Facebook announced last week that the world’s largest social network had identified “a security issue affecting almost 50 million accounts.” A vulnerability that has existed since June of 2017 allowed hackers to exploit the “View As” feature. This hack could allow criminals to “steal Facebook access tokens which they could then use to take over people’s accounts.”
In other words, 50 million accounts, about 2 percent of the site’s user base, could have been hacked fairly easily, and some certainly were. Facebook has not yet released a full accounting of the breach, but it is clearly the largest in the site’s history.
Facebook logged the 50 million affected users out of their accounts, along with another 40 million accounts that had used the “View As” feature in the last year. When these users log in again, a notification will explain why Facebook reset their access token.
Whether or not you were affected, now is a good time for all 2.3 billion active Facebook users to take a few security precautions.
Secure Your Facebook Account
1. Change your Facebook password.
To do this on a PC, log into your account, click the down arrow in the upper right corner, then go to “Settings” > “Security and Login” > “Change password”. Use a strong, unique password.
2. Log out of your account on any device or browser where you are logged in.
This is also on the same “Settings” > “Security and Login” page, under “Where You’re Logged In”.
3. Set up two-factor authentication.
On the same “Settings” > “Security and Login” page, click “Use two-factor authentication” and turn it on. F-Secure experts recommend choosing the “Authentication App” option rather than SMS.
4. Set up alerts for “unrecognized logins”.
This is also on the “Settings” > “Security and Login” page, under “Get alerts about unrecognized logins”.
5. For extra privacy, turn off Apps, Websites and Games.
This limits what you can do on Facebook considerably, but it also makes it far less likely that your data will be shared with third parties. You can do this under “Settings” > “Apps and Websites”: under “Apps, Websites and Games”, click “Edit”.
How this Extends Beyond Facebook
All of these best practices for securing your Facebook account are important, but none of them would have protected you from this hack. That is because the convenience that “access tokens” offer users is exactly what was exploited: a token is a credential in its own right, separate from your password and second factor.
“The exposed ‘access tokens’ are an alternate form of authentication, which users can generate for ‘applications’ to access your data,” said William Knowles, consultant at MWR – an F-Secure company. “These access tokens do not usually require multi-factor authentication as they are typically operated by these applications without human involvement.”
With “access tokens,” hackers had limited access to users’ private information — and not only on Facebook. “This was a trusted Facebook mechanism that was compromised; it may have been automatically granted a high level of access to customer data,” William said.
Hackers may have gained access to a variety of sites that accept Facebook’s access token as a login, including Instagram, Tinder, and Airbnb.
“That investigation has so far found no evidence that the attackers accessed any apps using Facebook Login,” Facebook reported in a second update.
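To make William’s point concrete, here is an added example (not Facebook’s code, and not a description of the actual bug) modelling why a bearer access token sidesteps multi-factor authentication and why a server-side token reset, the forced logout Facebook performed, is the corresponding remedy. The provider, the signing key and the user name are constructed for the illustration.

```python
# Added example: interactive logins require MFA, but a bearer token does not,
# so a leaked token is usable until the provider invalidates it. Each user has a
# "generation" number; bumping it kills every token issued before the reset.
import base64, hashlib, hmac, json, secrets

SIGNING_KEY = secrets.token_bytes(32)   # constructed; stands in for the provider's key

def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _sign(body: str) -> str:
    return _b64(hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).digest())

class Provider:
    def __init__(self):
        self.generation = {}            # user -> current token generation

    def login(self, user, password_ok, mfa_ok):
        # Human login: password AND second factor are checked before a token exists.
        if not (password_ok and mfa_ok):
            return None
        gen = self.generation.setdefault(user, 0)
        body = _b64(json.dumps({"user": user, "gen": gen}).encode())
        return f"{body}.{_sign(body)}"

    def use_token(self, token):
        # Token use by an app: signature and generation are checked, nothing else.
        body, sig = token.split(".")
        if not hmac.compare_digest(sig, _sign(body)):
            return None                 # tampered or forged token
        claims = json.loads(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)))
        if claims["gen"] != self.generation.get(claims["user"]):
            return None                 # token predates a reset
        return claims["user"]

    def reset_tokens(self, user):
        # The forced logout: every outstanding token for this user stops working.
        self.generation[user] = self.generation.get(user, 0) + 1

def demo():
    """Returns (who a leaked token acts as before the reset, and after it)."""
    p = Provider()
    leaked = p.login("alice", password_ok=True, mfa_ok=True)  # suppose this leaks
    before = p.use_token(leaked)        # "alice": no MFA prompt stands in the way
    p.reset_tokens("alice")
    after = p.use_token(leaked)         # None: the reset invalidated it
    return before, after
```

The same generation check is why a password change alone is not enough: tokens must be explicitly invalidated, which is what step 2 above (logging out everywhere) does.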
Should You Log in to Other Sites Using Facebook?
You can see every site you log into with your Facebook account under “Settings” > “Apps and Websites” > “Active Apps and Websites”.
As a security measure, a “single sign-on” service such as Facebook (or Google) is better than a weak password or one password reused across several sites. Login security is hard to get right across multiple devices, apps, and browsers, and Facebook invests far more in securing its login service than a small vendor can. If you have a strong Facebook password, you can outsource the login to it.
“This is the upside to a single sign-on service,” Sean Sullivan, F-Secure Security Advisor, said.
The downside is that there’s a single point of failure – a concern highlighted by the recent Facebook case.
If you have good password hygiene, however, Sean prefers that you not use “single sign-on”, particularly for more critical accounts tied to financial information.
“There are also cases in which the single sign-on provider adds value, like social games,” Sean said. “So people should consider, and make an informed choice.”
William praised Facebook’s bug bounty program, an industry best practice that involves the larger security community in helping to reduce the site’s online attack surface.
“Such schemes, however, should also be paired with traditional security assurance activities, such as having gated validations — such as technical assessments — at different stages of the development life cycle, in order to minimize the likelihood of high-impact vulnerabilities making it onto production systems.”
This breach is also notable because it’s one of the largest to be announced after Europe’s GDPR regime has gone into effect.
“Facebook faces a potentially huge fine as a result of the data breach, but any decision will take into account its ongoing efforts to identify and fix any vulnerabilities before they ever impact end users, which are extensive,” William said. “It is also important to reiterate that at this stage, Facebook has not yet confirmed the extent of the data exposed as a result of the vulnerabilities.”
You should always take basic security precautions, but be aware that it’s impossible to eliminate all risk. When using a free third-party service, including webmail like Gmail, assume that no one cares more about your security than you do.
Consider keeping anything that’s truly private, including information about your business, sensitive communications, or photos you’d never want made public, off Facebook or any other service where you’re not paying to have your data secured.