Almost 50M Facebook accounts at risk for theft after latest security breach

Posted:
in General Discussion edited September 2018
Facebook on Friday revealed that it recently uncovered a major security breach impacting close to 50 million users, which could result in the user's account being stolen by the thieves.

Facebook 1 Hacker Way


Hackers exploited a vulnerability in "View As," a feature that lets people see what their personal profile looks like to others. They were thus able to steal access tokens, which gave them the ability to hijack accounts.

The problem was discovered on Tuesday and has already been fixed. In a statement, Facebook noted that it's already informed law enforcement. The company has reset the access tokens for people known to have been affected, as well as another 40 million accounts that have been subjected to "View As" lookups in the past year.

"We have reset the access tokens of the almost 50 million accounts we know were affected to protect their security. We're also taking the precautionary step of resetting access tokens for another 40 million accounts that have been subject to a 'View As' look-up in the last year," Facebook said in a statement. "As a result, around 90 million people will now have to log back in to Facebook, or any of their apps that use Facebook Login. After they have logged back in, people will get a notification at the top of their News Feed explaining what happened."

"View As" is being temporarily disabled while the company conducts a security analysis. The company already knows, however, that the security hole originated with a July 2017 change to video uploads.

It's not yet known if the hacked accounts were misused, or who the perpetrators were.

"We face constant attacks from people who want to take over accounts or steal information around the world. While I'm glad we found this, fixed the vulnerability, and secured the accounts that may be at risk, the reality is we need to continue developing new tools to prevent this from happening in the first place," CEO and Facebook founder Mark Zuckerberg said on the service. "If you've forgotten your password or are having trouble logging in, you can access your account through the Help Center."

Facebook has dealt with multiple security breaches in the past. The most famous of these is probably the Cambridge Analytica debacle, when the public learned well after Facebook that CA had been building voter profiles by scraping data without consent. Facebook was taken to task by governments for failing to disclose the situation years ago.
«1

Comments

  • Reply 1 of 21
    Raise your hand if you're surprised by this.

    (It's the internet, I can't see you but I'm going to assume nobody is raising their hand.)
    lordjohnwhorfinmagman1979anton zuykovdavgregwatto_cobra
  • Reply 2 of 21
    Facebook's street address says a lot about them!
    macseekermagman1979anton zuykovSpamSandwichwatto_cobra
  • Reply 3 of 21
    sflocalsflocal Posts: 4,752member
    50 million is what to FB's 2 billion users?  It's more a sensationalized piece than anything else.  Yeah, FB's going to get hammered for it because will have a hissy-fit that hackers know they like cute kitten videos.

    My real concern is why there was barely a whimper when Equifax got breached, stealing financially-sensitive information including everything that can be used to open up financial accounts and loans in my name?  Where's the uproar there?
  • Reply 4 of 21
    SoliSoli Posts: 9,385member
    1) I guess this explains why I was forced to re-login into my FB app on my iPhone and on their website this morning.

    2) I have two-factor enabled and yet I've never had to use it to log into my account on any device. I find that concerning.

    3) If I never used the "View As" feature am I safe from this specific hack, or is everyone a potential victim?
    magman1979watto_cobra
  • Reply 5 of 21
    So glad I deleted my facebook account years ago. I sure don't miss the reminders that my friend needs help with her crops or found a lonely fish. What an effing waste of electrons and time.
    mac_dogdewmejcs2305olsracoleman29watto_cobra
  • Reply 6 of 21
    Soli said:

    3) If I never used the "View As" feature am I safe from this specific hack, or is everyone a potential victim?
    Hmmm, that makes me wonder...I used Facebook for 1 year in 2008 and then deleted my account. I never gave Facebook my phone number, but I’m sure almost everyone I know who uses Facebook HAS given them my phone number (and other information), in a less direct way. Does that mean that somewhere in that hacked data is information about me that could be used against my wishes, even though I haven’t provided that information to Facebook?
    edited September 2018 watto_cobra
  • Reply 7 of 21
    SoliSoli Posts: 9,385member
    sflocal said:
    50 million is what to FB's 2 billion users?  It's more a sensationalized piece than anything else.  Yeah, FB's going to get hammered for it because will have a hissy-fit that hackers know they like cute kitten videos.

    My real concern is why there was barely a whimper when Equifax got breached, stealing financially-sensitive information including everything that can be used to open up financial accounts and loans in my name?  Where's the uproar there?
    1) It doesn't matter if it was 1 million or 1 billion if you're one of the people whose data was stolen, and to claim that FB users only post about kitten videos in their feeds and their private messages is fucking stupid. For example, how many celebrities were targeted with their iCloud accounts and photos being hacked and leaked yet there are how many hundreds of millions or billions of iCloud accounts out there? Or, the 4 people who were dosed with nerve gas by a terrorist attack in England by the Russians, 4 of whom died; is that also not a big deal since there are nearly 7.5 billion people in the world? That's only 0.0000000403117% of the population so should we not care about that either? They probably liked kitten videos, too.

    2) Equifax has a huge deal. It was a major story for a long time which resulted in their CEO stepping down, Equifax building a system to see if you were one of the hacked—which itself became a story—and which caused countless comments on how to lock down all 4 major credit bureaus, as well as locking down IRS and SSA. If you didn't think the Equifax hack was a big deal than that's on you.

    In fact, here's what I compiled nearly a year and a half ago for people that asked me how to protect themselves so some of the data will have (hopefully) changed.

    Major Credit Bureaus:
    1. Equifax — https://www.freeze.equifax.com/Freeze/jsp/SFF_PersonalIDInfo.jsp
    2. Experian — https://www.experian.com/ncaconline/freeze
    3. TransUnion — https://freeze.transunion.com/sf/securityFreeze/landingPage.jsp
    4. Innovis — https://www.innovis.com/personal/securityFreeze

    Notes of internet from the experience:
    • It took me a total of 35 minutes to complete all of them.
    • Only Equifax and Innovis are free.
    • Three of the four have really poor website designs. [For example, Equifax wants a 4-digit year but only made the text window long enough to show 2 characters.]
    • Innovis has a solid design.
    • TransUnion and Experian charge $10. [Some states don’t let them charge anything.]
    • Experian gives you a 10-digit PIN.
    • Experian gives you an option to let them make a 10-digit PIN or you can create your own 10-digit PIN. 
    • TransUnion has you create your own 6-digit PIN.
    • TransUnion and Experian make you add an email address.
    • Experian allows you to use an email alias (e.g.: [email protected]) while TransUnion comes back saying that it’s not a valid email addy. [I used about 8 random characters for the alias to make it harder to obtain my email address through social hacking.]
    • TransUnion is the only one that requires you to also create an username, password, and security question (e.g: What is your first grade teacher’s name?). [I made all these random using 1Password’s password generator.]
    • Experian results in a page you can save as a PDF which contains your 10-digit PIN, the date you applied the Freeze.
    • Experian gives you an option to print the page that I saved as a PDF, which contains all the Equifax data, plus their phone number, two URLs, and a physical mailing address to assist in unfreezing your account in the future.
    • Innovis is the easiest to do and it's free. Literally under 60 seconds to fill out. Well, that’s because of 1Password auto-filling for me, but it’s just the one page.

    You may also want to create accounts at the SSA and IRS:
    1. https://www.ssa.gov/myaccount/
    2. https://www.irs.gov/individuals/get-transcript

    Note: If you wish to have your credit run you will need to find out what bureau(s) they''ll be using so you can have them temporarily unlocked.

    Pro Tip: You're not not locked out from looking at your own credit and you're allowed by law (in the US) to get a free, annual credit report. Instead of getting them all at once to make sure there's nothing hinky going on you can set up a calendar entry for each one every three months, which each entry repeating every year for each bureau.
    edited September 2018
  • Reply 8 of 21
    SoliSoli Posts: 9,385member
    Soli said:

    3) If I never used the "View As" feature am I safe from this specific hack, or is everyone a potential victim?
    Hmmm, that makes me wonder...I used Facebook for 1 year in 2008 and then deleted my account. I never gave Facebook my phone number, but I’m sure almost everyone I know who uses Facebook HAS given them my phone number (and other information), in a less direct way. Does that mean that somewhere in that hacked data is information about me that could be used against my wishes, even though I haven’t provided that information to Facebook?
    I think it's statistically likely that your data is out there. If not from a direct hack, from public records and definitely because FB keeps tracks of all that data. Remember that FB was copying all the contact data from Android users for years.

    Have you ever checked out these sites?

    PS: Even more scary are the (hypothetical) computers designed to look for a similar "voice" in the words you use, length of sentences, sentence structure, idioms, etc. Not unlike how telegraph operators could tell who was sending a message based on their telegraph style known as their "fist."
    edited September 2018 watto_cobra
  • Reply 9 of 21
    Soli said:
    sflocal said:
    50 million is what to FB's 2 billion users?  It's more a sensationalized piece than anything else.  Yeah, FB's going to get hammered for it because will have a hissy-fit that hackers know they like cute kitten videos.

    My real concern is why there was barely a whimper when Equifax got breached, stealing financially-sensitive information including everything that can be used to open up financial accounts and loans in my name?  Where's the uproar there?
    1) It doesn't matter if it was 1 million or 1 billion if you're one of the people whose data was stolen, and to claim that FB users only post about kitten videos in their feeds and their private messages is fucking stupid.

    2) Equifax has a huge deal. It was a major story for a long time which resulted in their CEO stepping down, Equifax building a system to see if you were one of the hacked—which itself became a story—and which caused countless comments on how to lock down all 4 major credit bureaus, as well as locking down IRS and SSA. If you didn't think the Equifax hack was a big deal than that's on you.

    In fact, here's what I compiled nearly a year and a half ago for people that asked me how to protect themselves so some of the data will have (hopefully) changed.

    Major Credit Bureaus:
    1. Equifax — https://www.freeze.equifax.com/Freeze/jsp/SFF_PersonalIDInfo.jsp
    2. Experian — https://www.experian.com/ncaconline/freeze
    3. TransUnion — https://freeze.transunion.com/sf/securityFreeze/landingPage.jsp
    4. Innovis — https://www.innovis.com/personal/securityFreeze

    Notes of internet from the experience:
    • It took me a total of 35 minutes to complete all of them.
    • Only Equifax and Innovis are free.
    • Three of the four have really poor website designs. [For example, Equifax wants a 4-digit year but only made the text window long enough to show 2 characters.]
    • Innovis has a solid design.
    • TransUnion and Experian charge $10. [Some states don’t let them charge anything.]
    • Experian gives you a 10-digit PIN.
    • Experian gives you an option to let them make a 10-digit PIN or you can create your own 10-digit PIN. 
    • TransUnion has you create your own 6-digit PIN.
    • TransUnion and Experian make you add an email address.
    • Experian allows you to use an email alias (e.g.: sfoca[email protected]) while TransUnion comes back saying that it’s not a valid email addy. [I used about 8 random characters for the alias to make it harder to obtain my email address through social hacking.]
    • TransUnion is the only one that requires you to also create an username, password, and security question (e.g: What is your first grade teacher’s name?). [I made all these random using 1Password’s password generator.]
    • Experian results in a page you can save as a PDF which contains your 10-digit PIN, the date you applied the Freeze.
    • Experian gives you an option to print the page that I saved as a PDF, which contains all the Equifax data, plus their phone number, two URLs, and a physical mailing address to assist in unfreezing your account in the future.
    • Innovis is the easiest to do and it's free. Literally under 60 seconds to fill out. Well, that’s because of 1Password auto-filling for me, but it’s just the one page.

    You may also want to create accounts at the SSA and IRS:
    1. https://www.ssa.gov/myaccount/
    2. https://www.irs.gov/individuals/get-transcript

    Note: If you wish to have your credit run you will need to find out what bureau(s) they''ll be using so you can have them temporarily unlocked.

    Pro Tip: You're not not locked out from looking at your own credit and you're allowed by law (in the US) to get a free, annual credit report. Instead of getting them all at once to make sure there's nothing hinky going on you can set up a calendar entry for each one every three months, which each entry repeating every year for each bureau.
    Did Equifax get fined or anyone go to jail for selling stock before disclosing the breach? Any changes in regulating the CR agencies? Real question. I tuned out of that whole debacle because I was so pissed off. Other than CEO stepping down, I can't remember anything else happening to Equifax and the industry.
    SpamSandwich
  • Reply 10 of 21
    SoliSoli Posts: 9,385member
    mistergsf said:
    Soli said:
    sflocal said:
    50 million is what to FB's 2 billion users?  It's more a sensationalized piece than anything else.  Yeah, FB's going to get hammered for it because will have a hissy-fit that hackers know they like cute kitten videos.

    My real concern is why there was barely a whimper when Equifax got breached, stealing financially-sensitive information including everything that can be used to open up financial accounts and loans in my name?  Where's the uproar there?
    1) It doesn't matter if it was 1 million or 1 billion if you're one of the people whose data was stolen, and to claim that FB users only post about kitten videos in their feeds and their private messages is fucking stupid.

    2) Equifax has a huge deal. It was a major story for a long time which resulted in their CEO stepping down, Equifax building a system to see if you were one of the hacked—which itself became a story—and which caused countless comments on how to lock down all 4 major credit bureaus, as well as locking down IRS and SSA. If you didn't think the Equifax hack was a big deal than that's on you.

    In fact, here's what I compiled nearly a year and a half ago for people that asked me how to protect themselves so some of the data will have (hopefully) changed.

    Major Credit Bureaus:
    1. Equifax — https://www.freeze.equifax.com/Freeze/jsp/SFF_PersonalIDInfo.jsp
    2. Experian — https://www.experian.com/ncaconline/freeze
    3. TransUnion — https://freeze.transunion.com/sf/securityFreeze/landingPage.jsp
    4. Innovis — https://www.innovis.com/personal/securityFreeze

    Notes of internet from the experience:
    • It took me a total of 35 minutes to complete all of them.
    • Only Equifax and Innovis are free.
    • Three of the four have really poor website designs. [For example, Equifax wants a 4-digit year but only made the text window long enough to show 2 characters.]
    • Innovis has a solid design.
    • TransUnion and Experian charge $10. [Some states don’t let them charge anything.]
    • Experian gives you a 10-digit PIN.
    • Experian gives you an option to let them make a 10-digit PIN or you can create your own 10-digit PIN. 
    • TransUnion has you create your own 6-digit PIN.
    • TransUnion and Experian make you add an email address.
    • Experian allows you to use an email alias (e.g.: [email protected]) while TransUnion comes back saying that it’s not a valid email addy. [I used about 8 random characters for the alias to make it harder to obtain my email address through social hacking.]
    • TransUnion is the only one that requires you to also create an username, password, and security question (e.g: What is your first grade teacher’s name?). [I made all these random using 1Password’s password generator.]
    • Experian results in a page you can save as a PDF which contains your 10-digit PIN, the date you applied the Freeze.
    • Experian gives you an option to print the page that I saved as a PDF, which contains all the Equifax data, plus their phone number, two URLs, and a physical mailing address to assist in unfreezing your account in the future.
    • Innovis is the easiest to do and it's free. Literally under 60 seconds to fill out. Well, that’s because of 1Password auto-filling for me, but it’s just the one page.

    You may also want to create accounts at the SSA and IRS:
    1. https://www.ssa.gov/myaccount/
    2. https://www.irs.gov/individuals/get-transcript

    Note: If you wish to have your credit run you will need to find out what bureau(s) they''ll be using so you can have them temporarily unlocked.

    Pro Tip: You're not not locked out from looking at your own credit and you're allowed by law (in the US) to get a free, annual credit report. Instead of getting them all at once to make sure there's nothing hinky going on you can set up a calendar entry for each one every three months, which each entry repeating every year for each bureau.
    Did Equifax get fined or anyone go to jail for selling stock before disclosing the breach? Any changes in regulating the CR agencies? Real question. I tuned out of that whole debacle because I was so pissed off. Other than CEO stepping down, I can't remember anything else happening to Equifax and the industry.
    There was at least one charge for inside trading.


    edit: Get the facts peppered with some comedy because that makes it easier to swallow…



    edited September 2018
  • Reply 11 of 21
    This stuff happens all the time and yet everyone wants to put everything up in the cloud. 

    Between all the various compromises reported over the last couple of years, almost every adult has probably had some level of private data exposed.
  • Reply 12 of 21

    ...
    edited September 2018
  • Reply 13 of 21
    sflocal said:
    [...]
    My real concern is why there was barely a whimper when Equifax got breached, stealing financially-sensitive information including everything that can be used to open up financial accounts and loans in my name?  Where's the uproar there?
    Yes, I would like to know why that got so little attention. But then it seems the credit companies and banks don’t ever get much negative press at all. Could it be the millions spent on advertising in the very media that doesn’t cover their embarrassing stories...?
  • Reply 14 of 21
    sflocal said:
    50 million is what to FB's 2 billion users?  It's more a sensationalized piece than anything else.  Yeah, FB's going to get hammered for it because will have a hissy-fit that hackers know they like cute kitten videos.

    My real concern is why there was barely a whimper when Equifax got breached, stealing financially-sensitive information including everything that can be used to open up financial accounts and loans in my name?  Where's the uproar there?
    You consider FB credentials getting out on the same level as your personal and financial identity. Which is exactly what Equifax left exposed ? That’s an interesting way of thinking. 

    I do ageee though. You barely heard anything when over half the country’s personal info was just left out there because of a shitty easily hack able website. I am still checking my credit report over that whole thing. 
    edited September 2018
  • Reply 15 of 21
    SoliSoli Posts: 9,385member
    dysamoria said:
    sflocal said:
    [...]
    My real concern is why there was barely a whimper when Equifax got breached, stealing financially-sensitive information including everything that can be used to open up financial accounts and loans in my name?  Where's the uproar there?
    Yes, I would like to know why that got so little attention. But then it seems the credit companies and banks don’t ever get much negative press at all. Could it be the millions spent on advertising in the very media that doesn’t cover their embarrassing stories...?
    jcs2305 said:
    sflocal said:
    50 million is what to FB's 2 billion users?  It's more a sensationalized piece than anything else.  Yeah, FB's going to get hammered for it because will have a hissy-fit that hackers know they like cute kitten videos.

    My real concern is why there was barely a whimper when Equifax got breached, stealing financially-sensitive information including everything that can be used to open up financial accounts and loans in my name?  Where's the uproar there?
    You consider FB credentials getting out on the same level as your personal and financial identity. Which is exactly what Equifax left exposed ? That’s an interesting way of thinking. 

    I do ageee though. You barely heard anything when over half the country’s personal info was just left out there because of a shitty easily hack able website. I am still checking my credit report over that whole thing. 
    Where you two in a coma during the Equifax debacle? That was constant wall to wall coverage across every news site for months.
  • Reply 16 of 21
    I'm not on FaceBook but my GF is...I was told by a programmer that anyone on FaceBook should change their DOB to one or two days before or after their actual DOB.

    He said it's a little thing, but it's one data point that bad people use, as well as tags on photos.

    Not sure if this worth or not.

    Thoughts?
    watto_cobra
  • Reply 17 of 21
    I'm not on FaceBook but my GF is...I was told by a programmer that anyone on FaceBook should change their DOB to one or two days before or after their actual DOB.
    The problem with adjusting DOB, even just a little, is that people frequently forget what they changed it to. Then, if the DOB is required to reset the password and it’s needed what happens? People forget the answers to their security questions all the time, imagine the trouble trying to remember a fake birthday?
    watto_cobra
  • Reply 18 of 21
    I deleted my Facebook account. I'm glad I did. Even when I used Facebook, I never used the feature to sign into other sites using the "Sign in with Facebook" feature. If you take security seriously, you will insist on registering a separate account with each website. Taking security seriously is not convenient, but it's worth it. 
    fotoformatracoleman29watto_cobra
  • Reply 19 of 21
    One more reason why Facebook and other websites like it, are better off dead.  Better off for humanity, that is.

    racoleman29watto_cobra
  • Reply 20 of 21
    croprcropr Posts: 966member
    Raise your hand if you're surprised by this.

    (It's the internet, I can't see you but I'm going to assume nobody is raising their hand.)
    I am raising my hand. 

    You are confused by 2 unrelated things: the practice of abusing the personal data of users of FB on one hand and the security of the data center of FB on the other hand.

    The former is the business of FB, the latter is hampering the business and that is why it surprises me that this breach has happened.   

Sign In or Register to comment.