Towards the end of September 2018, Facebook revealed it had been the victim of a hack that it initially thought affected 50 million users; after investigating, it said only about 30 million Facebook users were affected by the security breach. The hackers apparently managed to obtain the access tokens of an initial 400,000 Facebook users, which allowed them to control those accounts and those of "Friends of Friends."
This was possible thanks to a security flaw in Facebook's "View As" feature, which allows users to see what their own profile would look like to someone else.
"People’s accounts have already been secured by the action we took two weeks ago to reset the access tokens for people who were potentially exposed—no one needs to log out again, and no one needs to change their password. We’ll be explaining what information the attackers may have accessed as well as steps they can take to help protect themselves from any suspicious emails or text messages or calls that could potentially result from this kind of information being exposed," said Guy Rosen, Vice President of Product Management at Facebook.
Given how the hack worked, there were fears that it also affected third-party apps that use the "Log in with Facebook" feature. However, the social media platform reported that, during its investigations, third-party apps didn't seem to be affected.
How to check if you were hacked
Starting in mid-October 2018, Facebook began publishing a customized message in the News Feeds of some users who were among the 30 million accounts that were hacked. The message varies from user to user depending on how they were hacked and what information was accessed.
If you have yet to see such a message in your Facebook News Feed and want to check whether, and how, you were affected by the hack, there is another way to check.
You need to first log in to Facebook and then go to this page. The first few paragraphs will provide you with some background information about the security breach, and as you scroll down you will come across a section that reads "Is my Facebook account impacted by this security issue?" Below that heading, if you are not affected, you will see a message that says:
"Based on what we've learned so far, your Facebook account has not been impacted by this security incident. If we find more Facebook accounts were impacted, we will reset their access tokens and notify those accounts."
This message will also appear for the 1 million Facebook users whose access tokens were hacked but none of their data was accessed or taken.
For the remaining users who were affected by the hack, 15 million had their full name, e-mail address, and listed phone number accessed by the hackers. The other 14 million Facebook users saw the hackers access, over and above their basic information, their Facebook username, gender, locale/language, relationship status, religion, hometown, self-reported current city, birthdate, device types used to access Facebook, education, work, the last 10 places they checked into or were tagged in, website, people or Pages they follow, and the 15 most recent searches.
How to protect yourself
As a result of this Facebook hack, as with any hack involving access to personal information, it is important to be alert to phishing attempts. Given that in some cases hackers might have your personal details, the phishing attempts could appear legitimate and entice you by first establishing trust through stating some information they already know about you.
Facebook has said that it has reset the access tokens of all the affected users. However, as an added layer of caution, you probably should change your Facebook password as well.