Yesterday, Facebook notified users of a massive data breach affecting over 50 million people. The breach had taken place three days earlier, on the afternoon of 25 September.
The social media giant says it doesn’t know exactly what kind of information has been compromised. However, in an updated statement yesterday, it did admit the hack affected those who use Facebook to log into other accounts.
How do you know if you’ve been impacted?
If you’ve been affected by the breach, Facebook logged you out of your account yesterday. The social network said it would also notify these people in a message on top of their News Feed about what happened.
However, an important thing to note: If you were logged out, you weren’t necessarily breached. Facebook has also logged out everyone who used the ‘View As’ feature since the vulnerability was introduced as a “precautionary measure”. The social network says this will require another 40 million people or more to log back into their accounts, adding: “We do not currently have any evidence that suggests these accounts have been compromised.”
Has the issue been fixed?
According to Facebook, yes. It believes it has fixed the security vulnerability, a weakness in the code behind the ‘View As’ privacy tool, the feature that lets users see how their profile looks to other people.
Attackers would then be able to steal the access tokens that allow people to stay logged into their accounts. Then, Facebook admits, they could use these to take over people’s profiles.
Facebook is also temporarily turning off the ‘View As’ feature while it conducts a “thorough security review”.
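The remediation described above works by invalidating access tokens rather than passwords: once a user’s tokens are revoked, a stolen one stops working even though the password never changed, and the user simply logs back in for a fresh token. As an added illustration that is not Facebook’s code, here is a minimal server-side token store in Python with per-user and site-wide revocation by timestamp cutoff; the class and method names are assumptions made for this example.

```python
import hashlib
import secrets

# Constructed example, not Facebook's code: an in-memory access-token store
# whose revocation works by timestamp cutoff. All names are assumptions.

class TokenStore:
    def __init__(self, ttl_seconds=3600):
        self.ttl = ttl_seconds
        self._records = {}        # sha256(token) -> (user_id, issued_at, expires_at)
        self._user_cutoff = {}    # user_id -> tokens issued at or before this are dead
        self._global_cutoff = -1  # same cutoff for every user (site-wide reset)
    @staticmethod
    def _key(token):
        # Only a hash is stored, so a leaked table yields no usable bearer tokens.
        return hashlib.sha256(token.encode()).hexdigest()
    def issue(self, user_id, now):
        token = secrets.token_urlsafe(32)
        self._records[self._key(token)] = (user_id, now, now + self.ttl)
        return token

    def validate(self, token, now):
        """Return the owning user_id, or None if the token must not be honoured."""
        user_id, issued_at, expires_at = self._records.get(self._key(token), (None, 0, 0))
        if user_id is None or now >= expires_at:
            return None
        # A token minted in the same second as a reset counts as pre-reset.
        if issued_at <= max(self._global_cutoff, self._user_cutoff.get(user_id, -1)):
            return None
        return user_id

    def revoke_user(self, user_id, now):
        """Log one user out everywhere; the password is untouched."""
        self._user_cutoff[user_id] = max(self._user_cutoff.get(user_id, -1), now)

    def revoke_all(self, now):
        """Site-wide reset: every token issued up to now stops working."""
        self._global_cutoff = max(self._global_cutoff, now)

def incident_response_demo():
    store = TokenStore(ttl_seconds=86400)
    t0 = 1_537_900_000                     # constructed timestamp
    alice = store.issue("alice", t0)       # this token is later stolen
    bob = store.issue("bob", t0)           # unaffected user
    stolen_works = store.validate(alice, t0 + 60) == "alice"
    store.revoke_user("alice", t0 + 120)   # forced logout of the affected account
    stolen_dead = store.validate(alice, t0 + 180) is None
    bob_ok = store.validate(bob, t0 + 180) == "bob"
    new_alice = store.issue("alice", t0 + 200)   # alice logs back in, fresh token
    relogin_ok = store.validate(new_alice, t0 + 240) == "alice"
    return stolen_works, stolen_dead, bob_ok, relogin_ok
```

The same cutoff mechanism applied to a whole cohort (`revoke_all`) is what a precautionary mass logout looks like server-side: nobody’s password changes, but every pre-incident token is refused.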
What should you do if you’ve used Facebook to log in to other accounts/apps?
Facebook has admitted this could be an issue, but it can be hard to know what you’ve logged into using your account. This information can be found in your settings. First, go to ‘apps and websites’, then ‘logged in using Facebook’.
There you will be able to find all the apps you have used Facebook to log in to. It’s a good idea to remove these, even if you think you haven’t been impacted by the breach. If you have been affected, you’ll also need to change the passwords for those accounts, to be safe.
What can you do to secure your Facebook account?
Facebook says there’s no need for people to change their passwords. However, there is no harm in doing so – ensuring that your new password is secure and that you do not use it to log into other accounts. You could also log yourself out of Facebook, even if you don’t think you’ve been impacted, using the ‘security and login’ section in ‘settings’. This lists the places people are logged into Facebook with a one-click option to log out of all of them. People who’ve forgotten their passwords can access Facebook’s Help Center.
If you haven’t already, you should also enable two-factor authentication, which again can be found in Facebook settings.
Of course, you could also delete your Facebook account altogether.
Does this breach come under GDPR?
Many of the 50 million users affected will reside in Europe, so their data does fall under the EU General Data Protection Regulation (GDPR). We don’t know exactly what information has been impacted – fines are applicable for sensitive and personal data such as credit card details, which Facebook initially said have not been affected. However, if attackers have accessed personal messages, all kinds of sensitive information could have been breached.
As Facebook investigates the breach, it will be interesting to see the regulatory impact. The number of accounts impacted dwarfs that of British Airways, at 50 million versus 380,000, but the nature of the information accessed is what matters.
For now, users need to ensure their own security is tight. Breaches are happening every day and it’s important to use strong passwords and two-factor authentication at a bare minimum.