Facebook, already under siege by foreign agencies, the U.S. government, and privacy-rights activists across the globe, discovered a new enemy this week — one that it cannot yet name and one whose intentions are not immediately clear. While this is a developing story with many uncertainties, here’s what we do know about the data breach that exposed the personal details of nearly 50 million Facebook users.
What Facebook knows about the breach
Earlier this week, Facebook learned that cybercriminals hijacked millions of user accounts by exploiting multiple bugs in the site's code.
The first vulnerability lay in the platform’s “view as” function, which allows users to see how their profile is displayed to other viewers. Ironically, this feature was first created to help users better control their privacy. The second bug was tied to Facebook’s video uploading program, first introduced in 2017. Collectively, these exploits allowed cybercriminals to gain access to nearly 50 million user accounts.
The public became aware of the issue Friday morning when 90 million users were forced to log back into their accounts. This figure included the 50 million known victims, as well as 40 million additional accounts that were reset as a precaution.
Users who may have been affected by the breach were also alerted via Facebook notification.
What Facebook doesn’t know about the breach
As of publication, there are more unknowns than knowns, including some of the most significant pieces of the puzzle. These include:
- An exact count of how many users were involved
- The identity of the hackers
- The motivation of the attackers
- How the exploited accounts may have been misused
- How the personal details obtained could be used
Facebook’s statement on the breach
The timing couldn’t be worse for Facebook, which finds itself in a sea of growing controversy. The company made official statements through a variety of channels on Friday.
Guy Rosen, vice president of product management, attempted to calm affected users via an FB Newsroom post:
“We’re taking this incredibly seriously and wanted to let everyone know what’s happened and the immediate action we’ve taken to protect people’s security...People’s privacy and security is incredibly important, and we’re sorry this happened. It’s why we’ve taken immediate action to secure these accounts and let users know what happened.”
Meanwhile, CEO Mark Zuckerberg reiterated Facebook’s commitment to privacy — a much harder sell today than it was a year ago — in a phone call with reporters.
“We’re taking it really seriously...We have a major security effort at the company that hardens all of our surfaces...I’m glad we found this. But it definitely is an issue that this happened in the first place.”
“The reality here is we face constant attacks from people who want to take our accounts or steal our information...we need to do more to prevent this from happening in the first place....security is an arms race, and we’re continuing to improve our defenses.”
New PrivacyArmor feature goes live today
InfoArmor has recognized that privacy and potential social account takeover scenarios are becoming more common, which is why we are introducing a new feature today in response to this news. We had originally planned to release our social account takeover feature in January 2019, but all PrivacyArmor Plus participants will now receive alerts for social account takeover.
Our social media Artificial Intelligence alerts users about posts made in their name that frequently indicate account takeover. It will also detect suspicious changes to an account name, username, profile image, or background image, changes that may indicate the account has been hijacked.
Social account takeover alerts are part of our Social Media Monitoring feature, which will monitor Facebook, Instagram, Twitter, and LinkedIn. Those with family accounts will be able to monitor accounts across the whole family; they just need the family member’s login credentials for each site.
Actions you should take
If you use PrivacyArmor's Social Media Monitoring feature and Facebook logged you out of your account, you will also need to reauthenticate your Social Media Monitoring connection to Facebook. If you haven't yet connected your social accounts to Social Media Monitoring, now is the time!
At this time, Facebook hasn’t indicated any action you can take to further protect your account. In fact, Rosen stated that there is no need for users to even reset their passwords. According to the tech juggernaut, passwords were not impacted by the security incident.
Finally, there are many best practices you should follow when it comes to managing your social media. You can learn about them in our complimentary guide, Protecting Your Privacy: Best Practices for Mobile, Social, and Search. We’ll keep you posted on any updates in the coming days.