Here are some simple steps every Facebook user should take to stay safe online.
What happened?
Facebook said hackers exploited a vulnerability in the website’s code linked to the ‘View As’ feature, which was designed to let users see what their profile looks like to other users. Using this, they were able to steal ‘access tokens’, which allow users to stay logged in on their account, and take over the accounts.
The vulnerability was made possible by a mistake in July 2017, when Facebook made a change to its video uploading features, the company said.
Facebook said the attack was discovered on Tuesday and it has temporarily turned off the ‘View As’ feature.
The company said the problem is now fixed but admitted it did not know who was behind the attack, how long hackers had access to accounts or whether accounts were misused.
How do I know if I have been hacked?
If you were asked to log back into Facebook or apps connected to it, such as Instagram, Tinder or Spotify, you may be one of the 50 million accounts affected.
However, there is currently no way to know for sure because Facebook logged out another 40 million accounts as a precautionary measure.
Facebook’s ‘Security and login’ page in your profile’s account settings has a feature which tells you where your account has been logged in from. If you see a login from a location you do not recognise, this may be a sign you have been hacked.
What can hackers do with my account?
Facebook accounts contain personal information which can be useful for hackers. In a call to reporters, Guy Rosen, Facebook’s VP of product management, said hackers would have been able to access information such as names, home towns and gender.
This information can be used by hackers to help access other accounts which use personal information for security questions.
Although Facebook is still unsure exactly what data was accessed and how it was used, Mr Rosen said no credit card information had been accessed and passwords were not taken.
What should I do if I was hacked?
Even if you were not logged out of Facebook on Friday, online security experts are advising users to improve their account security by changing their password, especially if it is used for multiple accounts.
If you use the same password for different social media accounts and websites, it is advised you change it to individual, complex ones. Long passwords which consist of nonsensical phrases, numbers and special characters, such as !#@, are considered safer than ones with phrases related to family members, friends and your personal life.
You may also be logged in to Facebook on multiple devices – for example, on both your laptop and the app on your phone. If Facebook has not already logged you out of every device, you can do it yourself by going to the ‘Security and login’ page, clicking on ‘See more’ in the ‘Where you’re logged in’ section and manually logging out of every account.
The ‘Security and login’ page also allows you to set up login alerts if your account is accessed from an unfamiliar location or browser, which can be sent via notifications, email or over Facebook Messenger.
Two-factor authentication
Facebook also offers a security feature which requires a unique verification code as well as your password to access your account. This code will be sent either by text or via a registered authentication app, such as Google Authenticator or Duo Mobile.
You will need to go to the ‘Security and login’ page in your Facebook account settings to set up two-factor authentication.
Does this just affect Facebook?
After Friday’s announcement, Facebook told reporters that because access tokens were stolen in the attack, hackers could have accessed third-party websites which use its accounts for logins. This includes apps such as Instagram, Tinder, Spotify and Airbnb which use Facebook’s ‘single sign-on’ feature.
It is wise for users who have used Facebook to make accounts on these apps to log out of them as well and log in again.
According to Wired, it is currently unclear how long stolen access tokens can be used or how easily hackers could use them to access third-party websites.
How worrying is this attack?
Facebook has sought to reassure users that the security breach has been fixed and said users are not currently in danger of being hacked. However, the breach is the largest in the company’s history and hackers could have taken full control of accounts.
Details are still limited about the scope and sophistication of the attack and until more is known, users should take all the steps they can to make sure their accounts are secure.
The Data Protection Commission (DPC), which enforces Europe’s data regulations, expressed concern when they were informed about the attack.
A spokesperson for the DPC criticised Facebook’s notification for lacking detail and said it was concerned ‘Facebook is unable to clarify the nature of the breach and the risk for users at this point’.
"The DPC continues to press Facebook to clarify these matters further as a matter of urgency," they added.
The Independent
More about: Facebook