Facebook hasn’t revealed a ton about the data breach in which hackers exploited code that could let them take over around 50 million user accounts. CEO Mark Zuckerberg explained that the company’s investigation is still in its early stages. But this latest rupture is another bruise for a company that has already been hammered by a series of privacy and security violations, leading to a Zuckerberg grilling before Congress back in April.
Here’s what we know about this latest attack and what you should do about it:
Facebook says hackers exploited a vulnerability in the “View As” feature, which lets you see what your profile looks like to other people. Attackers were able to steal Facebook “access tokens” or the digital keys that keep you logged into Facebook so that you don’t need to re-enter your password every time you use the app.
The vulnerability apparently stemmed from a change made in July 2017 in the way video was uploaded on the site, which the social network says impacted “View As.” Having obtained such access tokens, the bad guys were able to steal more tokens.
Actually, for now, you won’t be able to use it. While it investigates what happened here and who was responsible, Facebook has temporarily turned off the feature.
The short answer is you can’t know for sure, but Facebook has taken precautionary steps. On Friday, it forced some 90 million people to log out of their accounts – representing the 50 million it knows were affected, plus 40 million other accounts that took advantage of the View As feature in the last year.
That’s a question many among Facebook’s 2.2 billion monthly active users are undoubtedly asking, and it is hard to blame anyone who doesn’t.
After all, this latest breach follows Facebook’s disclosure earlier in the year of an estimated 87 million people who had their profiles scraped and improperly shared with Cambridge Analytica, a political ad-targeting firm. During his testimony before Congress, Zuckerberg acknowledged that Facebook can amass data to construct what are being referred to as “shadow profiles” of you, even if you never opted in or joined Facebook.
That’s going to wig some of you out for sure.
Facebook did go to great pains to explain how and why it tracks non-users. You can read about such policies in this blog post from April, which privacy advocate Marc Rotenberg of the Electronic Privacy Information Center called at the time, “a giant surveillance warning label.”
Facebook claims you won’t need to change your password because of what has happened, but in my view, better safe than sorry.
Gary Davis, Chief Consumer Security Evangelist at McAfee, certainly recommends changing your password – and not only at Facebook, but at Instagram, Twitter and other social media accounts as well.
You hear this all the time, but don’t use the same passwords at each place, either, something all too many folks do. McAfee research reveals a third of people rely on the same three passwords for every account they’re signed up to.
Follow other longstanding cybersecurity best practices. For Tyler Moffitt, senior threat research analyst at threat intelligence provider Webroot, such practices include “disconnecting any unnecessary apps or games in social media platforms, making sure two-factor authentication is enabled and never giving out personal or financial information in your profile or private messenger conversations.”
Visit Facebook’s Help Center – click the circled question mark near the top of the screen to get there – to change your password, implement two-factor authentication (Facebook will ask for a security code if it notices a log-in from an unusual device), or take other steps. Meanwhile, in the Security and Login settings, you’ll see a list of all the places that you log into with your Facebook account; Facebook lets you log out of all those places at once with a single click.
Email: ebaig@usatoday.com; Follow USA TODAY Personal Tech Columnist @edbaig on Twitter
Contributing: Jessica Guynn in San Francisco