This guest post has been written by Nathan Acks of the state PIRG Internet Security team.
After these consumer tips, we have more background on the breach, and information on additional steps you can take.
Consumer Tips-Whether or not you believe your account was improperly accessed in this attack, here are some things you can do to help keep yourself safe:
- If you haven’t yet, freeze your credit report. There’s no indication that any financial information was exposed by this breach, but information from your Facebook profile could still be used to commit financial fraud. Freezing your credit report will make such fraud significantly more difficult.
- Change your security questions on other websites. “Security questions” are questions that banks and other institutions often ask you to set in case you forget your password. Unfortunately, security questions are often easy for an attacker to guess, and the information that was exposed in this breach makes this even easier. At the very least, you should change these security questions to reference “fake” but easy-to-remember information, rather than actual details of your life. If you use a password manager, you can should consider treating these questions as if they were themselves passwords, generating random answers and then storing them in your password manager.
Take a moment to check your Facebook timeline and messages for any unusual activity. While Facebook has not seen any indication that posts or messages were made by the attackers using victims’ accounts, double-checking for any unusual activity seems a wise precautionary step.
Consider limiting the information you keep in Facebook. As with any service, the more information you store in Facebook, the greater the potential consequences when a breach like this occurs. How much or little information (birthday, photos, etc.) you store in Facebook is an intensely personal decision; while revealing less on Facebook can help protect you, it also makes the service less useful for connecting with others.
Review any websites you used Facebook to log in to. You can retrieve a list of all websites currently linked to your Facebook account in the Apps and Websites section of your Facebook settings (unfortunately, not all of these may use Facebook for login, but this will at least provide you with a list of sites to check). If possible, consider disconnecting these websites from Facebook. If you use a password manager, consider using an independent username and password for these websites, rather than your Facebook identity.
On Friday Facebook announced a data breach believed to impact approximately 50 million, and possibly as many as 90 million, people. Facebook says that they have identified and fixed the issues used to gain access to these accounts; in order to ensure that potentially affected accounts can no longer be improperly accessed, they have forced potentially affected users to log back in to Facebook on all of their devices. If you recently found yourself logged out of Facebook without taking any action, then you may have been affected by this breach (Facebook should also have notified you in your feed, but this can be easy to miss).
Here’s what we know so far:
Facebook first detected unusual activity on September 16, and confirmed that a breach had occurred this past Tuesday, September 25. A fix that closed the attackers’ access was rolled out Thursday, September 27.
The identified flaw allowed the attackers to steal a what’s called an “access token”, which identifies valid logins for your account. With this token, the attackers may have been able to access your Facebook profile as if they were you, including information and photos that you may have uploaded but never shared. It’s also possible that they may have been able to make posts or send messages posing as you, or even access third party websites that you used Facebook to log in to. Facebook has identified approximately 50 million accounts that appear to have had their access token exposed.
It is currently unknown how long the flaw used by the attackers has existed. Facebook as identified an additional 40 million accounts which have activity associated with them that could have resulted in their access tokens being exposed since July 2017.
Currently Facebook believes that profile information was accessed by the attackers, but has not seen any evidence that they made any posts or messages using victims’ accounts. The forced log out of potentially affected accounts will eventually terminate attacker’s access to any third party websites, but how long this will take depends on how that website is configured.
Other Actions You Can Take:
Finally, you may want to consider turning on two factor authentication and restricting your privacy settings in Facebook. While neither of these changes would have prevented the just-announced breach, turning on two factor authentication will make it much harder for garden-variety cyber-criminals to break in to your account, and restricting your privacy settings will help control what information people you may not know can learn about you. Note that if you provide a phone number for two factor authentication Facebook will allow advertisers to target you with this information; regardless, we still recommend using two factor authentication because it is such a strong defense against other threats that Facebook forces users to trade privacy for security in this fashion is deeply regrettable.
U.S. PIRG has a list of general tips to protect your privacy. These include tips on how to take advantage of the new federal free credit freezes that prevent new account identity theft.
Senior Director, Federal Consumer Program, PIRG
Ed oversees U.S. PIRG’s federal consumer program, helping to lead national efforts to improve consumer credit reporting laws, identity theft protections, product safety regulations and more. Ed is co-founder and continuing leader of the coalition, Americans For Financial Reform, which fought for the Dodd-Frank Wall Street Reform and Consumer Protection Act of 2010, including as its centerpiece the Consumer Financial Protection Bureau. He was awarded the Consumer Federation of America's Esther Peterson Consumer Service Award in 2006, Privacy International's Brandeis Award in 2003, and numerous annual "Top Lobbyist" awards from The Hill and other outlets. Ed lives in Virginia, and on weekends he enjoys biking with friends on the many local bicycle trails.