Facebook announced a data breach on Friday, Sept. 28, in which the personal information of 50 million user accounts was put at risk due to a vulnerability in the social network's code.
The attack potentially exposed personal information and gave hackers the ability to take control of users' profiles. Since discovering the breach, Facebook has fixed the vulnerability and has informed law enforcement to investigate.
Was My Facebook Account Affected?
About 50 million Facebook users were affected by the code vulnerability, which gives hackers the ability to steal "access tokens" that allow users to stay logged into their accounts.
(When you sign in to a site or app with your username and password, your browser or device typically receives a digital key known as an access token that lets you stay logged in without having to re-enter your credentials every time. That token does not actually store your password.)
Fraudsters could use these access tokens to not only take over users' Facebook profiles but also have the ability to access third-party accounts like Airbnb, Spotify or Uber that use Facebook credentials to log in. (See also: Is It Safe to Use Facebook to Login on Other Sites?)
Though 50 million accounts were targeted, Facebook reset the access tokens on a total of 90 million accounts as a precautionary measure. If your account was affected, you would have been logged out of Facebook and would need to log back in with your password the next time you visit the site.
What Personal Data Could Have Been Compromised in the Facebook Attack?
According to Facebook, attackers tried to target certain information, including users' names, genders, and hometowns listed in their profiles. But it's not yet clear if that or any other user information was actually compromised before Facebook fixed the vulnerability.
Though the access tokens targeted in the attack could potentially be used to log into third-party sites, Facebook announced on Oct. 2 that its investigators don't believe such third-party sites were affected.
How Do I Protect Myself as a Facebook User?
If you were one of the 90 million users whose access tokens were reset by Facebook, you would have been logged out of your account and will need to log back in. You should have received a notification about this on the top of your Facebook news feed. But even if you were not affected, this is a good time to take the following steps to ensure your identity and personal information is protected:
1. Conduct a Device Audit
To find out if anyone has improperly accessed your Facebook account, click on "Settings" on Facebook. Next, go to the "Security and Login" tab. There, you will see a list of all the devices, locations and the most recent dates that you have logged into Facebook.
If you see any that you do not recognize, you can remove that device from being logged in. Facebook will also take you through a step-by-step process to secure your account if this is the case. You can also log out of all sessions.
2. Reset Your Facebook Password
According to Facebook, there is no need to reset your Facebook login password. However, there is no harm in doing so—and it might be a good idea if you have a weak password or have noticed any suspicious activity.
Consider resetting your Facebook password to one that is unique and not used on any of your other sites or apps. To do so, go to "Settings," then "Security and Login," and click "Edit" on the "Change password" section. See Experian's recommendations on creating a secure password here.
3. Enable Two-Factor Authentication
For the most security, it's smart to turn on two-factor authentication. This security feature requires a unique code sent by a text message, call, or email, in order to log into your account after entering your password.
That way, even if someone obtains your password, they can't log into your account without the code. To enable two-factor authentication in Facebook, go to "Settings," then "Security and Login," where you will see the option to turn it on.
4. Check Which Sites and Apps Use Facebook for Login
If an attacker has access to your Facebook access token, they have the ability to get into your Facebook account—and also any other site or app you have used Facebook to log in with, such as streaming services, apps or games, and more. Even though Facebook has since announced that third-party sites using Facebook logins were not hacked, it's still smart to decouple your logins for the most security.
To find out which apps and sites use your Facebook login, go to "Settings" and then "Apps and Websites." There you will see a list of all active, expired and removed websites and apps that use your Facebook login. You can remove any or all of these apps. You may want to update the passwords on these services, as well.
How Can I Safeguard My Identity Going Forward?
Data breaches have become an unfortunate part of life in our digital world. In 2017 alone, there were 1,579 data breaches exposing nearly 179 million records. That's why it's important to remain vigilant to protect your identity online and off. (See also: Here's What You Should Do After a Data Breach)
1. Be Aware of Online Scams
Start by being aware of phishing scams in which fraudsters use the information they know about you—like your name or hometown (information that may have been accessed in the Facebook breach)—to get you to divulge other personal data through email. Scammers do this by embedding hyperlinks into emails or text messages that direct you to sites intended to collect your personal information or install malware onto your computer or phone.
As a rule of thumb, do not click on links sent through email or text, especially if they are asking you to give up personal information. There are several variations of phishing scams—including spear phishing, angler phishing, and smishing—but the bottom line is you should always be vigilant when being asked to enter any personal information online or via text.
2. Consider a Free Fraud Alert
If you're worried that you are a victim of identity theft, consider filing a free initial fraud alert on your credit file that remains active for one year through the Experian fraud center. (File it with one credit bureau and you're good to go because the bureaus will share such alerts with their counterparts.) The fraud alert notifies lenders pulling your credit report to take extra steps to verify your identity.
3. Monitor Your Credit and Identity
If you're concerned about your personally identifiable information being out there, you should check your free Experian credit report for errors or suspicious accounts. Run a free dark web scan as well to find out if information like your Social Security number, phone number or email addresses are on the dark web.
Remember, the initial fraud alerts mentioned above do not block access to your credit reports. One way to do that is to freeze your credit reports, a free measure that prevents lenders from issuing new credit in your name altogether.
- Allows you to easily lock or unlock your report in real time, with no waiting period.
- Provides daily monitoring of your credit file, which means you will be alerted about any key changes, including new account openings.
- Provides up to $1 million in identity theft insurance: If you become a victim of identity theft, you can be covered for the unreimbursed costs of restoring your identity, like fraudulent electronic fund transfers, lost wages, legal fees and travel expenses.
- Gives you access to your Experian credit report and FICO® Score, along with all the other benefits of Experian membership, such as dark web monitoring, which lets you know if your information is found on the dark web.
4. Protect Your Children
Run a free Child ID Scan to find out if your child's Social Security number is out there or if there is an Experian credit file in her name, which could be a sign of fraud.
For more information on keeping your identity safe on social media, check out:
- Is It Safe to Use Facebook to Login on Other Sites?
- 9 Ways to Stay Safe on Social Media
- How to Manage Your Privacy Settings on Social Media
Editorial Disclaimer: Opinions expressed here are author's alone, not those of any bank, credit card issuer, or other company, and have not been reviewed, approved or otherwise endorsed by any of these entities. All information, including rates and fees, are accurate as of the date of publication.