On Friday afternoon, Facebook announced that 50 million users were exposed in a security breach that allowed hackers to steal access tokens, which could be used to take over people’s accounts.
Attackers exploited a flaw in the platform’s “View As” feature, which lets users view their own profile as a friend, the public, or a third party would see it, to obtain access tokens: digital keys that allow a user to reopen Facebook without having to log in again. While Facebook said the hackers exploited “multiple issues in our code,” it noted that the vulnerability stemmed specifically from a video upload feature released in July 2017.
Facebook discovered the vulnerability on Tuesday and has disabled the “View As” feature and patched the flaw. More than 90 million users were forced to log out of their accounts Friday morning. The company is continuing to investigate the event. It is unknown at this time who is responsible for the attack and what, if any, information has been exposed or compromised.
What Consumers Can Do:
While the ubiquity of breaches has led some consumers to a state of apathy, it’s more important than ever to be vigilant. Consider taking the following data breach safety measures to help reduce your risk:
- As a precaution, log out of your Facebook account everywhere: open the “Security and Login” section in the Settings tab and select all locations where you are logged in.
- While Facebook has not required password resets, we suggest updating passwords regularly as a best practice in personal data security. If you have forgotten your password, use the platform’s Help Center.
- While little is known about the information compromised in the breach at this time, we encourage you to take this opportunity to review which third-party apps you have given permission to access your account. Read our blog on third-party apps for more information on how to review which third-party apps have access to your Facebook account.
- Sign up for an identity protection service that includes identity and credit monitoring if you haven’t already. Just be aware that not all monitoring services will protect you equally, so make sure you find a service with powerful monitoring capabilities and 24/7 full-service resolution assistance, should you ever find yourself the victim of fraud.
Comprehensive monitoring services should include internet surveillance, compromised credential monitoring, and credit monitoring. Most importantly, they should include alerts so that if a customer’s information is detected on the deep and dark web, the customer can work with resolution experts to take corrective action and minimize any damage. Some recommended information to monitor includes:
- Login credentials for various sites
- Social Security number
- Email addresses
- Date of birth
- Debit/credit card numbers
- Bank account numbers
- Insurance card/policy number
- Driver’s license number
- Loyalty card numbers
- Affinity card numbers
- Passport number
In this age of continued breaches, identity protection is timelier than ever. Purchase Iris identity protection today to provide yourself with an extra layer of protection for your most valuable asset – your identity.