At the end of September, Facebook admitted that it had experienced the largest hack in the company’s history: It said up to 50 million Facebook users’ personal information may have been stolen, and that it was investigating an additional 40 million accounts in case they were potentially compromised, too. On Friday, the company clarified that only (relatively speaking, of course) 30 million people were affected by the hack, though 1 million of those people didn’t have any information stolen. The attack was possible through a vulnerability in Facebook access tokens, which allow users to stay logged into the social network in their browser and access other sites using their Facebook login.
Facebook says that the hackers, who haven’t been identified, accessed the names and contact details of 15 million people. That could include their phone numbers and email addresses, depending on what information they had shared on Facebook. For the other 14 million people, the attack was much worse. In addition to contact information, hackers also stole their gender, relationship status, language, religion, birthdate, education, places they checked into on Facebook, current city, hometown, the pages they follow, and perhaps most creepily, their 15 most recent searches.
Facebook is now informing users whose accounts were compromised by adding notes to their News Feed. But even if you haven’t seen a notice, you should check. Here’s how you can do it:
1) Log into Facebook and visit this help page. It’s a security notice detailing how the Facebook hack worked and how many people were affected.
2) Scroll to the bottom of that page to find an information box in light blue. That should tell you whether you were hit by the attack.
Facebook says the security flaw has now been patched. But if your account was indeed compromised, you need to take some immediate precautions to protect your other digital accounts from phishing attacks—that is, when a hacker tries to coax users into divulging personal account details, like a password or credit card number. Phishing allows hackers to commandeer an account or steal money.
To get a sense of how this information could be used, ask yourself: How many times have you confirmed your identity—say, with a bank—with your birthday, phone number, or hometown? You can change your email and maybe your phone number, but you can’t change your birthday, or other identifying information that the hackers accessed.
If you’re on the Facebook list, take the time soon to change up your passwords on your most used accounts and don’t recycle any of your passwords. This is only a precaution, since we still don’t know what the attackers did with the data they stole. Even if you weren’t hacked this time, it’s good security hygiene to change your passwords regularly. The best way to keep track of all this information is to install a password manager on your phone and desktop.
And this advice is for everyone: Be sure that whenever it’s available, you’ve enabled two-factor authentication, which requires an additional code texted to you or provided by a separate security app in order to log in.
We’ll continue to follow this story as it develops and provide helpful information to our readers as we learn more. Future Tense has a whole series from 2017 on how to stay safe online with contributions from some of the top cybersecurity experts in the country—check it out. It’s totally worth your time.