A few weeks ago, Facebook had to admit that up to 50 million accounts were accessed by hackers, and after an investigation, they’ve created a tool to let you know if you were affected.
For those who had no idea that this happened, essentially hackers abused a security hole in the “View As” feature on your profile, which lets you check whether your profile has private information visible to other people, friends, or the general public. Ironically, this feature, designed to help you protect your privacy, had a huge bug that would actually temporarily log you in as the other user. Hackers then figured out how to harvest tons of information this way.
Facebook has now confirmed that hackers stole access tokens for “only” 30 million people, not 50 million. For 15 million of those people, the hackers were able to get their phone number, email address, or both. And for 14 million more people, the hackers were able to get a lot more information, like username, gender, relationship status, religion, birthday, and a ton of other information, including things you’ve searched for.
We now know that fewer people were impacted than we originally thought. Of the 50 million people whose access tokens we believed were affected, about 30 million actually had their tokens stolen.
You can check whether you were affected by visiting the update page on Facebook’s Help Center and scrolling down to the bottom, where you’ll see a notice like this, which will indicate whether you were or weren’t hacked. As you can see, my account was not accessed.
So What Does This Mean for Me?
It’s worth noting that details like those accessed by hackers are often used to guess security questions and access other, more useful, accounts. There has been a huge increase in CryptoBlackmail, where hackers steal information about you, and then send you detailed threats to expose private information about you if you don’t pay them.
We know that the Facebook hackers were not able to steal any of your passwords, and they did not use these access tokens to get into any other third-party accounts.
If you were affected, the main thing to keep in mind is that the information accessed about you could be used to answer security questions on other sites and reset your passwords there. You should never use common facts about yourself as the answer to security questions, and if you have, you should change them.
And just like every other day of the week, it’s time to start considering using a password manager if you haven’t already—iOS 12 has fantastic autofill that makes it a no-brainer. And to further protect your accounts, make sure you’re using two-factor authentication everywhere, even if it’s just the SMS variety.