On September 16th, 2018, Facebook engineers recorded an unexplained spike in traffic. On September 25th they determined that the cause was a significant security breach, which was publicly announced on the 28th. The Facebook team identified 50-million accounts that were directly affected by the attack and an additional 40-million accounts that had interacted with the feature where the vulnerability existed (the "View As" feature).
The Facebook team reset the access tokens on these accounts. The access token is the digital key that keeps you logged into Facebook so that you don't need to re-enter your password every time you use the app; whoever holds a valid token is treated as you, without being asked for a password or a one-time code. Facebook does not yet know the full scope and impact of this breach.
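To make the access-token point concrete, here is a small added example (written for this article, not Facebook's code or any real Facebook API) of a bearer-token session store. All names, the toy login flow and the fixed-counter "authenticator code" are constructed for illustration. It shows why a stolen token grants access with neither the password nor a two-factor code, why reviewing and logging out individual sessions works, and why resetting tokens ends the attacker's access while the password itself can stay unchanged.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Toy model of a bearer-token session store (hypothetical; not Facebook's
# implementation). It shows why a stolen access token grants access without
# the password or a 2FA code, and why resetting tokens ends that access
# without a password change.


@dataclass
class Session:
    account: str
    device: str


class SessionStore:
    def __init__(self):
        self._passwords = {}     # account -> (salt, pbkdf2 hash)
        self._totp_secrets = {}  # account -> shared secret, or None if 2FA is off
        self._sessions = {}      # access token -> Session

    def register(self, account, password, two_factor=False):
        salt = secrets.token_bytes(16)
        self._passwords[account] = (salt, self._hash(password, salt))
        self._totp_secrets[account] = secrets.token_bytes(20) if two_factor else None

    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def authenticator_code(self, account):
        """Stand-in for the code an authenticator app would display.
        Real TOTP mixes in the current time; a fixed-counter HMAC keeps
        this example deterministic."""
        secret = self._totp_secrets[account]
        return hmac.new(secret, b"counter", "sha256").hexdigest()[:6]

    def login(self, account, password, device, code=None):
        """Password and, when enabled, the one-time code are checked ONLY at login.
        Returns a fresh bearer token, or None on failure."""
        if account not in self._passwords:
            return None
        salt, expected = self._passwords[account]
        if not hmac.compare_digest(self._hash(password, salt), expected):
            return None
        if self._totp_secrets[account] is not None and code != self.authenticator_code(account):
            return None
        token = secrets.token_urlsafe(32)
        self._sessions[token] = Session(account, device)
        return token

    def access(self, token):
        """Whoever presents a valid token is treated as the account; neither the
        password nor the second factor is re-checked."""
        session = self._sessions.get(token)
        return session.account if session else None

    def where_logged_in(self, account):
        """The 'Where You're Logged In' list: one entry per live session."""
        return sorted(s.device for s in self._sessions.values() if s.account == account)

    def logout_device(self, account, device):
        """End one session (the per-device Log Out button)."""
        doomed = [t for t, s in self._sessions.items() if s.account == account and s.device == device]
        for t in doomed:
            del self._sessions[t]
        return len(doomed)

    def reset_tokens(self, accounts):
        """Invalidate every session of the given accounts; passwords are untouched."""
        before = len(self._sessions)
        self._sessions = {t: s for t, s in self._sessions.items() if s.account not in accounts}
        return before - len(self._sessions)


def demo():
    """Walk through the scenario and return the observations as a dict."""
    store = SessionStore()
    pw = "correct horse battery staple"  # constructed sample credential
    store.register("alice", pw, two_factor=True)
    phone = store.login("alice", pw, "Alice's phone", store.authenticator_code("alice"))
    unknown = store.login("alice", pw, "Unknown laptop", store.authenticator_code("alice"))

    out = {}
    # 1. Without the 2FA code, even the correct password cannot open a new session.
    out["login_without_code"] = store.login("alice", pw, "Attacker's laptop")
    # 2. A stolen token needs neither password nor code: 2FA does not help here.
    stolen = phone
    out["stolen_token_works"] = store.access(stolen)
    # 3. Reviewing sessions and logging out one device ends only that session.
    out["sessions_before"] = store.where_logged_in("alice")
    store.logout_device("alice", "Unknown laptop")
    out["unknown_after_logout"] = store.access(unknown)
    out["sessions_after_logout"] = store.where_logged_in("alice")
    # 4. Resetting tokens (what Facebook did) kills the stolen token...
    out["revoked"] = store.reset_tokens({"alice"})
    out["stolen_token_after_reset"] = store.access(stolen)
    # ...while the unchanged password still works for a fresh, legitimate login.
    out["relogin_ok"] = store.login("alice", pw, "Alice's phone", store.authenticator_code("alice")) is not None
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Run it and the four numbered observations print in order: the attacker who has only the stolen token gets in despite two-factor authentication, logging out the unknown device ends just that session, and after the token reset the stolen token is dead while the original password still logs in normally.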
Here are some precautions you can take to protect your account.
1. Look for a notification from Facebook.
If you are one of the 90-million affected accounts, you will have been logged out of the platform by now. Facebook is placing a notification at the top of your feed rather than emailing you directly. Keep a close eye on your account, as well as on third-party apps connected to it, for any suspicious activity. Facebook says that resetting the access token on your account has closed off the attackers' access, but it is better to be safe than sorry.
2. Disconnect and reconnect third-party apps.
Thus far, Instagram is the only third-party app that Facebook thinks may have been affected by the attack. As a precaution, unlink Instagram from your Facebook account, then relink it. Facebook says there was no impact on WhatsApp users.
3. Logout from Facebook on unfamiliar devices.
If another device has been used to log in to your account (such as an attacker's), it will show up in your Security and Login settings under "Where You're Logged In". If you see a session you don't recognize, log out of that device immediately.
How to log out from other devices:
- Go to your Security and Login Settings.
- Go to the section "Where You're Logged In". You may have to click See More to see all of the sessions where you're logged in.
- Find the session you want to end and log out of it.
- Clicking Log Out will immediately log you out of Facebook on the chosen device.
4. Use two-factor authentication.
Two-factor authentication protects the login step: if Facebook doesn't recognize the device, it prompts for a one-time code sent by SMS or generated by an authenticator app in addition to your password, so a stolen password alone is not enough to get in. Note that it would not have stopped this particular attack, because the attackers took access tokens that had already been issued rather than logging in; it still closes off the most common route into an account.
How to turn on two-factor authentication:
- Go to Settings > Security and Login
- Scroll down to and open Use Two-Factor Authentication
- Click Get Started
- Select your preferred method to receive the authentication code: Text Message (SMS) or an app like Google Authenticator or Duo Mobile to generate login codes. An authenticator app is the stronger choice, since SMS codes can be intercepted if your phone number is hijacked.
5. Change your password.
Facebook says this may be unnecessary, since it was the access token that was stolen, not the password, but changing your password costs little. Choose a long passphrase that you use nowhere else; length and uniqueness matter far more than sprinkling in symbols, and a password manager makes both easy.
6. Use a unique username and password on third-party apps.
If you use your Facebook account to log in to other websites such as Spotify or Instagram, create a separate login with its own unique password for each instead, so that a compromise of one account does not open the others.
Most of these precautions are wise steps to take regardless of the impact of this particular attack. Hackers aren't going away, so always do your best to remain one step ahead of them.