Last week, news broke out that hackers exploited a flaw in Facebook’s code that then allowed them to steal the access tokens of around 50 million accounts, the largest data heist in the company’s history.
According to Facebook, the flaw allowed the attackers to use a video uploading feature to exploit Facebook’s “View As” tool, a feature that lets you preview your profile as it appears to another user or to the public.
They then used this bug to siphon out the access tokens of millions of unsuspecting Facebook users.
Were you logged out of your account last week?
Out of precaution, Facebook had to log out around 90 million users to reset their access tokens, including users who used the View As feature in the past year.
Although Facebook said that it already notified law enforcement officials and patched the vulnerability, who can say for for sure that the issue is resolved? No one knows the full extent of the breach — not even Facebook itself, it seems.
It’s important to understand that as Facebook investigates, it may uncover that more accounts were caught up in the hack. Keep an on eye on your Facebook account, or better yet, follow the steps that we have outlined below for your safety.
If you got this email, the hackers have your login account and password
The Facebook hackers got Kim’s information, too.
This is an email you’re going to see if your information got grabbed in the hack. Note that Kim is being allowed to log in with a tap. If you get any similar-looking emails that require you to send any information, they might be email attackers taking advantage of this crisis to steal your information.
What are Facebook access tokens?
Facebook confirmed that the attackers managed to steal user “access tokens” and with these, they can use the affected accounts as if they were their own.
What are access tokens anyway? Access tokens keep you logged into your Facebook account on your gadgets over long stretches of time without having to re-verify your password. It’s like leaving your house keys under the doormat, so to speak.
Not only that, but these access tokens are also used by applications and web sites that you linked your Facebook account with. For example, have you ever signed up and logged in to services like Spotify and Airbnb with just your Facebook account? That’s your access tokens at work! However, this means that the scope of the breach can be potentially larger since these tokens can be used to access third-party services beyond Facebook itself.
That means that attackers can use your Facebook information to sign in to Spotify, Airbnb, Instagram and any other Facebook-connected app or service and have complete access to those too.
And this may just be the tip of the iceberg. Facebook said that the investigation has just started and there could potentially be more affected profiles.
“If we find more affected accounts, we will immediately reset their access tokens,” Facebook said in a statement.
What you need to do now
If you were one of users who were automatically logged out these past few days, you can still log back into Facebook with your old password. Once in, there will be a banner on your News Feed titled “An important security update.” This message will provide you a link that will provide you with more details about the breach.
Log out of all your Facebook sessions
Important: If you were not affected (yet), you should still be cautious about your Facebook account. As a precaution, it is recommended that you log out of your Facebook account on all your devices to reset your old access tokens.
Here’s how to log out of all your Facebook sessions.
Desktop: Click the upside-down triangle on the top right then click Settings >> “Security and Login.”
Mobile: Go to your profile page by tapping the “hamburger icon” (three horizontal lines) on the lower-right corner of the screen. Scroll down, tap Settings >> Account Settings >> Security Login.
Here, there’s a section called “Where You’re Logged In” where you can see all the devices with your active Facebook sessions. To log out of these places all at once, scroll down the list then tap Log Out of All Sessions. This will reset all your current access tokens.
Obviously, you’ll need to log back into each gadget you want to access your Facebook account from.
Next, change your password
After logging in, you should change your current password to be on the safe side.
To reset your Facebook password, go back to Settings >> Account Settings >> Security and Login then tap or click on Change Password. Note: Make sure it’s a unique password so crooks can’t use it for password reuse attacks.
Turn on two-factor authentication
Here’s another layer of security you can employ on your Facebook account — turn on Two-Factor authentication.
Here’s how you do this. Stay on Settings >> Account Settings >> Security and Login >> then scroll down to Use Two-Factor Authentication. Click Edit >> choose the method you want to use. You can either chose “Text Message” or “Authentication App.”
However, last week, TechCrunch revealed that Facebook is also using its users’ two-factor authentication phone numbers for targeted ads. According to the article, Facebook uses the “information people provide to offer a better, more personalized experience on Facebook, including ads.”
If true, this is troubling because it is yet another indication that Facebook is repurposing its users’ information, phone numbers used for security, nonetheless, for monetary purposes.
Because of this, I recommend using “Authentication App” instead of linking your phone number as your Facebook 2FA gadget. Instead of a text message, you can use an app like Google Authenticator to generate your 2FA login codes.
Turn on login alerts
After logging out, changing your password and setting up your two-factor authentication method, please “turn on alerts for unrecognized logins too.”
To turn on these alerts, go back to your Settings >> Security and Login then go to the “Setting Up Extra Security” section. Tap or click on the Edit button of “Get alerts about unrecognized logins” then turn Notifications, Messenger and Email alerts on.
Should you ever receive an alert from Facebook stating someone has logged into your account from an unrecognized location, it’s critical that you follow the instructions provided.
The email you receive will outline steps you should take to reset your password and secure your information.
Log out or disable third-party apps
Since access tokens are also used by third-party apps, it’s also recommended that you audit and remove all your third-party apps and services that you linked your Facebook account with.
Although it’s convenient, we suggest that you stop using your Facebook account to sign up and log in to third-party apps and services.
Disabling ALL third-party apps and services
1. Go to your Facebook Account Settings to access your Apps and Websites settings.
Desktop: Click the upside-down triangle on the top right then click Settings >> “Apps and Websites.”
Mobile: Go to your profile page by tapping the “hamburger icon” (three horizontal lines) on the lower-right corner of the screen. Scroll down, tap Settings >> Account Settings >> Apps.
2. On the Apps Settings page, to disable ALL third-party app access with one click, turn off your profile’s ability to interact with apps, websites and games (formerly called Platform)
Desktop: Click “Edit” on the “Apps, Websites and Games” then choose “Turn off.”
Mobile: Tap Edit on the “Apps, Websites and Games” section. Choose “Turn Off.”
Disabling individual apps and services
Keep in mind that turning off your ability to interact with apps will disable even the legitimate apps and services that you use. For example, if you linked your Facebook profile to login to or share with other services like Spotify, Airbnb or Twitter, you will lose that access.
With the recent changes in Facebook’s settings, it’s easier to review and remove your apps and websites.
In this section, you can also check apps and websites that are expired, meaning they’re still in your profile but they no longer have data access. You can also review apps that you have removed.
Desktop: On the same App Settings page, you’ll see a list of all the third-party apps and services you have authorized. To remove an app, simply click the “x” symbol in the right-hand corner of the app.
Mobile: On the same Apps and Websites page, tap “Logged in with Facebook.” Here, you’ll see all the apps that are active, expired or removed. Simply select an app to review its data access and visibility. To remove an app, tick off its checkbox then tap “Remove App.” Note: You can also check off multiple apps and remove them in one tap.
How about taking a break from Facebook?
After the Cambridge Analytica fiasco and now this massive data breach, it’s essential that you secure your Facebook data as much as possible.
But after the latest event, if you are feeling apprehensive about Facebook right now, you can take a break by either deactivating it or part with it for good by deleting it completely.
If you don’t want to leave but want to take a break, tap or click here for steps to take to deactivate.
Had enough of all the Facebook data security lapses? Here’s how to delete your Facebook account for good.
Kim’s take: Can Facebook be trusted anymore?
You need to know that Facebook isn’t watching out for you. It’s a business that will use its resources — you and me — to attract advertisers and make money. It pays lip service to your security, but then it does things that show us that we’re nothing but dollar signs to them.
Facebook is collecting everything on you, including all of your call and text data. Tap or click here for steps to turn off that tracking. And don’t rely on Facebook’s “privacy setting” choices. Checking those boxes does absolutely nothing.
Facebook needs to prevent these breaches before they happen. But is that even possible? Not likely.
For now, do what you need to do to protect yourself, and check your account. And watch out for the scam emails that are sure to follow that pretend they’re from Facebook and urge you to fix your account by clicking a link. That’s just another way to lose your information.
Tap or click below to hear Kim talk about why Facebook is alienating millions.