Facebook is no stranger to malicious activity happening on its watch. From Cambridge Analytica to under-the-table data sales, there are plenty of examples of Facebook putting profits before security.
In fact, there is plenty of reason to believe that Facebook can and will sell your data again.
When it comes to Facebook scandals, hacks are rarely as controversial as data leaks. But new information surrounding a 2018 hacking incident may change all that. Thanks to a malware campaign, multiple accounts were compromised and forced to buy $4 million worth of advertisements. Then, hackers sat back and watched the money roll in. Here’s how it happened.
An unusual hack with obvious goals
Hackers tend to have a few common motivations for cyberattacks: ego, ideology and money. The last one is especially important since online accounts tend to hold tons of valuable data like credit card numbers and passwords.
Well, a major 2018 hack didn’t lead to anyone’s credit card numbers getting stolen — but $4 million of victims’ money was spent nonetheless. The hack, which had not been fully disclosed, has now been revealed by Facebook security engineers to be part of a widespread malicious ad scheme.
Here’s how it worked: A group of Chinese hackers used specially designed malware called SilentFade to break into several Facebook accounts. The malware was bundled with pirated software unrelated to Facebook, and once it installed itself on a victim’s computer, it scanned for login cookies and other ways to break in.
Once the malware gained access to an account, hackers then used whatever payment information was on file to buy advertisements on Facebook. The ads were for a variety of sketchy products like health supplements, and the hackers were able to pull off their scheme for nearly two years.
After discovering the problem, Facebook shut down the operation and pursued legal action against the cybercriminals they believed to be behind the attack: The owners of the ad network the hackers bought ads from.
SilentFade was a highly sophisticated cyberattack, and it’s unknown how many accounts were compromised since 2016. Hackers were able to use malware to turn off notifications, so victims may have never known their cards were being charged. And if the hacks were widespread enough, a couple hundred thousand accounts’ worth of small charges could easily total $4 million.
Am I in any danger now? What can I do to protect myself from cyberattacks like this one?
The SilentFade hack is no longer active thanks to Facebook’s security actions. If your account was compromised, it’s no longer in danger of being used to purchase ads.
That said, the release of this information means it’s as good a time as ever to think about changing your Facebook password to something more complex. This goes double thanks to a new account option rolling out to Facebook users in the coming weeks.
Facebook Account Center is a new unified control panel that lets you post and change settings for all Facebook-owned accounts at once. This includes Instagram and WhatsApp, which will both share payment information with Facebook under the new account settings.
You can still have separate passwords for all three of your accounts (we recommend this), but if your payment information is the same, one account getting hacked could lead to abuse on the other two platforms.
Your best option to stay secure? Two-factor authentication, of course! With 2FA set up for your Facebook accounts, you can prevent unauthorized logins and get notified on your phone when someone makes an attempt. Without the code sent to your phone, a stolen password alone won’t get them in.
If it took Facebook this long to open up about this massive hack, what other cybersecurity nightmares could the company be hiding? Who knows what we’ll learn happened behind the scenes in the next several years.