Facebook first reported the breach on Friday, September 28 -- approximately three days after the full issue was allegedly first discovered, according to an official statement written by VP of Product Management Guy Rosen. An unusual spike in activity was detected on the site around the middle of September -- the 16th, according to remarks Rosen made during a press call -- which led to an investigation and the full discovery on September 28th.
The hackers were able to steal from 50 million accounts and another 40 million may have been impacted
Jake Williams, the president of Rendition Infosec, says the log-in keys that hackers got on some 50 million user accounts would likely allow hackers to view private information and post on other people’s behalf.
THOSE USING THEIR BUSINESS EMAIL ADDRESS AS THEIR FACEBOOK LOG-IN EMAIL ARE AT AN ENORMOUS RISK!!
Facebook says it doesn’t know who’s behind the attacks or where they’re based, but they know it was done using ‘Access Tokens’.
What's an access token? Essentially, an access token is a digital key that keeps you logged in so you don't have to re-enter your password, and it is what allows you to use one account (like Facebook, Twitter, or Google) to log into several different services or apps.
With the access tokens, hackers could take control of a person’s account, effectively allowing them to do things like read personal messages, post comments, and share information with other users. The bigger concern is that these tokens also let the attackers into any other service or third-party application that the person had signed into with Facebook's login service, exposing highly personal information held there.
Although Facebook says it has found no evidence of this, by using access tokens the hackers not only had the ability to access the Facebook accounts of the affected users, they also had access to any other service in which a person used their Facebook account to register — including Messenger and apps like Tinder, Spotify, and Airbnb. Instagram, which is owned by Facebook, may also have been affected. Hackers could potentially have accessed everything from people’s private messages on Tinder to their passport information on Expedia, all without leaving a trace.
Even more staggering: You could be at risk even if you've never used Facebook to log into a third-party site. Say, for example, you logged into a website with the same email address that's associated with your Facebook account. If an attacker tries to log into that same website using Facebook's Single Sign-On, the researchers found that some sites—including fitness app Strava—will associate the two accounts.
If attackers have already used your Facebook credentials to log into one of your apps, they may still be there, depending on the app’s security settings.
How? Because some of the web’s most popular sites have not implemented basic security precautions that would have limited the fallout of the Facebook hack, according to a recent research paper out of the University of Illinois at Chicago. In a manual audit of 95 of the most popular web and mobile sites that offer Facebook Single Sign-On—from Uber and Airbnb to The New York Times and The Washington Post—the researchers found that only two required people to enter their Facebook passwords each time they logged in.
If attackers used the tokens to attack third-party apps before Facebook invalidated them, things become much trickier. On many websites, the researchers found that attackers could reset the account’s email and then set a password without knowing the account’s actual password. So even if single sign-on no longer works and the attacker no longer has access to that Facebook account, they could still maintain access to the third-party account. When testing this attack scenario, Polakis and his fellow researchers accessed accounts on 29 of the web’s most popular sites and were still able to log into 22 of them, even after losing access to the Facebook accounts.
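The two weaknesses the audit describes, modelled as an added example (not code from the article or from any of the sites it names): a relying party that links a Facebook login to an existing account just because the e-mail matches, and that lets a session authenticated only by an SSO token change the e-mail and set a password, beside a strict policy that refuses both. Every account, e-mail address and password in it is constructed.

```python
"""Constructed model of a site's Facebook-Login account handling (added
example, not code from the article or any site it names). The "weak"
policy reproduces the audit's two findings: an SSO login is silently
linked to an existing account with the same e-mail, and e-mail/password
can be changed from an SSO-only session. "strict" refuses both."""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Account:
    email: str
    password: Optional[str] = None  # plaintext only for this model; store a hash for real
    fb_ids: set = field(default_factory=set)  # identity-provider ids linked to the account


def sso_login(accounts: dict, fb_id: str, email: str, policy: str) -> Optional[Account]:
    """Log in with an identity-provider assertion (fb_id, e-mail).
    weak:   an unlinked account with the same e-mail is linked on the spot.
    strict: only a previously linked fb_id logs in; an unlinked e-mail match
            returns None (the site must re-authenticate before linking)."""
    for acct in accounts.values():
        if fb_id in acct.fb_ids:
            return acct
    acct = accounts.get(email)
    if acct is None:  # genuinely new user: create an SSO-only account
        acct = accounts[email] = Account(email, fb_ids={fb_id})
        return acct
    if policy == "weak":
        acct.fb_ids.add(fb_id)
        return acct
    return None


def change_credentials(acct: Account, auth_method: str, new_email: str,
                       new_password: str, current_password: Optional[str],
                       policy: str) -> bool:
    """Change the e-mail and set a password. strict: the session must be
    password-authenticated and the current password re-entered, so a token
    holder cannot plant a password that outlives token revocation."""
    if policy == "strict" and (auth_method != "password"
                               or current_password != acct.password):
        return False
    acct.email, acct.password = new_email, new_password
    return True


def password_login(accounts: dict, email: str, password: str) -> Optional[Account]:
    """Local login: how an attacker keeps access after the token is revoked."""
    for acct in accounts.values():
        if acct.email == email and acct.password == password:
            return acct
    return None
```

Under the weak policy the sequence is exactly the one the researchers describe: a stolen token logs into the victim's pre-existing password account, rewrites its e-mail and password, and the new password keeps working after the token is gone.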
Changing your passwords may or may not help, depending on the application, but it’s a reasonable thing to do, says Polakis. If you fear you’ve already been compromised, you should also look for unusual activity on those accounts, he adds.
The full impact on users has yet to be determined -- and as more information is revealed, it could continue to affect the public perception of Facebook.
“Breaches don’t just violate our privacy. They create enormous risks for our economy and national security,” Rohit Chopra, a commissioner of the Federal Trade Commission, said in a statement. “The cost of inaction is growing, and we need answers.”
Facebook still collects your data, even when you’re logged out
When you visit a site or app that uses Facebook services, they receive information even if you’re logged out or don’t have a Facebook account. Many websites and apps use Facebook services to make their content and ads more engaging and relevant. These services include:
Social plugins (such as the Like and Share buttons) make other sites more social and help you share content on Facebook.
Facebook uses your IP address, browser/operating system information, and the address of the website or app you’re using to make these features work. For example, knowing your IP address allows them to send the Like button to your browser and helps them show it in your language.
Cookies and device identifiers help them determine whether you’re logged in, which makes it easier to share content or use Facebook to log into another app.
Facebook Login lets you use your Facebook account to log into another website or app.
Facebook Analytics gives websites and apps data about how people use them.
IP addresses help them list the countries where people are using an app.
Browser and operating system information enable them to give developers information about the platforms people use to access their app.
Cookies and other identifiers help count the number of unique visitors. Cookies also help recognize which visitors are Facebook users, so they can provide aggregated demographic information, like age and gender, about the people using the app.
Facebook Audience Network enables other websites and apps to show ads from Facebook advertisers. When Facebook gets a request to show an Audience Network ad, it needs to know where to send it and the browser and operating system the person is using.
Cookies and device identifiers help determine whether the person uses Facebook. If they don’t, Facebook can show an ad encouraging them to sign up. If they do, Facebook will show them ads from the same advertisers that are targeting them on Facebook. Cookies can also use the fact that they visited a site or app to show them an ad from that business – or a similar one – back on Facebook.
Ad measurement tools enable websites and apps to show ads from Facebook advertisers, to run their own ads on Facebook or elsewhere, and to understand the effectiveness of their ads.
An advertiser can choose to add the Facebook Pixel, a small piece of code, to their site. This allows Facebook to give advertisers stats about how many people are responding to their ads — even if they saw the ad on a different device — without Facebook sharing anyone’s personal information.
To control what data Facebook is collecting, the company directs users to its News Feed preferences and Ad preferences to remove unwanted advertisers and opt out of certain types of ads. You can disable the feature that lets Facebook provide targeted ads based on your browsing habits, and you can disable the option that lets other apps and websites use your Facebook interests to provide ads.
All content provided on our website is for informational purposes only. Strive Tax & Accounting, LLC makes no representations as to the accuracy or completeness of any information on this site or found by following any link on this site, will not be liable for any errors or omissions in this information nor for the availability of this information and will not be liable for any losses, injuries, or damages from the display or use of this information. Strive Tax & Accounting, LLC does not represent or endorse the accuracy or reliability of any information content distributed through, or linked, downloaded or accessed from any of the services contained on this website, nor the quality of any information or any other material displayed, purchased, or obtained by you because of an advertisement or any other information’s or offer in or in connection with the services herein. Any reliance upon the information shall be at your own risk. Strive Tax & Accounting, LLC reserves the right, in its sole discretion and without any obligation, to make improvements to, or correct any error or omissions in any portion of the service or the materials. The information is on an ‘as is’ basis, and Strive Tax & Accounting, LLC expressly disclaims and all warranties, express or implied, with respect to the information presented and assumes no obligation to inform the reader of any changes in tax laws or other factors that could affect the information contained herein.