Latest Facebook hack and why 2-step verification isn’t enough
Did you get logged out of your Facebook account last Friday, September 28th? Yeah, me too…
Turns out it wasn’t just a glitch but a sign of a data breach affecting around 50 million Facebook users. The security team decided to reset the access tokens of 90 million accounts in total, just in case. They issued an official note, but it doesn’t tell us much.
To protect your security, we may have recently logged you out of your Facebook account. On September 25th, 2018, we discovered an attack on our system where attackers stole Facebook access tokens. Access tokens are the equivalent of digital keys that attackers could then have used to take over other people’s accounts. By logging people out, we prevent attackers from using the tokens to access these accounts.
What you should know is that passwords didn’t actually leak (which is good news), but access tokens did. That’s why Facebook decided to reset them. When an attacker obtains such a token for someone’s account, they can do many things (only those that don’t require entering a password): read any messages, view any posts on the timeline (even those “hidden” with the “Only me” visibility option), and view some account details such as e-mail addresses, connected apps and so on.
Speaking of apps, it’s worth mentioning that with the access token an attacker can also use the apps (or websites) that sign you in through Facebook Connect. That means not only your Facebook account might be in danger, but also the other apps and websites you use with your Facebook login. Now apply those conditions to the roughly 50 million accounts affected by this case. This is big.
And even if you have 2-step verification enabled on your account, which you should, it wouldn’t help in this case: the second factor is checked only when you log in, and a stolen token is used after that step, so nothing asks for it again. That’s why it’s so important to understand and remember that when a service is free, in reality you are the product. As soon as you start treating everything you upload to the internet, even on your “private” profile, as public, you’ll definitely sleep better when accidents like this happen. Because they will keep happening in the future, trust me.
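To make the last two paragraphs concrete, here is a small model of how bearer access tokens behave on the server side. It is an added example written for this post, not Facebook’s code: the user, password and one-time code are constructed, and the fixed OTP stands in for a real TOTP check. It shows the three things that matter here: both factors are verified only when the token is issued, any later request carrying the token is served without asking for a password or second factor, and a server-side token reset (what Facebook did for 90 million accounts) is what actually cuts off a leaked token.

```python
"""Toy model of bearer access tokens.

The second factor is checked once at login and never when a token is
presented later, so the defence against a leaked token is to invalidate
it server-side. All names and secrets below are constructed for the demo.
"""
import hmac
import secrets
from typing import Dict, Optional, Tuple

# Constructed demo user. A fixed OTP replaces a real TOTP verifier.
USERS = {"alice": {"password": "correct horse", "otp": "123456"}}

# token -> (username, user's token generation when the token was issued)
_TOKENS: Dict[str, Tuple[str, int]] = {}
# Bumping a user's generation invalidates every token issued before the bump.
_GENERATION: Dict[str, int] = {}


def login(username: str, password: str, otp: str) -> Optional[str]:
    """Verify both factors and hand back a bearer token. This is the only
    place the password and the second factor are ever looked at."""
    user = USERS.get(username)
    if user is None:
        return None
    if not hmac.compare_digest(user["password"], password):
        return None
    if not hmac.compare_digest(user["otp"], otp):
        return None
    token = secrets.token_urlsafe(32)
    _TOKENS[token] = (username, _GENERATION.get(username, 0))
    return token


def whoami(token: str) -> Optional[str]:
    """An API call: whoever presents a valid token is served as that user.
    No password and no OTP are requested here."""
    entry = _TOKENS.get(token)
    if entry is None:
        return None
    username, issued_gen = entry
    if issued_gen != _GENERATION.get(username, 0):
        _TOKENS.pop(token, None)  # token predates a reset: drop it
        return None
    return username


def reset_tokens(username: str) -> None:
    """Server-side reset: all outstanding tokens of the user stop working,
    regardless of who holds a copy."""
    _GENERATION[username] = _GENERATION.get(username, 0) + 1


def demo() -> dict:
    """Walk through issue -> use -> reset and record each outcome."""
    result = {}
    # Password alone is not enough to get a token issued.
    result["login_without_otp"] = login("alice", "correct horse", "000000")
    token = login("alice", "correct horse", "123456")
    result["login_with_both_factors"] = token is not None
    # Model a copy of the token reaching a second client: the server cannot
    # tell the copies apart and does not ask for either factor again.
    copied = token
    result["copied_token_served"] = whoami(copied) == "alice"
    # The remedy Facebook applied: invalidate every outstanding token.
    reset_tokens("alice")
    result["copied_token_after_reset"] = whoami(copied)
    result["original_token_after_reset"] = whoami(token)
    return result


if __name__ == "__main__":
    for step, outcome in demo().items():
        print(f"{step}: {outcome}")
```

The generation counter is one simple way to implement a mass reset without walking every stored token; a real service would also bind tokens to an expiry and to the issuing client where possible. The point the post makes survives either way: whatever you add at login does nothing for a token that has already left your hands.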
If you want to make your personal conversations more secure and private, start using Telegram or Signal (the latter is recommended even by Edward Snowden) instead of Facebook Messenger. For a fully encrypted e-mail service with PGP built in, try ProtonMail. If you want to secure your internet connection, use a paid VPN service (the free ones aren’t really secure, and their speed is limited). I recommend NordVPN, which claims not to store any logs. Treat your data with more care and you’ll thank yourself one day. Because privacy really matters.
Originally published at blog.adriankwiatkowski.eu on September 30, 2018.