As organizations of every size have become victims of cyberattacks, IT security experts have warned that no one is immune to hacking and data breaches. That point was proven yet again recently when Facebook announced the largest breach in its history, affecting nearly 50 million users.
This announcement has prompted concern among Facebook users and spurred plenty of discussion about IT security. Here are the answers to a few essential questions about the incident.
1. How did the Facebook data breach happen? According to Facebook, the attackers exploited a vulnerability in the “View As” feature, which lets users see how their profile looks to someone else. By exploiting that vulnerability, they were able to steal Facebook access tokens and use them to get into users’ accounts. An access token is essentially a digital key that keeps you logged into the Facebook app: the app presents it on every request instead of your password, so anyone who holds a valid token can act as you without knowing your password.
2. What has Facebook done to fix the issue? When the company announced the security issue, it had already fixed the vulnerability and alerted law enforcement. Additionally, Facebook reset the access tokens for the affected accounts as well as an additional 40 million accounts that experienced a “View As” look-up during the preceding year.
Anyone who was affected had to log back into their account after this reset and received a notification at the top of their News Feed explaining what happened. The company also temporarily disabled the “View As” feature while it conducts a thorough investigation of the issue.
3. What does this mean for Facebook users? When Facebook announced the breach on September 28, the company stated that since it had only just begun an investigation, it had not yet determined whether any information from the affected accounts was accessed and/or if any of the accounts were misused. It’s also not yet clear who was behind this cyberattack.
4. What steps can Facebook users take to protect themselves and their accounts? In the wake of the breach, the Federal Trade Commission has recommended that users keep an eye out for imposter scams. If hackers got access to the information in your Facebook account, they could try to impersonate someone you know and trick you into sending money or handing over more personal information. Be wary of anyone who contacts you unexpectedly asking for either.
Second, the FTC says consumers should consider changing their passwords just to be safe. Bear in mind, though, that the attackers used stolen access tokens rather than passwords; changing your password does not by itself invalidate a token that has already been issued, which is why Facebook’s token reset was the step that actually cut off the attackers’ access. If you do change your password, update your security questions as well, particularly if the old ones could be answered using information in your Facebook profile.
However, Facebook might not be the only app you need to worry about, according to The Guardian’s article “Huge Facebook breach leaves thousands of other apps vulnerable.” Any third-party account that users sign into with Facebook Login (e.g., Spotify) could also have been compromised, since those services trust a valid Facebook token to identify the user (although Facebook has said third-party apps and services do not appear to have been affected, according to the BBC).
At this point, users should watch for unusual activity on any account that could have been affected and can change their passwords for good measure, security experts told The Guardian. It also helps to turn on two-factor authentication where available, review the active sessions listed under Facebook’s Security and Login settings and log out any you don’t recognize, and disable auto-logins for Facebook and other third-party authentication systems (e.g., Twitter).
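To make the distinction between a password and an access token concrete, here is a small Python model of bearer-token sessions. It is an added illustration, not Facebook’s code, and the `TokenStore` class, the user names and the timestamps are all invented for the example. It shows that a stolen token keeps working after the victim changes their password, and that a bulk reset of tokens issued before a cutoff for a named set of accounts, the kind of step Facebook described in question 2, is what actually locks the attacker out.

```python
"""Toy model of bearer-token sessions (added example, not Facebook's code).

A token, once issued, is a credential in its own right: it is checked on every
request and is independent of the password. Revoking tokens, not rotating
passwords, is what invalidates a stolen one.
"""
import hashlib
import hmac
import os
import secrets

PBKDF2_ROUNDS = 100_000  # illustrative; real systems tune this to their hardware


class TokenStore:
    """Minimal in-memory model of accounts and their bearer access tokens (hypothetical)."""

    def __init__(self):
        self.passwords = {}  # user -> (salt, pbkdf2 digest)
        self.tokens = {}     # token -> (user, issued_at)

    def _hash(self, password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)

    def set_password(self, user, password):
        """Set or change a password. Note: existing tokens are deliberately left alone."""
        salt = os.urandom(16)
        self.passwords[user] = (salt, self._hash(password, salt))

    def login(self, user, password, now):
        """Verify the password and, on success, mint a fresh random bearer token."""
        if user not in self.passwords:
            return None
        salt, digest = self.passwords[user]
        if not hmac.compare_digest(self._hash(password, salt), digest):
            return None
        token = secrets.token_urlsafe(32)
        self.tokens[token] = (user, now)
        return token

    def whoami(self, token):
        """What a request bearing this token is allowed to act as, or None if invalid."""
        entry = self.tokens.get(token)
        return entry[0] if entry else None

    def reset_tokens(self, users, issued_before):
        """Bulk reset: drop every token of the named users issued before the cutoff.

        Returns the number of tokens invalidated. Other users' sessions survive.
        """
        users = set(users)
        before = len(self.tokens)
        self.tokens = {
            t: (u, ts) for t, (u, ts) in self.tokens.items()
            if not (u in users and ts < issued_before)
        }
        return before - len(self.tokens)


def demonstrate():
    """Walk through theft, password change and token reset; return what happened."""
    store = TokenStore()
    store.set_password("alice", "correct horse")
    store.set_password("bob", "battery staple")

    # t=100: both users log in; assume an attacker captures alice's token.
    stolen = store.login("alice", "correct horse", now=100)
    bob_token = store.login("bob", "battery staple", now=100)

    result = {"stolen_works": store.whoami(stolen) == "alice"}

    # Alice changes her password. The stolen token is untouched and still valid.
    store.set_password("alice", "new password")
    result["works_after_pw_change"] = store.whoami(stolen) == "alice"

    # The operator resets every token issued before t=200 for the affected users.
    result["dropped"] = store.reset_tokens(["alice"], issued_before=200)
    result["works_after_reset"] = store.whoami(stolen) == "alice"
    result["bob_unaffected"] = store.whoami(bob_token) == "bob"

    # Alice logs back in with the new password and receives a fresh token.
    fresh = store.login("alice", "new password", now=300)
    result["fresh_works"] = store.whoami(fresh) == "alice"
    return result


if __name__ == "__main__":
    for key, value in demonstrate().items():
        print(f"{key}: {value}")
```

Running `demonstrate()` shows the stolen token still resolving to `alice` after the password change, then failing only once `reset_tokens` has run, while `bob`'s session is unaffected. That ordering is the reason the token reset, not the password advice, was the decisive remediation.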
5. Will the organization face any regulatory consequences? The Irish Data Protection Commission has launched an investigation into the Facebook breach, according to the BBC. Earlier this year, Facebook selected the Irish DPC to oversee its compliance with European Union privacy rules.
The Commission will examine Facebook’s compliance with the General Data Protection Regulation (GDPR), which obligates the social media company to establish appropriate organizational and technical measures to safeguard personal data.
If you’d like more information on data breaches and IT security, don’t hesitate to contact our team of expert techs. We work with a wide range of cybersecurity services and solutions and can offer insight into best practices for responding to data breaches and minimizing risk levels. Call us today at 877-599-3999 or email firstname.lastname@example.org.