10 New Facts About the Facebook Data Breach S’poreans Should Know About

Lest you’re not aware, it hasn’t been exactly a good year for Facebook.

Other than being accused of distributing fake news (unwillingly, of course), the Cambridge Analytica scandal has made a dent in the social media’s credibility, resulting in a #DeleteFacebook campaign.

It doesn’t help that top executives are leaving the social media giant, too, with the latest ones being the founders of Instagram (Facebook owns Instagram).

Late last month, Facebook notified users about a massive data breach that supposedly affected 50 million users, and 90 million users were logged out as a precaution.

Well, now, there has been a new development and depending how you see it, it’s either good news or bad news.

How Did it All Started?

It all started (sort of) from 28 September 2018, when Facebook notified users that on 25 September 2018, they discovered a security issue that affected 50 million users. Back then, they did not have much information other than the fact that the hacker had stolen “Access Tokens”: something like a digital key that keep a person stay logged-in.

The vulnerability was in Facebook’s “View As” feature, which has been shut down immediately.

Because of this, Facebook force-logged out 90 million accounts. In other words, if you found yourself logged out all of a sudden late last month (and curse and swear ‘coz you’ve forgotten your password), chances are you’re one of the 90 million users.

What was the Damage Back Then?

On 2 October 2018, a few days after the data breach, Facebook found that third-party logins weren’t accessed.

Now, what are they talking about?

Some people often use the “Use Facebook to Login” feature in certain apps, so they won’t need to create a new account for a new app they are using. For example, one might have used a Facebook account to create an Instagram account, therefore he or she won’t need to use another email to register an Instagram account.

As the Access Tokens were stolen, people were concerned that the hackers managed to gain access to those accounts too.

So, third-party apps are safe.

Wait. Maybe not.

However, Not All Are Safe

Big companies like Spotify or AirBnB would usually use the “best practices” to integrate the Facebook login feature in their app, so these accounts are safe. However, there might be some developers who didn’t follow the rules to use the Facebook logins; that would have put users at risk.

Then again, let’s face it: those developers aren’t likely to be developing legit apps, so these apps most likely aren’t in the Google Play Store or iTunes (yes, they do screen apps).

So if you’ve an app that uses Facebook login and the app isn’t exactly one that you dare to show to others…then you’d better change your password.

Affected Users

As mentioned, while 50 million users were affected, 90 million users’ accounts were logged out as a precaution. So if you’re logged out, your account has a 55.5% chance of being compromised – though that’s set to change with the latest announcement.

It’s not 50 million accounts: it’s 29 million accounts being compromised

Facebook has just updated the public about the attack last month, and it’s disturbing to say the least.

The exact number turns out to be 29 million: in other words, if you’re logged out last month, there’s a 32% chance of your account being compromised. But there’s no need to guess: in the next few days, Facebook would notify users who are affected by the data breach.

So, what was stolen from these accounts?

14 Million Users had their personal details compromised

14 million users had details like birth dates, employers, education history, religious preference, types of devices used, pages followed and recent searches and location check-ins taken. You might be wondering: hey, some of these are in public domains, aren’t they?

Apparently not: some users have set their privacy setting so high, one can merely see their username and profile picture. So these details are apparently pretty personal.

For details like devices used and recent searches, they can only be known by the user themselves. So yeah, very personal details were lost.

So what, you might ask. Read on first, because the world isn’t as safe as you think it is.

15 Million Users Had Less Details Compromised

The other 15 million users had their name and contact details (i.e. email or phone number) stolen.

Well, as mentioned, if one has his or her contact details private, this is a massive loss of privacy.

So, what are the attackers do with these info?

Personal Details Could be Used for Phishing Attacks

So, let’s say my colleague below here works for Baddy Feed, and he has his Facebook account compromised.

 

View this post on Instagram

 

How long can a pack of cai png stay in room temperature before it goes bad? Technically speaking, cooked food would go bad after two hours, so it’s always best to consume within two hours. However, if there’s a need to keep it longer, just don’t open it: the trapped heat can make it last slightly longer. Read more in our app. Link in bio. Cai Png King in the post: @notzhihao #factoftheday #caipng #sgfood #sgfoodies #foodsg #sgig #sg #singapore #sgigfood #sgfoodporn

A post shared by Goody Feed (@goody.feed) on Oct 5, 2018 at 3:31am PDT

(BTW that’s our Instagram account; follow us can?)

The attacker might send an email to him with a Baddy Feed email address (that can be spoofed), asking for information…from another person whose Facebook account is also compromised. The attacker might ask for a password for a non-sensitive stuff (e.g. password for his office com), and the password could be used for his other personal accounts, too.

In one smooth move, the attacker had access to all his online accounts.

All these could be done automatically with a software, so as long as 1 out of 1,000 fall for it, it’d have a hit. And with 29 million accounts compromised, you can see why it is disturbing.

No Messages or Financial Data Stolen

Most of us would wonder if our mushy messages have been stolen: well, the good news is that the stolen data is limited to personal details, so there’s no concern for that.

And of course, no financial data were stolen. If that is stolen, it would have been a breaking news, man.

What Next?

Facebook VP has mentioned that the attack is not motivated by the U.S. mid-term Congressional election that’s happening next month; the attackers are however not revealed (or found) yet.

Facebook said they would “do everything we can to earn users’ trust”, while regulators all over the world have launched investigations into the data breach.

In the meantime, you might or might not receive a message from Facebook on whether you’re one of the 29 million users, and what details have been stolen.

But whether you’re affected, you should change your password, because how many times have you been told to change it regularly?