
Was your Facebook account accessed by attackers?

Facebook announced at the end of last week that around 50 million people’s accounts could have been accessed by attackers. I was one of those people – were you?

Were you one of the 90 million people – yes, you read that right – who found themselves suddenly logged out of Facebook on Friday afternoon? If so, you are one of the people whose account could have been compromised by a security flaw discovered by Facebook on Tuesday last week.

What seems to have happened is that Facebook was alerted to a vulnerability in the View As function which could allow someone complete access to your account.

Facebook says it’s fixed the bug and that by forcing affected users to log out and log in again, they’ve also locked out any unauthorised person who had access to your account via the vulnerability.

However, as with previous privacy breaches, the damage had already been done before the alarm was raised: Facebook spotted the problem last Tuesday, but it’s thought the vulnerability was potentially active from July last year.

Network effect

That’s bad, because someone with access to your account can not only see everything on your profile – from your photos and your posts on your own wall to all your datapoints, including where you work, your date of birth etc – but also everything your friends share with you.

This network effect could put millions more people’s data at risk. I have more than 1,200 friends on Facebook (I know, I know, but I’ve been there since the very earliest days and it’s as much a professional tool for me as a personal one) and it concerns me deeply that an attacker could have had access to all their profiles, too.

This visualisation of the connections between my Facebook friends (above) very clearly illustrates how our Facebook networks reach far beyond our immediate circles – and gives a sense of the potential impact of someone getting unauthorised access to a Facebook account.

Third-party problems

The other concern is that so many people also use their Facebook accounts to log in to third-party websites, from services such as Spotify and Tinder to shopping and travel websites.

It seems that attackers who accessed Facebook users’ profiles via this vulnerability could also potentially have access to any other websites a user was logged in to.

I don’t use my Facebook account to sign in to third-party websites and services, but many do, and I understand why: it saves you having to create a separate account and remembering separate passwords.

In short, this is potentially an enormous breach, and many people will be thinking again about how much they trust Facebook.

Facebook exodus?

Just over half of American users have adjusted their Facebook privacy settings in the wake of the Cambridge Analytica scandal, a Pew study found recently, with around a quarter of those saying they had deleted the app from their phones. This was an interesting point of discussion when I joined Simon Jack on Radio 4’s PM (from 16’25) on Saturday.

But deleting the app doesn’t necessarily mean leaving the site altogether, of course – and we won’t know if user numbers have dropped until Facebook releases its user statistics for the third quarter of this year.

For the time being, it appears Facebook’s active user numbers are still increasing: in the second quarter of the year, the figure was 2.23bn monthly active users, up from 2.19bn in the first quarter.

How to protect yourself

First, you should check to see where you’re logged in. From there, you can log out of every device – phone, tablet or computer – that is currently logged in to your account.

Second, if you use Facebook (or indeed any other social app such as Google or Twitter) to log in to third-party sites, you should set up separate accounts with those and delete the accounts you had linked to Facebook. That’s a pain, however: on Spotify, for example, you’ll lose all your playlists and downloaded music.

Facebook says there’s no need to reset your password, as the flaw doesn’t reveal your password to anyone who used it to get into your account, but there’s no harm in doing so if you’d feel safer. We have a detailed guide on choosing secure passwords.

And if you do decide you want to delete your account, or just take a break from Facebook, it’s a simple enough process.
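The mechanics behind the advice above (a "where you’re logged in" list, a forced logout that invalidates every session token at once, and why third-party sites linked to your Facebook login are a separate worry) can be shown with a small model. This is an added illustration, not Facebook’s code: the identity provider, the two third-party sites and all class, function and device names are hypothetical, and the timestamps and the "stolen" token are a constructed scenario.

```python
"""Added illustration (not Facebook's code): an identity provider that issues
opaque session tokens, two third-party sites that accept 'log in with IdP',
and the incident-response step of revoking every token issued before a cutoff.
All class and function names are hypothetical."""
import secrets
from dataclasses import dataclass


@dataclass
class Session:
    user: str
    device: str        # what a "where you're logged in" page would list
    issued_at: float   # seconds; constructed timestamps in the demo
    revoked: bool = False


class IdentityProvider:
    """Holds sessions keyed by an opaque random bearer token."""

    def __init__(self):
        self._sessions = {}  # token -> Session

    def login(self, user, device, now):
        # The token is random and carries no password material, which is why a
        # token leak is answered by resetting sessions rather than passwords.
        token = secrets.token_urlsafe(32)
        self._sessions[token] = Session(user, device, now)
        return token

    def whoami(self, token):
        """Return the user a token grants access to, or None if invalid/revoked."""
        s = self._sessions.get(token)
        return None if s is None or s.revoked else s.user

    def active_sessions(self, user):
        """The user-facing check: which devices are currently logged in."""
        return [s.device for s in self._sessions.values()
                if s.user == user and not s.revoked]

    def revoke_issued_before(self, cutoff):
        """Mass forced logout: every token minted before the cutoff dies,
        whoever holds it. Returns how many sessions were revoked."""
        count = 0
        for s in self._sessions.values():
            if not s.revoked and s.issued_at < cutoff:
                s.revoked = True
                count += 1
        return count


class RelyingParty:
    """A third-party site offering federated login via the IdP."""

    def __init__(self, idp, revalidate):
        self.idp = idp
        self.revalidate = revalidate   # re-check the IdP token on every request?
        self._local = {}               # local cookie -> (user, idp_token)

    def login_with_idp(self, idp_token):
        user = self.idp.whoami(idp_token)
        if user is None:
            return None
        cookie = secrets.token_urlsafe(16)
        self._local[cookie] = (user, idp_token)
        return cookie

    def current_user(self, cookie):
        entry = self._local.get(cookie)
        if entry is None:
            return None
        user, idp_token = entry
        if self.revalidate and self.idp.whoami(idp_token) is None:
            self._local.pop(cookie)   # IdP revocation propagates here
            return None
        return user                   # lax site: its own session outlives the IdP's


def scenario():
    """Constructed scenario: one of alice's two sessions is held by an attacker."""
    idp = IdentityProvider()
    t0 = 1000.0
    idp.login("alice", "iPhone", t0)
    stolen = idp.login("alice", "Chrome on Windows", t0 + 10)
    strict = RelyingParty(idp, revalidate=True)
    lax = RelyingParty(idp, revalidate=False)
    c_strict = strict.login_with_idp(stolen)
    c_lax = lax.login_with_idp(stolen)

    def snapshot():
        return {
            "devices": idp.active_sessions("alice"),
            "idp": idp.whoami(stolen),
            "strict_rp": strict.current_user(c_strict),
            "lax_rp": lax.current_user(c_lax),
        }

    before = snapshot()
    revoked = idp.revoke_issued_before(t0 + 100)   # the forced logout
    after = snapshot()
    return before, revoked, after


if __name__ == "__main__":
    for label, value in zip(("before", "revoked", "after"), scenario()):
        print(label, value)
```

The point of the two relying parties is the caveat: the forced logout kills the stolen token at the identity provider and at any site that re-checks the token on each request, but a site that minted its own long-lived session at the moment of login keeps serving the attacker until that session is ended locally. That is why the article suggests unlinking third-party accounts rather than relying on the provider’s reset alone.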

So how do you feel after this breach? Will you be sticking with Facebook, or are you thinking of deleting it once and for all? What could Facebook do to restore your trust?

Comments
Member

No, thank goodness. It is safe to assume that any site anywhere on the net can be hacked and realise that any stored information out there on you, anywhere, can be accessed. Once this is accepted, risk assessment will dictate how and what you do online. It’s convenience versus consequence and likelihood that the site is worth hacking.
You mention losing music and playlists; I would extend this to cloud storage too – not immune from hackers. It’s why I do like to hold CDs and DVDs in my hand. You can’t hack these. I can exist happily in a net environment where I don’t stand to lose life savings or have too much inconvenience if things crash. Those who rely on the web for their livelihood, services that make their lives possible and those who need to communicate with others reliably need a trustworthy internet, and it seems that this is rapidly becoming as leaky as a sieve. National infrastructure is also the first thing to suffer if hackers are successful, and they do seem to be one step ahead of the defenders who patch things up after the damage has been done. The web world is changing and we – plural, nationally – need to find new ways of doing things rather than try and beat the criminals and spies. No doubt folk are engaged in finding these while others are looking at preventing them from working.

Member

Decent cloud storage is almost impossible to hack. Any decent cloud storage provider will be “zero-knowledge”, whereby the provider doesn’t store your password. The password (ideally a very long passphrase) is known only by you and is used to encrypt your data before it is sent to the cloud. Any data stored in the cloud thereby can’t be read by the provider and the provider can’t even reset your password. Any cloud storage provider that you’ve heard of (e.g. Dropbox, Google Drive, iCloud) is almost certainly not zero-knowledge and should be avoided. It’s simple enough to Google and find those that are.
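The "zero-knowledge" design the comment above describes can be made concrete: the client derives its keys from a passphrase, encrypts before upload, and the provider holds only ciphertext, so it can neither read the data nor reset the passphrase. This is an added illustration, not any provider’s code. Because the Python standard library has no AES, the cipher here is a stand-in (HMAC-SHA256 in counter mode with a separate HMAC tag, encrypt-then-MAC); a real client would use AES-GCM or similar. The sample passphrase, file contents and all function names are constructed.

```python
"""Added illustration of client-side ('zero-knowledge') encryption before
upload. Stand-in cipher: HMAC-SHA256 keystream in counter mode plus an HMAC
tag, because the standard library has no AES. Names are hypothetical."""
import hashlib
import hmac
import os

PBKDF2_ROUNDS = 100_000


def derive_keys(passphrase, salt):
    """Stretch the passphrase and split the output into an encryption key
    and a MAC key. The provider never sees the passphrase or these keys."""
    material = hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt,
                                   PBKDF2_ROUNDS, dklen=64)
    return material[:32], material[32:]


def _keystream(enc_key, nonce, length):
    """PRF in counter mode: HMAC(enc_key, nonce || counter) blocks."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(8, "big"),
                        hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt_blob(passphrase, plaintext):
    """Client side. Returns salt || nonce || ciphertext || tag."""
    salt, nonce = os.urandom(16), os.urandom(16)
    enc_key, mac_key = derive_keys(passphrase, salt)
    stream = _keystream(enc_key, nonce, len(plaintext))
    ct = bytes(a ^ b for a, b in zip(plaintext, stream))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return salt + nonce + ct + tag


def decrypt_blob(passphrase, blob):
    """Client side. Raises ValueError on a wrong passphrase or tampering."""
    salt, nonce, ct, tag = blob[:16], blob[16:32], blob[32:-32], blob[-32:]
    enc_key, mac_key = derive_keys(passphrase, salt)
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("authentication failed")
    stream = _keystream(enc_key, nonce, len(ct))
    return bytes(a ^ b for a, b in zip(ct, stream))


class CloudProvider:
    """Provider side: stores opaque blobs. It holds no password and no key,
    so it cannot read the data and has nothing it could 'reset'."""

    def __init__(self):
        self.blobs = {}

    def upload(self, name, blob):
        self.blobs[name] = blob

    def download(self, name):
        return self.blobs[name]


def demo():
    """Constructed round trip; returns four booleans for the checks below."""
    provider = CloudProvider()
    passphrase = "a long passphrase known only to the client"   # constructed
    secret = b"photos and reports of no value to anyone but me"  # constructed
    provider.upload("backup.bin", encrypt_blob(passphrase, secret))
    blob = provider.download("backup.bin")

    roundtrip_ok = decrypt_blob(passphrase, blob) == secret
    try:
        decrypt_blob("wrong passphrase", blob)
        wrong_passphrase_fails = False
    except ValueError:
        wrong_passphrase_fails = True
    flipped = blob[:40] + bytes([blob[40] ^ 0x01]) + blob[41:]  # one ciphertext bit
    try:
        decrypt_blob(passphrase, flipped)
        tamper_fails = False
    except ValueError:
        tamper_fails = True
    provider_sees_no_passphrase = passphrase.encode() not in blob
    return roundtrip_ok, wrong_passphrase_fails, tamper_fails, provider_sees_no_passphrase


if __name__ == "__main__":
    print(demo())
```

The salt and nonce travel with the blob so the client can re-derive its keys on another machine, which is the convenience the comment values; the trade-off, also noted there, is that a forgotten passphrase is unrecoverable because the provider holds nothing that could decrypt the data.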

Member

As someone once pointed out, I have nothing on my Facebook page. I joined to help promote a small society and occasionally provide some historical information or details of events. Now that the society pages are self-sustaining and generate useful publicity, I do not visit very often.

I use both Dropbox and iCloud, so that I don’t need to worry about which computer I am using. I have many photos and reports that will be of no value to anyone apart from me.

Member
Patrick Taylor says:
2 October 2018

The article seems to have missed the later news that Facebook had been giving access [sold?] to people’s telephone numbers supplied to Facebook as a security measure. Nice one Facebook.

eff.org/deeplinks/2018/09/you-gave-facebook-your-number-security-they-used-it-ads

Perhaps Which? needs to step up to the plate on this abuse of EU regulations, and people’s legitimate expectations.

Member

That story is very much on my radar, but I wanted to focus specifically on this data breach for the purposes of this convo.

Member

Vynor is absolutely correct. As Presidents downward use all three social media giants, I use none, nor have I any apps/programmes/programming relating to all three anywhere on my PC; I prefer human contact, not virtual. As regards cloud storage, many months ago I posted warning posters from using it as it can be hacked. I posted a technical reason how it happens. I also posted that the US government thinks it’s so leaky that it refused to use the ordinary cloud storage and put it out to tender, resulting in Amazon/Google etc. fighting for the US government military contract to create a supposed “impenetrable cloud storage”. Don’t UK citizens realise that all the big cloud storage is US owned and based? Therefore ALL your data is accessible to all US government departments, and they are far from perfect, as I quoted some FBI employees making money out of the data held by citizens, selling it to third parties. Read https://techcrunch.com/2018/03/22/cloud-act-omnibus-bill-house/ – unless you have LOCAL storage, like Russia insists on having from the US giants, you have zero control over your data. Where the server is, that is where the law applies. You think you are safe with DuckDuckGo? Nope: in small print it gathers your data – not your IP, but your data will contain location etc. I now use European-based search engines which don’t hit me with obvious advertising of paid-for websites. The US is spending $1.7 BILLION on PRIVATE cloud and just $118.3 million on public – get it? See https://www.wired.com/insights/2013/09/why-the-u-s-government-is-moving-to-cloud-computing/ . I have a mountain of tech info on this if anybody disagrees.

Member

Hours after I posted the above condemning public cloud, I got an email from a well-known US malware/scamming/hacking advisor, Krebs, on hacking cloud storage, backing me up. What he describes is just the tip of the iceberg but is illustrative of the state of public cloud storage; read https://krebsonsecurity.com/2018/10/when-security-researchers-pose-as-cybercrooks-who-can-tell-the-difference/ . It’s also the reason the US government, after all the “Trump-eting” about this “wonderful new storage system” that would “revolutionise” the storage of data (public), will never use it themselves. Even the password keys can be hacked on public cloud, and have been.

Member

Our response here as further details emerge:

Alex Neill, Which? Managing Director of Home Products and Services, said:

“With further facts about Facebook’s data breach emerging, many users will be deeply concerned. It is critical that the company does all that it can to ensure the victims identified get clear information about what has happened and assists anyone negatively impacted.

“Anyone affected by the hack should consider changing their password, check credit reports and monitor bank and other online accounts. They may be vulnerable to identity fraud and should be wary of contact out of the blue as scammers may try to take advantage of it.”

Member

Yes, it’s happened again: Facebook has leaked data. Reports were dated 13th to 25th September 2018 but were only reported to the public a day or so ago, in December 2018.
Over 6.8 million uploaded photos were exposed through its Photo API to the “dreaded” third-party developers: 1,500 apps built by 876 developers had access to them on Facebook Stories and Marketplace.
It is noteworthy that Facebook saves a copy of EVERYTHING a user does in the timeline box, including unpublished statuses and photos.

For any disbelievers, a quote from Facebook engineering director Tomer Bar:
“If someone uploads a photo but doesn’t finish posting it, we store a copy for 3 days.”
Just waiting for the next leak .