Another day, another Facebook hack. This time around, the accounts of some 50 million users were left vulnerable for over a year, with Facebook only identifying and fixing the problem on September 25. Find out exactly what happened, if you're affected, and what you can do to protect yourself in the future.
Facebook was breached? What happened?
Last Tuesday, Facebook identified a vulnerability in its "View As" feature.
According to VP of Product Management Guy Rosen, this vulnerability was introduced in July 2017, as part of an update involving video uploading. Put simply, it allowed attackers to gain "access tokens" for other user accounts.
In response, Facebook has reset the access tokens for all affected accounts.
How many people were affected?
While the number of 50 million has been bandied about, up to 90 million accounts were affected, due to the way the View As feature works. As a "precautionary step", Facebook has reset the access tokens for these additional 40 million accounts.
How do I know if I'm affected?
If Facebook believes your account is affected, two things will happen.
First, any active Facebook logins, such as on your desktop or phone, will be logged out, in addition to any apps or services that use Facebook Login. As such, you'll need to log in again.
Second, when you do log in, you'll see a message like the one below.
What's Facebook doing now?
The investigation is "still in its early stages" and the problem has been fixed, according to Rosen. The company has also disabled the View As feature for the time being, just to be safe.
How can I secure my account?
Due to the nature of the vulnerability, there was no option, or combination of options, that you could set to protect your account — short of deleting it. That said, there are steps you can take to make sure your Facebook account is as secure as possible.
- Make sure your Facebook password is both strong and unique.
- Enable two-factor authentication, preferably using a third-party authenticator.
- Log out of Facebook sessions on public computers. Note you can do this remotely.
- Avoid using Facebook "hacks" you find online.
I'm sick of Facebook. What can I do?
Given the mess with Cambridge Analytica, and now this latest breach, it might be time to rid yourself of Facebook entirely.
While there isn't much you can do to convince friends and family to commit their accounts to the digital graveyard, there's nothing stopping you from pulling the plug.
Deactivation is the soft option. It'll hide your profile and stop you from turning up in search results, but friends might still be able to see you in their friends list. It also leaves you with the ability to come back.
Depending on your usage, you can still communicate via Messenger (for example, if you deactivate your Facebook account while Messenger is logged in on your phone). Deactivating Messenger therefore becomes a separate step.
To deactivate your account, go to Settings > General > Manage your account. From there, you can select "Deactivate your account".
Deletion is the nuclear option. Everything that's part of your Facebook account — posts, photos, videos, Messenger, etc. — will be removed forever. Unsurprisingly, you can't undo this (with one exception, which we'll cover).
The only things that will stay are messages you've sent to other users, as they're stored as part of their account.
To delete your account, go to Settings > Facebook Information > Delete Your Account and Information, and then click "Delete My Account". If you want, Facebook allows you to download your data beforehand.
Keep in mind deletion doesn't happen immediately. Facebook offers a 14-day grace period, where you can undo the deletion by logging back in and clicking "Cancel Deletion". Beyond this, however, your account will be nuked, though Facebook says it can take up to 90 days for everything to disappear.