While we were all glued to the Kavanaugh Senate Hearings on Friday, September 28, Facebook announced that 50M user accounts had been hacked. Right now, it’s not clear who was behind the attack, but even stranger is that we also don’t know who exactly has been affected by the security breach. As of 1:00 PM ET on Monday, Facebook’s stock had dropped yet again (-.20%), which means 2018 might be shaping up to be a “bad hair day” for the social media giant.
Facebook engineers discovered something was wrong after they noticed an unusual traffic spike. An investigation into this heightened activity led engineers to discover that cyber attackers had found a loophole in the “View As” function of a user’s Facebook account—a function that allows users to see their own account as others see it.
Facebook’s VP of Product Management, Guy Rosen, explained more in a recent blog post: “This allowed them (attackers) to steal Facebook access tokens, which they could then use to take over people’s accounts.” Access tokens are the equivalent of digital keys that keep people logged into Facebook, so they conveniently don’t need to re-enter their password every time they use the app.
The social network said a change in Facebook’s code in July 2017 introduced this vulnerability, which the company spotted being exploited for the first time on September 16, 2018. “The vulnerability that we fixed was the result of three distinct bugs and was introduced in July 2017 when we created a certain new video uploader,” Rosen said.
Have we become too comfortable?
Some would say big internet giants like Google and Facebook do not care enough about your privacy. With security breaches looming left and right, just like the one that took place Friday, users cannot be too careful—and they definitely cannot trust that everything is as safe as it should be. In fact, researchers recently found that the phone number people provide when setting up two-factor authentication (2FA) and login alerts on Facebook is not only being used for security—it is also being used by advertisers to target ads.
As reported by Gizmodo, Facebook users who want to add an extra layer of security to their accounts are also sacrificing their privacy when they use their phone number to set up 2FA to receive an SMS login code. The same goes for people who provide a phone number for Facebook login alerts, which notify users via a supplied email or contact number when a new device logs into an account.
Facebook is not the only internet giant to use your personal information and browsing history to target you with ads. At a U.S. congressional hearing in April, Facebook CEO Mark Zuckerberg pledged to protect user data above all else and invest more resources in security. Google is also under scrutiny for some of the same security and privacy concerns. A recent episode of 60 Minutes reported that Google’s Chief Privacy Officer, Keith Enright, was on Capitol Hill on September 26 to discuss the company’s usage of consumers’ personal data. Though Enright admitted Google has made mistakes in the past, he said the company is working to prevent them in the future.
Tips for Keeping Your Facebook Account Secure
When it comes to protecting your PII (Personally Identifiable Information) on the web, there are no guarantees anymore; however, there are some safeguards that the pros recommend. Here are just a few to remember:
- Enable Login Notification so that whenever anybody (including a hacker) tries to log in with your user ID and password, you receive a notification on your cell phone. That notification tells you it is time to change your password right away, because the hacker has your password and is trying to log in to your Facebook account. To enable login notification: Go to Home -> Account Settings -> Security -> Login Notification. Put a check mark on your preferred option and click the Save Changes button.
- Always check your Active Sessions. If you notice any unfamiliar location or device, it means your Facebook Account is at risk. Just click on End Activity and don’t forget to change your password after that. To check active sessions: Go to Home -> Account Settings -> Security -> Active Sessions.
- Enable Secure Browsing to make your account more secure. To set up secure browsing: Go to Home -> Account Settings -> Security -> Secure Browsing.
More best practices available here on the Facebook Community Page: