sign-in to log in. It also did not impact users on other Facebook properties such as Messenger, Instagram, WhatsApp, or Oculus.

Facebook plans to notify members over the next few days as to what information may have been taken, and alert them to be on the lookout for suspicious emails, text messages, or calls.

Asked whether Facebook would pay for some kind of identity theft monitoring service for affected users — as breached companies often do — a spokeswoman said: “Not at this time.”

Seed accounts

The hackers began by using a series of seed accounts and attacking the accounts of friends, then friends of friends, and so on down the line, eventually amassing a group of 400,000 compromised accounts.

Using some of these accounts, they managed to steal access tokens for an additional 30 million before they were stopped.

Rosen says Facebook first noticed a spike in unusual activity on September 14.

By the 25th, it had identified that activity as an attack.

Two days later, Facebook had plugged the hole and reset users’ tokens, preventing attackers from accessing any further information. By then, the damage had already been done.

Upon request from the FBI, Facebook declined to offer any information as to who might be behind the attack, or whether users in specific regions were targeted.

If any of the victims reside in Europe, it could trigger significant penalties under the EU’s General Data Protection Regulation, notes Pravin Kothari, CEO of security firm CipherCloud.

“Not knowing all of the details about when the breach was discovered and who was impacted, the possible outcomes may be worse than we know today,” he says.

“We’ll have to see what Facebook discloses about potential liability, if any exists. The calculations of the potential fines under GDPR are a bit mind-boggling.”

The attackers didn’t access any credit card information associated with members’ accounts, and the firm has not received reports of stolen data being available on the dark web.

Because the vulnerability has existed since July 2017, Facebook has not ruled out the possibility that smaller attacks on its token system went undetected before September. It is currently investigating.

Facebook has created a security notice page where users can check whether their account was impacted by the data breach.

Dand your personal details fed into a data bank that can be shared with anyone for the asking, should there be a breach of confidentiality.

Hasbini said nothing illustrates this better than the recent data breach at Facebook globally or at a car booking service within the UAE. “The Facebook security incident affected almost 29 million users. Cambridge Analytica received user data including names, dates of birth, interests, photos and friend lists without the users’ consent or knowledge. Back in April, a car booking service in Dubai also admitted to a breach that compromised the personal data of 14 million customers. However, they stated later that they didn’t find evidence of fraud or misuse related to this incident.”

Dr Richard Ford, chief scientist at Forcepoint, said such breaches illustrate a fundamental truth of the new digital economy. “When I share my personal data with a company, I am putting my trust in your ability to protect that data adequately. Users need to continually evaluate the type of data they share and the potential impact a breach of that data could cause, to become an active participant in protecting their own online identities.”

What the implications are

As Reda Hegazy, senior legal adviser and arbitrator at Al Suwaidi & Company Advocates & Legal Consultants, pointed out: “Many of our daily dealings to avail services require the disclosure of our personal information with different service providers, without any guarantee against misuse.”

But what does the law say? Hegazy said: “In the UAE now, we do not have a specific law that protects people’s personal data. But there are several UAE laws that may be applied in this context, like the Cyber Crimes Law for misuse/abuse of electronic information, Civil Code for wrongful act against another person’s privacy rights and the Penal Code which penalises a perpetrator who accesses another person’s data information and discloses it without consent. A victim may file a criminal complaint to investigate the violation. The police has a special division to investigate cybercrime offences.”

Implications of sharing information in public places using public networks can be serious.

“Once you connect your mobile phone or laptop using a public or unsafe network, which could be at a coffee shop, mall or airport, there is a possible danger that your device can be hacked, with your data being copied and used to log in to your bank account, Facebook account or other personal accounts.”

Hasbini agrees. “Users need to exercise caution when it comes to revealing too much data about themselves online and keep in mind that any information, no matter how insignificant, can be misused. Much like you wouldn’t tell a passer-by on the street your home address and number, you need to take responsibility for the security of your private details and not assume it is secure and untouchable within a website or application.”

Ameen Hasbini, senior security researcher at the cybersecurity major Kaspersky Lab, says keeping your passwords, financial and other personal information safe and protected from intruders is crucial. “People nowadays live in a digital-first society and share huge amounts of data every day, without even realising it. But that value is intangible until someone asks what it is worth, takes it away or holds it for ransom.”

Here are a few tips you can follow to stay safe and protect your online privacy:

Always do a check on the security settings of every social network you use. Scammers, who gather users’ private data, can use any personal information for fraudulent activities.

Secure your primary email, which is tied to the majority of your online accounts, such as banking services and other important sites.

Be careful when you post any scans and photos online, especially when it comes to IDs, tickets and billing documents. Criminals can misuse this information or steal your personal data, like banking credentials.

Don’t use open WiFi networks. They may appear to be secure; however, cybercriminals can create a similar network, with only a laptop and Wi-Fi adapter, and steal logins and passwords of users.

Avoid unreliable passwords. If you use weak combinations, which consist of letters only, you are not protected at all. Also, try not to use the same passwords for different accounts.
