Facebook was under fire recently for a large security breach that affected about 30 million users. The attackers obtained access tokens, the credentials Facebook issues to a logged-in session, which let them use those accounts without ever knowing the passwords. That was a serious problem, because an access token grants everything the account itself can see about a Facebook user, which leads to all kinds of follow-on problems.
Explaining how people get ‘hacked’
There are plenty of ways account credentials can be stolen. We'll go over the two most common methods. The first uses phishing sites: pages that look exactly like Facebook and sit on a URL that resembles the real one.
Just like the original, these sites ask for your login credentials in order to sign in. The difference is that submitting the form hands your details straight to the attacker. To avoid this, always check the address bar before typing a password: the host name must be facebook.com itself or a subdomain of it (such as www.facebook.com or m.facebook.com), and the connection should be HTTPS. Merely seeing the text "facebook.com" somewhere in the address is not enough, because an address like facebook.com.verify-login.net contains it and a lookalike such as faceb00k.com resembles it; if the registered domain is anything other than facebook.com, the page is fake, no matter how convincing it looks.
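As an added example, not code from the original article, here is a small Python check that parses the URL and compares the registered domain exactly, run side by side with the naive "does it contain facebook.com" substring test to show why the latter is not enough. The sample addresses are constructed for illustration; none of the lookalike domains refer to real sites.

```python
from urllib.parse import urlsplit

LEGIT_DOMAIN = "facebook.com"

# Constructed test addresses (the lookalike domains are made up for this demo).
SAMPLE_URLS = [
    "https://www.facebook.com/login",                         # genuine
    "https://facebook.com.account-verify.net/login",          # real name used as a subdomain of a phishing domain
    "https://login.facebook.com@evil.example/",               # "login.facebook.com" is user-info; the host is evil.example
    "https://evil.example/signin?next=https://facebook.com",  # real name appears only in the query string
    "https://faceb00k.com/login",                             # lookalike spelled with zeros
    "http://www.facebook.com/",                               # right host, but plain HTTP
]


def naive_check(url: str) -> bool:
    """The substring test people tend to apply: is 'facebook.com' anywhere in the URL?"""
    return LEGIT_DOMAIN in url


def strict_check(url: str) -> bool:
    """Parse the URL and accept only HTTPS to facebook.com or one of its subdomains."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        return False
    host = parts.hostname  # lowercased; user-info and port are stripped by the parser
    if not host:
        return False
    return host == LEGIT_DOMAIN or host.endswith("." + LEGIT_DOMAIN)


def classify(urls):
    """Return {url: (naive_result, strict_result)} so the two checks can be compared."""
    return {u: (naive_check(u), strict_check(u)) for u in urls}


if __name__ == "__main__":
    for url, (naive, strict) in classify(SAMPLE_URLS).items():
        print(f"naive={str(naive):5} strict={str(strict):5}  {url}")
```

The user-info case is the one people miss most often: everything before the "@" is not part of the host name, so a browser sends that request to evil.example while the address starts with the familiar name.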
The first method is fairly straightforward and easy to pull off, but it needs the victim to do something. The second is where things go beyond your control: it does not need the user in any capacity, because it targets the site's password database. Websites, especially big ones such as Facebook, do not store passwords directly; they store the output of what is known as a "hash function".
Without going into the specifics, a hash function is a one-way function that converts your password into something else. If your password were, say, "abcd", a hash function might turn it into "efgh". Real hash functions are far more complex and produce a practically unique string for each password. The important property is that they are one-way: you cannot recover the password from its hash. So it is the hash, not the password, that the website stores, which means a stolen database does not directly reveal anyone's password.
However, hashing is only as strong as the passwords behind it and the way it is applied. Facebook is no stranger to controversy: only a few months earlier Mark Zuckerberg had faced intense criticism over reports of how the site tracks what users do outside Facebook. There are two ways to crack a password, and both boil down to guessing, which is why a strong password is always recommended.
Brute-forcing means trying as many candidate passwords as possible until one works. Against the live login form this is slow and usually rate-limited, but the generic passwords many people choose fall quickly. That is why many websites stress that a long, strong password is crucial. The second case is when the database of hashes itself leaks.
Although the function is one-way, a leaked hash table makes the attacker's life much easier: they run the same hash function over every guess a brute-force or dictionary attack produces and compare the results with the stolen hashes, offline and with no rate limits, and this recovers the passwords of everyone who chose a guessable one. A well-designed site limits the damage by adding a random per-user salt to each password and using a deliberately slow hash such as bcrypt, scrypt, Argon2 or PBKDF2, which stops one guess from being checked against every user at once and makes each guess far more expensive. As a user you cannot control how a site hashes, so always choose strong passwords and enable two-factor authentication (2FA) wherever possible.
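To make the difference concrete, the following Python is an added example, not code from the original article or from Facebook, that simulates an offline attack on a leaked password table. The usernames, passwords and wordlist are constructed for the demo. It contrasts an unsalted, fast SHA-256 hash, where one pass over a wordlist recovers every user who picked a common password, with a salted, deliberately slow PBKDF2 hash, where each user has to be attacked separately and every guess costs a full PBKDF2 computation.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed wordlist of the "generic" passwords a cracking run tries first.
WORDLIST = ["123456", "password", "qwerty", "abcd", "letmein", "iloveyou"]

# Constructed user base; carol's passphrase is not in the wordlist.
USERS = {"alice": "password", "bob": "abcd", "carol": "correct-horse-battery-staple"}

ITERATIONS = 100_000  # PBKDF2 work factor; real deployments tune this to their hardware


def weak_hash(password: str) -> str:
    """Unsalted, fast hash: a single SHA-256 of the password, as a naive site might store it."""
    return hashlib.sha256(password.encode()).hexdigest()


def strong_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Salted, slow hash (PBKDF2-HMAC-SHA256), stored as 'iterations$salt_hex$dk_hex'."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"{ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_strong(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count, then compare in constant time."""
    iterations, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)


def crack_unsalted(leaked: dict, wordlist: list) -> tuple:
    """Offline attack on a leaked {user: sha256_hex} table.
    Each candidate is hashed once; the precomputed table then matches every user at once.
    Returns (recovered passwords, number of hash computations)."""
    table = {weak_hash(w): w for w in wordlist}
    found = {user: table[h] for user, h in leaked.items() if h in table}
    return found, len(wordlist)


def crack_salted(leaked: dict, wordlist: list) -> tuple:
    """Same attack on a leaked {user: 'iter$salt$dk'} table.
    The per-user salt makes precomputation useless: every (user, candidate) pair is a
    separate slow PBKDF2 call. Returns (recovered passwords, number of PBKDF2 computations)."""
    found, ops = {}, 0
    for user, stored in leaked.items():
        for w in wordlist:
            ops += 1
            if verify_strong(w, stored):
                found[user] = w
                break
    return found, ops


def build_leaks():
    """What an attacker would obtain from each kind of database."""
    weak = {u: weak_hash(p) for u, p in USERS.items()}
    strong = {u: strong_hash(p) for u, p in USERS.items()}
    return weak, strong


if __name__ == "__main__":
    weak_db, strong_db = build_leaks()
    print("unsalted SHA-256:", crack_unsalted(weak_db, WORDLIST))
    print("salted PBKDF2   :", crack_salted(strong_db, WORDLIST))
```

Both attacks recover alice's and bob's passwords, because weak passwords stay weak under any hash; what changes is the cost. The unsalted table falls to six cheap hashes for the whole user base, whereas the salted table needs twelve slow PBKDF2 runs for three users and scales linearly with the number of users, which is the whole point of salting and a high work factor.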
How to check if you were affected by the breach
The breach itself took place about a month before it was announced. Facebook investigated and concluded that access tokens had been stolen in the breach, affecting some 30 million users. Its post on the incident explains the situation in full, and it also answers a very important question.
If you open that post while logged in, it tells you whether your account was affected. Scroll to the bottom, to the heading "Is my Account impacted by this security issue?", and you get a simple yes or no. For the accounts that were affected, Facebook is resetting the access tokens (which logs out every session that was using them) and notifying the account owners. Since not everyone reads their email regularly, affected users will also see a message at the top of their news feed.
There are a few scenarios. Either your account was not affected at all, in which case there is nothing to worry about, or you get a message saying it was, in which case there are three subcategories. Of the 30 million affected, 14 million had their data accessed quite extensively: username, gender, locale/language, relationship status, religion, hometown, self-reported current city, birthdate and so on.
For another 15 million, only name and contact details (email address and/or phone number) were accessed. The remaining 1 million or so had their access tokens stolen, but the attackers did not retrieve any data from their accounts. If you fall into any of these three categories, contact Facebook and take steps to secure your account.
What should one do if they were hacked?
The general rule of thumb is to change your password first. Facebook said the attackers stole access tokens, not passwords, and the token reset already invalidates the stolen sessions, but changing the password costs little and removes any doubt. While you are in the security settings, review the list of devices and locations where you are logged in and sign out of any you do not recognise. Keep an eye on your credit cards for suspicious activity as well.
You should also expect spam emails and calls, since your contact details will probably be sold on to businesses and ad-targeting companies. Data like this is valuable to them because it lets them infer people's interests and target them accordingly. Expect phishing emails too, linking to fake login pages like the ones described above.
As a final precaution, if you are among the 14 million whose profile data was taken, contact your bank, your mobile provider and any other service where you use that personal information. The data is powerful: hometown, birthdate and relationship details are exactly what "security questions" ask for, so an attacker can use them to reset or take over a bank or email account. Hundreds of things are tied to your email account, and if that falls, a whole new set of problems follows.
Revamp the security on your email and payment accounts and enable 2FA wherever you can. With 2FA a stolen password is not enough on its own to log in; an authenticator app or a hardware security key is a better second factor than SMS codes, which can be intercepted through SIM swapping. Secure everything and watch for any suspicious activity on your accounts.