Was your Facebook account accessed by attackers?

Facebook announced at the end of last week that around 50 million people’s accounts could have been accessed by attackers. I was one of those people – were you?

Were you one of the 90 million people – yes, you read that right – who found themselves suddenly logged out of Facebook on Friday afternoon? If so, you are one of the people whose account could have been compromised by a security flaw discovered by Facebook on Tuesday last week.

What seems to have happened is that Facebook was alerted to a vulnerability in the “View As” feature which could give someone complete access to your account.

Facebook says it’s fixed the bug and that by forcing affected users to log out and log in again, they’ve also locked out any unauthorised person who had access to your account via the vulnerability.

However, as with previous privacy breaches, the damage had already been done before the alarm was raised: Facebook spotted the problem last Tuesday, but it’s thought the vulnerability was potentially active from July last year.

Network effect

That’s bad, because someone with access to your account can not only see everything on your profile – from your photos and your posts on your own wall to all your data points, including where you work, your date of birth and so on – but also everything your friends share with you.

This network effect could put millions more people’s data at risk. I have more than 1,200 friends on Facebook (I know, I know, but I’ve been there since the very earliest days and it’s as much a professional tool for me as a personal one) and it concerns me deeply that an attacker could have had access to all their profiles, too.

This visualisation of the connections between my Facebook friends (above) very clearly illustrates how our Facebook networks reach far beyond our immediate circles – and gives a sense of the potential impact of someone getting unauthorised access to a Facebook account.

Third-party problems

The other concern is that so many people also use their Facebook accounts to log in to third-party websites, from services such as Spotify and Tinder to shopping and travel websites.

It seems that attackers who accessed Facebook users’ profiles via this vulnerability could also potentially have had access to any other websites a user was logged in to with their Facebook account.

I don’t use my Facebook account to sign in to third-party websites and services, but many do, and I understand why: it saves you having to create a separate account and remembering separate passwords.

In short, this is potentially an enormous breach, and many people will be thinking again about how much they trust Facebook.

Facebook exodus?

Just over half of American users have adjusted their Facebook privacy settings in the wake of the Cambridge Analytica scandal, a Pew study found recently, with around a quarter of those saying they had deleted the app from their phones. This was an interesting point of discussion when I joined Simon Jack on Radio 4’s PM (from 16’25) on Saturday.

But deleting the app doesn’t necessarily mean leaving the site altogether, of course – and we won’t know if user numbers have dropped until Facebook releases its user statistics for the third quarter of this year.

For the time being, it appears Facebook’s active user numbers are still increasing: in the second quarter of the year, the figure was 2.23bn monthly active users, up from 2.19bn in the first quarter.

How to protect yourself

First, you should check to see where you’re logged in. From there, you can log out of all the devices – phones, tablets, smartphones – that you currently have logged in.

Second, if you use Facebook (or indeed any other social app such as Google or Twitter) to log in to third-party sites, you should set up separate accounts with those and delete the accounts you had linked to Facebook. That’s a pain, however: on Spotify, for example, you’ll lose all your playlists and downloaded music.

Facebook says there’s no need to reset your password, as the vulnerability didn’t reveal passwords to anyone logged in, but there’s no harm in doing so if you’d feel safer. We have a detailed guide on choosing secure passwords.
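The two points above – that forcing everyone to log out locks out anyone holding a stolen session, and that a stolen session does not reveal your password – both come down to how a site keeps its session store separate from its password store. The following is an added illustration written for this article, not Facebook’s code: a minimal in-memory session store in which sessions are opaque random tokens, passwords are kept only as salted hashes, and a “log out everywhere” operation drops every token for the affected users. The user names and passwords are constructed sample data.

```python
import hashlib
import hmac
import os
import secrets


class SessionStore:
    """Toy server-side session store (constructed example, not a real site's code).

    A session token is a random opaque identifier that maps to a user id.
    The password hash lives in a separate table and is never derivable
    from a token, so revoking tokens is enough to shut out anyone who
    obtained one without the password.
    """

    def __init__(self):
        self._sessions = {}  # token -> user_id
        self._users = {}     # user_id -> (salt, password_hash)

    @staticmethod
    def _hash(password, salt):
        # PBKDF2 with a per-user salt; the stored value cannot be turned back into the password.
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def register(self, user_id, password):
        salt = os.urandom(16)
        self._users[user_id] = (salt, self._hash(password, salt))

    def login(self, user_id, password):
        """Return a fresh session token on success, or None on a bad password."""
        if user_id not in self._users:
            return None
        salt, stored = self._users[user_id]
        if not hmac.compare_digest(self._hash(password, salt), stored):
            return None
        token = secrets.token_urlsafe(32)  # 256 bits of randomness; unrelated to the password
        self._sessions[token] = user_id
        return token

    def whoami(self, token):
        """Resolve a token to a user id, or None if it was never issued or has been revoked."""
        return self._sessions.get(token)

    def revoke_all_for(self, user_ids):
        """'Log out everywhere' for the given users; returns how many sessions were dropped."""
        doomed = [t for t, u in self._sessions.items() if u in user_ids]
        for t in doomed:
            del self._sessions[t]
        return len(doomed)


def forced_logout_demo():
    """Walk through the mitigation described in the article and report what happened."""
    store = SessionStore()
    store.register("alice", "correct horse battery staple")  # constructed sample user
    phone = store.login("alice", "correct horse battery staple")
    laptop = store.login("alice", "correct horse battery staple")
    # Constructed stand-in for a token an unauthorised party somehow holds:
    # it is just another session in the store, indistinguishable from the others.
    unknown_device = store.login("alice", "correct horse battery staple")

    dropped = store.revoke_all_for({"alice"})
    still_valid = [store.whoami(t) for t in (phone, laptop, unknown_device)]
    # The password was never in the session table, so the same password still works.
    relogin = store.login("alice", "correct horse battery staple")
    return {
        "sessions_revoked": dropped,
        "tokens_valid_after_revoke": still_valid,
        "password_still_works": relogin is not None,
    }


if __name__ == "__main__":
    print(forced_logout_demo())
```

The design point is the separation: `revoke_all_for` invalidates every token, including one the legitimate user never issued knowingly, while `register` and `login` are the only places that ever touch the password hash. A site that could not enumerate and drop sessions per user (for example one using self-contained signed tokens with no server-side list) would need a different mechanism, such as rotating the signing key or tracking a per-user “not valid before” timestamp.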

And if you do decide you want to delete your account, or just take a break from Facebook, it’s a simple enough process.

So how do you feel after this breach? Will you be sticking with Facebook, or are you thinking of deleting it once and for all? What could Facebook do to restore your trust?

Comments

No, thank goodness. It is safe to assume that any site anywhere on the net can be hacked and realise that any stored information out there on you, anywhere, can be accessed. Once this is accepted, risk assessment will dictate how and what you do online. It’s convenience versus consequence and likelihood that the site is worth hacking.
You mention losing music and playlists; I would extend this to cloud storage too – not immune from hackers. It’s why I do like to hold CDs and DVDs in my hand. You can’t hack these. I can exist happily in a net environment where I don’t stand to lose life savings or have too much inconvenience if things crash. Those who rely on the web for their livelihood, services that make their lives possible and those who need to communicate with others reliably, need a trustworthy internet and it seems that this is rapidly becoming as leaky as a sieve. National infrastructure is also the first thing to suffer if hackers are successful and they do seem to be one step ahead of the defenders who patch things up after the damage has been done. The web world is changing and we – plural – nationally – need to find new ways of doing things rather than try and beat the criminals and spies. No doubt folk are engaged in finding these while others are looking at preventing them from working.

Decent cloud storage is almost impossible to hack. Any decent cloud storage provider will be “zero-knowledge”, whereby the provider doesn’t store your password. The password (ideally a very long passphrase) is known only by you and is used to encrypt your data before it is sent to the cloud. Any data stored in the cloud thereby can’t be read by the provider and the provider can’t even reset your password. Any cloud storage provider that you’ve heard of (e.g. Dropbox, Google Drive, iCloud) is almost certainly not zero-knowledge and should be avoided. It’s simple enough to Google and find those that are.

As someone once pointed out, I have nothing on my Facebook page. I joined to help promote a small society and occasionally provide some historical information or details of events. Now that the society pages are self-sustaining and generate useful publicity I do not visit very often.

I use both Dropbox and iCloud, so that I don’t need to worry about which computer I am using. I have many photos and reports that will be of no value to anyone apart from me.

The article seems to have missed the later news that Facebook had been giving access [sold?] to people’s telephone numbers supplied to Facebook as a security measure. Nice one Facebook.

eff.org/deeplinks/2018/09/you-gave-facebook-your-number-security-they-used-it-ads

Perhaps Which? needs to step up to the plate on this abuse of EU regulations, and people’s legitimate expectations.


Our response here as further details emerge:

Alex Neill, Which? Managing Director of Home Products and Services, said:

“With further facts about Facebook’s data breach emerging, many users will be deeply concerned. It is critical that the company does all that it can to ensure the victims identified get clear information about what has happened and assists anyone negatively impacted.

“Anyone affected by the hack should consider changing their password, check credit reports and monitor bank and other online accounts. They may be vulnerable to identity fraud and should be wary of contact out of the blue as scammers may try to take advantage of it.”