USA TODAY International Edition
50M Facebook accounts hacked
Here’s what you need to know about the latest social-media security breach
Facebook hasn’t revealed a ton about the data breach in which hackers exploited code that could let them take over about 50 million user accounts. CEO Mark Zuckerberg explained that the company’s investigation is still in its early stages. But this latest rupture is another bruise for a company that has already been hammered by a series of privacy and security violations, leading to Zuckerberg being grilled before Congress back in April. Facebook says hackers exploited a vulnerability in the “View As” feature, which lets you see what your profile looks like to other people. Attackers were able to steal Facebook “access tokens,” the digital keys that keep you logged into Facebook so that you don’t need to re-enter your password every time you use the app. The vulnerability apparently stemmed from a change made in July 2017 in the way video was uploaded on the site, which the social network says affected “View As.” Having obtained such access tokens, the bad guys were able to steal more tokens. Here’s what else we know about this latest attack and what you should do about it:
Question: Should I not use the “View As” feature?
Answer: Actually, for now, you won’t be able to use it. While it investigates what happened, Facebook has temporarily turned off the feature.
Q: Is my own account safe?
A: The short answer is you can’t know for sure, but Facebook has taken precautionary steps. On Friday, it forced some 90 million people to log out of their accounts – the 50 million it knows were affected, plus 40 million other accounts that took advantage of the “View As” feature in the past year.
Q: Can I trust Facebook?
A: That’s a question many among Facebook’s 2.2 billion monthly active users are undoubtedly asking. After all, this latest breach follows Facebook’s disclosure earlier in the year of an estimated 87 million people who had their profiles scraped and improperly shared with Cambridge Analytica, a political ad-targeting firm. During his testimony before Congress, Zuckerberg acknowledged that Facebook can amass data to construct what are being referred to as “shadow profiles” of you, even if you never opted in or joined Facebook. That’s going to wig some users out for sure. Facebook did go to great pains in an April blog post to explain how and why it tracks people who don’t use Facebook.
Q: What steps should I take right away?
A: Facebook claims you won’t need to change your password because of what has happened, but it’s always better to be safe than sorry. Gary Davis, chief consumer security evangelist at McAfee, certainly recommends changing your password – and not only at Facebook but at Instagram, Twitter and other social media accounts as well. You hear this all time, but don’t use the same passwords at each place, either, something all too many folks do. McAfee research reveals a third of people rely on the same three passwords for every account they’re signed up for. Follow other long-standing cybersecurity best practices. For Tyler Moffitt, senior threat research analyst at threat intelligence provider Webroot, such practices include “disconnecting any unnecessary apps or games in social media platforms, making sure two-factor authentication is enabled, and never giving out personal or financial information in your profile or private messenger conversations.” Visit Facebook’s Help Center – click the circled question mark near the top of the screen to get there – to change your password, implement two-factor authentication (Facebook will ask for a security code if it notices a log-in from an unusual device) or take other steps. Meanwhile, in the Security and Login settings, you’ll see a list of all the places you’ve logged in with your Facebook account; Facebook lets you log out of all those places at once with a single click.