Following a massive breach that compromised tens of millions of accounts, Facebook has started sending out custom messages to inform people if or how they were impacted. Users who have yet to receive a custom notification from the social network can manually check whether their account got hacked, and what data might have been leaked. Here’s how.
First, some background. As many of you probably read in the news last week, between September 14 and September 27 an unknown attacker chained three bugs in the platform’s View As feature to generate and steal access tokens for tens of millions of users. An access token is what the site issues after you log in so that you stay signed in; whoever holds a valid one is treated as you by every subsequent request, without ever needing your password.
Facebook initially said 50 million accounts had been affected and, as a precaution, also reset the tokens of a further 40 million that had used View As in the previous year, roughly 90 million forced re-logins in all. After further investigation, Facebook said only 30 million accounts actually had their tokens stolen.
In an update posted to the Facebook newsroom, Guy Rosen, VP of Product Management, said:
“We now know that fewer people were impacted than we originally thought. Of the 50 million people whose access tokens we believed were affected, about 30 million actually had their tokens stolen.”
Rosen goes on to explain how the breach happened, though most people reading right now are probably more interested in knowing whether they themselves have been hacked. Those eager to learn more about the breach can read Rosen’s post in full. For those of you who are here to check whether you’ve been hacked, and what the attackers have on you, continue reading below.
How to check if your Facebook profile was hacked
- First, you need to log into Facebook on the same platform you’re about to use to perform the check. It doesn’t matter which platform you’re on (desktop, mobile, iOS, Android, etc.), as long as you’re logged into Facebook.
- Second, you can confirm if your account was compromised by visiting this page that Facebook set up for the purpose.
- The page contains some updates on the ongoing investigation, as well as a custom message for every logged-in visitor. Scroll to the bottom and read yours; it will fall into one of the three cases described below (other wordings could appear as well).
What data did the hackers access?
- If you’re in the first boat, you are safe: your access token was not among those stolen and your profile data has not been compromised.
- If you find yourself in the second boat, your access token was stolen (Facebook has since invalidated it), but the attackers did not access any of your information.
- If, however, you’re in the third boat, things are not so rosy. Facebook displays a fairly unnerving message to users whose profile data was in fact accessed, spelling out which kinds of information the attackers took.
Facebook says that, for half of the compromised accounts (about 15 million people), the attackers accessed two sets of information:
- name
- contact details (phone number, email, or both, depending on what people had on their profiles)
Another 14 million people have had the same sets of information stolen, plus the following:
- username
- relationship status
- self-reported current city
- birth date
- device types used to access Facebook
- the last 10 places they checked into or were tagged in
- people or Pages they follow
- the 15 most recent searches
The remaining 1 million people, of the 30 million whose tokens were stolen, had no information accessed at all, the investigation revealed.
Everyone in the 29 million whose data was taken is now a ready-made target for spear phishing and for SMS or phone scams that quote real details to sound legitimate. The 14 million with the fuller profile are additionally exposed to identity theft and to takeover attempts on their other accounts, since birth date, hometown, relationship status and the like are exactly what account-recovery flows and security questions tend to ask for.
There’s some good news too, if we can call it that. Messages sent and received using the popular Facebook Messenger were not compromised during this attack. According to the company, the same should apply to Messenger Kids, Instagram, WhatsApp, Oculus, Workplace, Pages, payments, third-party apps, and advertising or developer accounts.
However, there is one exception:
- If a person was a Page admin whose Page had received a message from someone on Facebook, the content of that message was available to the attackers
“In the coming days, we’ll send customized messages to the 30 million people affected to explain what information the attackers might have accessed, as well as steps they can take to help protect themselves, including from suspicious emails, text messages, or calls,” Facebook promised Friday.
As noted above, those messages are starting to go out but not everyone has received them yet.
How to proceed next
Now that you are armed with this information, proceed with your fingers crossed to Facebook’s security checker. If you’ve read through this whole post, here’s the URL again to save you some scroll time.
Facebook says that, even if your data was compromised, changing your password won’t improve the situation, and that’s correct. The attackers stole access tokens, not passwords: a token is handed out after you log in, so anyone holding it is treated as you without ever seeing your credentials, and neither a password change nor two-factor authentication does anything against a token that has already been issued unless the server also revokes it. Facebook invalidated the stolen tokens (which is why affected users were logged out and had to sign back in), so the remaining risk is the data that was copied, not continued access to your account. It is still worth opening Settings > Security and Login > Where You’re Logged In and ending any session you don’t recognise.
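To make the access-token point concrete, here is an added example that is not Facebook’s code and uses no real Facebook API: a toy AuthServer (a hypothetical name) whose naive password change leaves every issued bearer token valid, next to a hardened version that revokes them. The account name, passwords and iteration count are constructed for the example.

```python
"""Toy bearer-token session store (added example, not Facebook's code).

Shows why a password change alone does not evict an attacker who holds a
stolen access token, and the server-side fix: revoke every outstanding token
for the account whenever its password changes.  Names, accounts and
passwords below are constructed for the example.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Set


@dataclass
class Account:
    username: str
    pw_hash: bytes
    salt: bytes
    tokens: Set[str] = field(default_factory=set)  # tokens issued and still valid


def _hash_pw(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class AuthServer:
    """Hypothetical server: the password is only checked at login, after which
    the client authenticates every request with the bearer token."""

    def __init__(self) -> None:
        self.accounts: Dict[str, Account] = {}
        self.token_owner: Dict[str, str] = {}  # token -> username

    def register(self, username: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self.accounts[username] = Account(username, _hash_pw(password, salt), salt)

    def login(self, username: str, password: str) -> Optional[str]:
        acct = self.accounts.get(username)
        if acct is None or not hmac.compare_digest(acct.pw_hash, _hash_pw(password, acct.salt)):
            return None
        token = secrets.token_urlsafe(32)
        acct.tokens.add(token)
        self.token_owner[token] = username
        return token

    def whoami(self, token: str) -> Optional[str]:
        """What every API call does: map the bearer token to a user, no password involved."""
        return self.token_owner.get(token)

    def change_password_naive(self, username: str, new_password: str) -> None:
        """Weak version: rehashes the password and leaves every issued token valid."""
        acct = self.accounts[username]
        acct.salt = secrets.token_bytes(16)
        acct.pw_hash = _hash_pw(new_password, acct.salt)

    def revoke_all(self, username: str) -> None:
        acct = self.accounts[username]
        for token in acct.tokens:
            self.token_owner.pop(token, None)
        acct.tokens.clear()

    def change_password(self, username: str, new_password: str) -> None:
        """Hardened version: a password change also revokes all outstanding tokens."""
        self.change_password_naive(username, new_password)
        self.revoke_all(username)


def demo() -> dict:
    srv = AuthServer()
    srv.register("alice", "correct horse battery staple")
    stolen = srv.login("alice", "correct horse battery staple")  # attacker copies this token

    # Victim changes password through the naive handler: the stolen token still works.
    srv.change_password_naive("alice", "something-new-1")
    naive_still_valid = srv.whoami(stolen) == "alice"

    # Hardened handler: the password change revokes the token as well.
    srv.change_password("alice", "something-new-2")
    hardened_still_valid = srv.whoami(stolen) == "alice"

    return {
        "naive_still_valid": naive_still_valid,
        "hardened_still_valid": hardened_still_valid,
        "old_password_still_works": srv.login("alice", "correct horse battery staple") is not None,
    }


if __name__ == "__main__":
    print(demo())
```

The first password change is the situation the post describes: the victim picks a new password, yet whoami still answers "alice" for the stolen token. Revoking on password change (or storing a per-account token version that every token must match) closes that gap; for this incident Facebook closed it by resetting the tokens itself.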
If, for one reason or another, you have trouble accessing your account, Facebook offers this handy knowledge base article as a quick remedy.
And lastly, some additional info that might help those worried about their data falling into the wrong hands:
- Facebook has been alarmingly clumsy handling user data in the past year, leading many to abandon the platform
- Bad actors have developed quite an affinity for breaching data custodians (i.e. corporations that sit on vast pools of customer information) to support fraud and extortion
- Never use a social network or unencrypted messaging client to write or share something that you would not want leaked in a breach, even years later
- Use end-to-end encryption and two-factor authentication on every platform that offers it
Although packet-switched networks were under research as early as the 1960s, only in the late 80s and early 90s was the Internet opened to the public and to commercial traffic. It has since grown from half a million email users in 1990 to a system connecting networks all over the world, used for research, retail, payments, movie and music streaming and nearly anything else.
The internet is the world’s top source of information and communication. However, its growth has also unleashed a world of hackers, generated the dark web and facilitated numerous cyberattacks on its own infrastructure, on governments, on enterprises and on private consumers.
Cybersecurity has become so important that governments and law enforcement are investing in the skills needed to catch cybercriminals.
In 2016, 15.4 million US users fell victim to identity fraud schemes, a 16 percent increase from the previous year. This is why, every year in June, security researchers feel compelled to remind consumers about their online responsibilities so they can all have a problem-free Internet experience. Because it’s Internet Safety Month, here’s a reminder that your online actions have consequences. Let’s talk security and go over some important tips to help you avoid falling victim to cybercrime:
- Stay away from weak and reused passwords. Length matters more than a sprinkling of symbols: a passphrase of several unrelated words beats a short, “complex” string. Use a password manager so every account gets its own long, random password; reuse is what lets a breach at one site be replayed against all your others.
- Web browsers are a prime target for fraud, spyware and phishing, and a prime tool for advertisers tracking your activity. Keep them updated to the latest version and never click suspicious pop-ups. Check that the sites you use load over https, which means the connection is encrypted with TLS. Note that https only proves you are talking privately to the domain in the address bar, not that the domain is the one you meant, so read the domain too.
- Shopping online? Great! But watch out for lookalike sites that copy a real shop’s branding under a slightly different domain, and, on untrusted networks, for man-in-the-middle attacks that intercept your traffic to steal payment data. Credit card theft and financial fraud are increasing, so be mindful when making online payments, and once again make sure the payment page is https and on the merchant’s real domain.
- This brings us to another common problem: email. Be suspicious of any email, link or attachment from an unknown source or claiming to come from your bank, university or some Nigerian prince in distress. Don’t click the links in the body, don’t open the attachment, and never wire money or hand over personal information, which can be used in later scams. If a message claims to be from a service you use, get there through a bookmark or by typing the address rather than through the link.
- We can’t stress enough the importance of always installing updates for your operating system, applications, add-ons and web browsers. Unpatched software is the easiest way in for an attacker.
- Each time you download an application on your computer or mobile device, double-check that it comes from the official vendor or app store, or you may end up with a sticky case of malware.
- Remember that what you publish online can rarely be fully deleted, so it’s up to you to protect your digital footprint and be smart about the content you post. Developing a few instincts for spotting scams goes a long way toward keeping your data safe and private.
- How desperate are you to stay connected? In many countries, wireless access is offered in cafés, restaurants, clubs and airports, and sometimes even on the street. Free doesn’t mean safe: anyone running, or sitting on, an open network can watch unencrypted traffic, and a rogue hotspot with a plausible name can be set up just to capture passwords, personal information or card details. Prefer mobile data or a VPN for anything sensitive, and rely on https even then.
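The link checks in the browser, shopping and email tips above (https, the real domain, lookalikes) can be made mechanical. The following is an added example written for this post, not code from the original, using a constructed allow-list of trusted domains and hypothetical URLs; its registrable_domain helper takes the last two labels of a hostname, which is fine for .com-style names but would need the Public Suffix List for co.uk-style ones.

```python
"""Link vetting helper (added example, not from the original post).

Encodes the checks above: is the link https, does its registrable domain
really belong to a site you trust, and does the hostname look like a spoof
(brand name buried in a subdomain), a typosquat (one or two characters off)
or a homograph (internationalised characters).  The allow-list and the URLs
in the demo are constructed for illustration.
"""
from typing import List
from urllib.parse import urlsplit

# Constructed allow-list of registrable domains you actually trust.
TRUSTED_DOMAINS = {"paypal.com", "facebook.com", "example-bank.com"}


def registrable_domain(host: str) -> str:
    """Last two labels of the hostname ('www.paypal.com' -> 'paypal.com').
    Good enough for .com-style names; a real deployment would consult the
    Public Suffix List so that 'bank.co.uk' is handled correctly."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch typosquats such as paypa1.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def vet_link(url: str) -> List[str]:
    """Return a list of problems; an empty list means the link passed every check."""
    problems: List[str] = []
    parts = urlsplit(url)
    if parts.scheme != "https":
        problems.append("not https")

    host = (parts.hostname or "").lower()
    # Punycode labels or raw non-ASCII characters: possible homograph of a Latin name.
    if "xn--" in host or any(ord(c) > 127 for c in host):
        problems.append("internationalised hostname (possible homograph)")

    domain = registrable_domain(host)
    if domain in TRUSTED_DOMAINS:
        return problems  # genuinely the trusted site; its own subdomains are fine too

    for trusted in sorted(TRUSTED_DOMAINS):
        brand = trusted.split(".")[0]
        if brand in host:
            # e.g. paypal.com.secure-login.example: the brand is only a subdomain
            # label; the part that matters (the registrable domain) is someone else's
            problems.append(f"looks like {trusted} but registrable domain is {domain}")
            break
        if edit_distance(domain, trusted) <= 2:
            problems.append(f"possible typosquat of {trusted}: {domain}")
            break
    return problems


if __name__ == "__main__":
    for link in [  # constructed URLs
        "https://www.paypal.com/signin",
        "http://www.paypal.com/signin",
        "https://paypal.com.secure-login.example/",
        "https://paypa1.com/",
        "https://xn--pypal-4ve.com/",
    ]:
        print(link, "->", vet_link(link) or "ok")
```

The order of the checks matters: a trusted registrable domain short-circuits the lookalike tests so that legitimate subdomains such as www.paypal.com are not flagged, while a brand name that appears only as a subdomain label of some other registrable domain is treated as a spoof.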