On Friday afternoon, Facebook announced that about 50 million users were affected by a security breach in which attackers stole access tokens that could be used to take over people's accounts.
Attackers exploited a flaw in the platform's "View As" feature, which lets users see how their own profile appears to a friend, to the public, or to a third party. The flaw let them obtain access tokens: digital keys that keep a user signed in to Facebook so they do not have to log in again. Facebook said the attackers exploited "multiple issues in our code," and traced the vulnerability specifically to a video upload feature released in July 2017.
Facebook discovered the vulnerability on Tuesday and has disabled the “View As” feature and patched the flaw.
More than 90 million users were forced to log out of their accounts Friday morning. The company is continuing to investigate the event. It is unknown at this time who is responsible for the attack and what, if any, information has been exposed or compromised.
What Consumers Can Do:
While the ubiquity of breaches has led some consumers to a state of apathy, it is more important than ever to be vigilant. We encourage consumers to consider taking the following data breach safety measures to help reduce their risk:
- Log out of all active Facebook sessions as a precaution: open the Settings tab, go to the "Security and Login" section, and log out of every location listed where the account is logged in. Ending those sessions invalidates any access tokens tied to them, which is the kind of credential stolen in this breach.
- While Facebook has not required password resets, we suggest choosing a strong, unique password and updating it as a best practice in personal data security. Note that a password change on its own does not end sessions an attacker has already opened with a stolen token, so combine it with the log-out step above. If consumers have forgotten their password, they can use the platform's Help Center.
- While little is known about the information compromised in the breach at this time, we encourage individuals to take this opportunity to review which third-party apps they have given permission to access their account. Read our blog on third-party apps for more information on how to review which third-party apps have access to individuals’ Facebook accounts.
If individuals do not already have identity protection, we strongly urge everyone to sign up for a service that includes identity monitoring and resolution services. However, everyone should be aware that not all monitoring services will protect them equally. We encourage individuals who are evaluating identity protection services, and businesses who are evaluating such third-party services to offer, to compare the monitoring capabilities and the quality of the customer service.
Comprehensive monitoring services should include internet surveillance, compromised credential monitoring, and credit monitoring. The monitoring should also include alerts so that if a customer’s information is detected, they can quickly assess and work with resolution experts to minimize any impact.
Some recommended information to monitor includes:
- Login credentials for various sites
- Social Security number
- Email addresses
- Date of birth
- Debit/credit card numbers
- Bank account numbers
- Insurance card/policy number
- Driver's license number
- Loyalty card numbers
- Affinity card numbers
- Passport number
To learn more about protecting your customers’ and employees’ data with Generali Global Assistance identity and digital protection, request a demo.