Facebook announced at the end of last week that around 50 million people’s accounts could have been accessed by attackers. I was one of those people – were you?
Were you one of the 90 million people – yes, you read that right – who found themselves suddenly logged out of Facebook on Friday afternoon? If so, you are one of the people whose account could have been compromised by a security flaw discovered by Facebook on Tuesday last week.
What seems to have happened is that Facebook found attackers had exploited a vulnerability in the View As feature (the tool that lets you see your own profile as someone else sees it) to steal access tokens: the digital keys that keep you logged in without re-entering your password. A stolen token could give someone complete access to your account.
Facebook says it has fixed the bug and reset the access tokens of the affected accounts. That reset is why you were logged out and had to log in again, and because it invalidates any stolen token, it also locks out any unauthorised person who had been using one to get into your account.
However, as with previous privacy breaches, the damage had already been done before the alarm was raised: Facebook spotted the problem last Tuesday, but the vulnerability was introduced in July last year, so it could have been exploited for more than a year before anyone noticed.
That’s bad, because someone with access to your account can see not only everything on your profile – from your photos and your posts on your own wall to all your data points, including where you work, your date of birth and so on – but also everything your friends share with you.
This network effect could put millions more people’s data at risk. I have more than 1,200 friends on Facebook (I know, I know, but I’ve been there since the very earliest days and it’s as much a professional tool for me as a personal one) and it concerns me deeply that an attacker could have had access to all their profiles, too.
This visualisation of the connections between my Facebook friends (above) very clearly illustrates how our Facebook networks reach far beyond our immediate circles – and gives a sense of the potential impact of someone getting unauthorised access to a Facebook account.
The other concern is that so many people also use their Facebook accounts to log in to third-party websites, from services such as Spotify and Tinder to shopping and travel websites.
It seems that attackers who used this vulnerability to get into Facebook users’ accounts could also potentially have used the stolen token to get into any other website or app that the user signs in to with their Facebook account, since those sites trust Facebook to vouch for who you are.
I don’t use my Facebook account to sign in to third-party websites and services, but many do, and I understand why: it saves you having to create a separate account and remembering separate passwords.
In short, this is potentially an enormous breach, and many people will be thinking again about how much they trust Facebook.
Just over half of American Facebook users have adjusted their privacy settings in the wake of the Cambridge Analytica scandal, a Pew study found recently, and around a quarter said they had deleted the app from their phones. This was an interesting point of discussion when I joined Simon Jack on Radio 4’s PM (from 16’25) on Saturday.
But deleting the app doesn’t necessarily mean leaving the site altogether, of course – and we won’t know if user numbers have dropped until Facebook releases its user statistics for the third quarter of this year.
For the time being, it appears Facebook’s active user numbers are still increasing: in the second quarter of the year, the figure was 2.23bn monthly active users, up from 2.19bn in the first quarter.
How to protect yourself
First, check where you’re logged in: Facebook’s security settings list every active session. From there, you can log out of all the devices – phones, tablets and computers – that are currently logged in, including any you don’t recognise.
Second, if you use Facebook (or indeed any other provider such as Google or Twitter) to log in to third-party sites, you should set up separate accounts with those sites and delete the accounts you had linked to Facebook. That’s a pain, however: on Spotify, for example, you’ll lose all your playlists and downloaded music.
Facebook says there’s no need to reset your password: what the attackers stole were access tokens, not passwords, and your password isn’t visible to someone who is logged in to your account. There’s no harm in changing it if you’d feel safer, though. We have a detailed guide on choosing secure passwords.
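The reason the forced logout, rather than a password change, is what evicts an attacker (see the description of the token reset above and the password advice just given) is easier to see in code. The following is an added example written for this page; it is a simplified model of a login provider that issues tokens to third-party sites, not Facebook’s code, and every class, name and the toy token format are assumptions for illustration. It shows a stolen token still working after the victim changes their password, and only failing once the provider resets that user’s tokens.

```python
import hashlib
import hmac
import secrets


class IdentityProvider:
    """Toy stand-in for a Facebook-style login service (assumption: not Facebook's code).

    A token is 'user:generation:mac'. The provider keeps a per-user generation
    counter; bumping it is the equivalent of the mass token reset described
    above, because every token minted under the old number stops validating.
    """

    def __init__(self):
        self._key = secrets.token_bytes(32)   # HMAC key that authenticates tokens
        self._generation = {}                 # user -> current token generation
        self._passwords = {}                  # user -> password hash

    def _hash(self, user, password):
        # Toy password hashing; the username stands in for a real random salt.
        return hashlib.pbkdf2_hmac("sha256", password.encode(), user.encode(), 10_000)

    def register(self, user, password):
        self._generation[user] = 0
        self._passwords[user] = self._hash(user, password)

    def issue_token(self, user):
        body = f"{user}:{self._generation[user]}"
        mac = hmac.new(self._key, body.encode(), "sha256").hexdigest()
        return f"{body}:{mac}"

    def login(self, user, password):
        stored = self._passwords.get(user)
        if stored is None or not hmac.compare_digest(stored, self._hash(user, password)):
            return None
        return self.issue_token(user)

    def validate(self, token):
        """Return the user a token belongs to, or None if it is forged or revoked."""
        try:
            user, gen, mac = token.split(":")
        except ValueError:
            return None
        expected = hmac.new(self._key, f"{user}:{gen}".encode(), "sha256").hexdigest()
        if not hmac.compare_digest(mac, expected):
            return None                        # tampered or forged
        if user not in self._generation or int(gen) != self._generation[user]:
            return None                        # minted before a token reset: revoked
        return user

    def change_password(self, user, new_password):
        # Deliberately leaves the generation alone to show that a password change
        # on its own does nothing to a token an attacker already holds.
        self._passwords[user] = self._hash(user, new_password)

    def reset_tokens(self, users):
        # The remediation: invalidate every outstanding token for these users.
        for user in users:
            self._generation[user] += 1


class ThirdPartySite:
    """Relying party (think of a music or dating app) that accepts the provider's token
    instead of running its own login. Assumption: a stand-in for such a site."""

    def __init__(self, provider):
        self.provider = provider
        self.playlists = {}

    def get_playlists(self, token):
        user = self.provider.validate(token)
        if user is None:
            return None                        # access denied
        return self.playlists.get(user, [])


def run_scenario():
    """Constructed scenario: a token is stolen, the victim changes their password,
    then the provider resets tokens. Returns what the third-party site served at each step."""
    idp = IdentityProvider()
    idp.register("alice", "correct horse battery staple")
    site = ThirdPartySite(idp)
    site.playlists["alice"] = ["running mix", "sunday morning"]

    stolen = idp.login("alice", "correct horse battery staple")  # attacker gets a copy
    before = site.get_playlists(stolen)

    idp.change_password("alice", "a brand new passphrase")
    after_password_change = site.get_playlists(stolen)         # still served

    idp.reset_tokens(["alice"])
    after_token_reset = site.get_playlists(stolen)             # now refused

    fresh = idp.login("alice", "a brand new passphrase")        # legitimate re-login works
    return before, after_password_change, after_token_reset, site.get_playlists(fresh)


if __name__ == "__main__":
    for label, result in zip(["stolen token", "after password change", "after token reset", "fresh login"],
                             run_scenario()):
        print(f"{label}: {result}")
```

The design point is that the password and the session are separate credentials. A real provider should revoke sessions on password change as well, but the model keeps the two apart to make the page’s advice concrete: the forced logout was the step that cut off anyone holding a stolen token.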
And if you do decide you want to delete your account, or just take a break from Facebook, it’s a simple enough process.
So how do you feel after this breach? Will you be sticking with Facebook, or are you thinking of deleting it once and for all? What could Facebook do to restore your trust?