I’ll dispense with the editorializing about Facebook and other internet giants playing fast and loose with our information and get down to the nitty-gritty of what you should know about the latest Facebook breach, which I initially wrote about (only) two weeks ago:
- Go to this Facebook link (while you are logged in to Facebook) to determine if you were one of the 30M that was affected by the breach: https://www.facebook.com/help/securitynotice
- Initial estimate of compromised accounts revised down from 50-90M to “just” 30M (OK, you got me, I can’t help myself).
- Approximately half (15M) of the compromised accounts had an extensive amount of information leaked, including data that most people would consider private, such as religion, relationship status, recent searches and geographical location.
- The other half (14M less the small percentage in the next line) had access to names and email addresses or phone numbers, or both.
- Three percent (about 1M) did not have any information exposed though their access tokens were stolen.
- Nobody’s Facebook passwords was stolen as part of this breach.
- Facebook cannot divulge motive or identities as it is working with the FBI, but based upon analysis of the attack, the hackers were organized and well-equipped to pull off the data heist. Translation: likely nation-state or organized crime-backed.
What this means for you
If you happened to fall into the bucket where a large amount of private information was exposed by Facebook, be extremely wary of targeted phishing attempts, usually sent by email. Because your information is now readily available to be cross-indexed with any numerous other items exposed in previous breaches, it’s trivial for cybercriminals to create very realistic emails that appear legitimate based upon the use of this stolen data, whether it be fake password reset notifications from widely used services like Office 365, Facebook, Gmail, SnapChat, or strangely familiar emails using that private data to trick you into revealing additional info or access to strangers pretending to be co-workers, friends or even family. Just to add insult to injury, if some of the leaked data is info you might use as an answer to the “Forgot your password?” questions many services use, hackers can now use that info to try and guess your answers to reset your password for their own nefarious purposes.
Just because your password wasn’t stolen in this breach doesn’t mean that it wasn’t exposed in any of the myriad breaches over the past several years. Visit this site – https://www.haveibeenpwned.com/password – to determine if it might be exposed, and if so, continued use of it will likely result in any account secured by the exposed password being compromised very soon.