Following a massive breach that compromised tens of millions of accounts, Facebook has started sending out custom messages to inform people if or how they were impacted. Users who have yet to receive a custom notification from the social network can manually check whether their account got hacked, and what data might have been leaked. Here’s how.
First, some background. As many of you probably read in the news last week, between September 14 and September 27 an unknown attacker used daisy-chained vulnerabilities in the platform’s View As feature to snatch authentication tokens of tens of millions of users.
The initial count was 50 million to 90 million compromised accounts. After further investigation, Facebook said only 30 million accounts were in fact compromised.
In an update posted to the Facebook newsroom, Guy Rosen, VP of Product Management, said:
“We now know that fewer people were impacted than we originally thought. Of the 50 million people whose access tokens we believed were affected, about 30 million actually had their tokens stolen.”
Rosen proceeds to explain how the breach happened, though most people reading right now are probably more interested to know if they themselves have been hacked. Those eager to learn more about the breach can visit Rosen’s post and read it through. For those of you who are here to check whether you’ve been hacked – and what the hackers have on you – continue reading below.
How to check if your Facebook profile was hacked
- First, you need to log into Facebook on the same platform you’re about to use to perform the check. It doesn’t matter which platform you’re on (desktop, mobile, iOS, Android, etc.), as long as you’re logged into Facebook.
- Second, you can confirm if your account was compromised by visiting this page that Facebook set up for the purpose.
- The page contains some updates on the ongoing investigation, as well as a custom message for every logged-in visitor that lands on that page. Scroll to the bottom and look for one of these three messages (different ones could appear as well):
What data did the hackers access?
- If you’re in the first boat, you are safe – your credentials and profile data have not been compromised.
- If you find yourself in the second boat, hackers have likely compromised your account, but your data should still be safe.
- If, however, you’re in the third boat, things are not so rosy. As the third screenshot shows, Facebook displays quite an unnerving message for those users whose profile data has, in fact, been compromised.
Facebook claims that, for half of the compromised accounts (15 million people), attackers accessed these two sets of information:
- name
- contact details (phone number, email, or both, depending on what people had on their profiles)
Another 14 million people have had the same sets of information stolen, plus the following:
- user name
- gender
- locale/language
- relationship status
- religion
- hometown
- self-reported current city
- birth date
- device types used to access Facebook
- education
- work
- the last 10 places they checked into or were tagged in
- website
- people or Pages they follow
- the 15 most recent searches
Only 1 million people – of the 30 million hacked – had no information stolen or otherwise compromised, the investigation revealed.
For the 14 million users whose data was mined, cyber-crooks can now use that information to deploy identity theft attacks, targeted (spear) phishing attacks, SMS or phone scams, or even attempt to take over their other accounts based on the information they’ve gathered (i.e security questions).
There’s some good news too, if we can call it that. Messages sent and received using the popular Facebook Messenger were not compromised during this attack. According to the company, the same should apply to Messenger Kids, Instagram, WhatsApp, Oculus, Workplace, Pages, payments, third-party apps, and advertising or developer accounts.
However, there is one exception:
- If a person was a Page admin whose Page had received a message from someone on Facebook, the content of that message was available to the attackers
“In the coming days, we’ll send customized messages to the 30 million people affected to explain what information the attackers might have accessed, as well as steps they can take to help protect themselves, including from suspicious emails, text messages, or calls,” Facebook promised Friday.
As noted above, those messages are starting to go out but not everyone has received them yet.
How to proceed next
Now that you are armed with this information, proceed with your fingers crossed to Facebook’s security checker. If you’ve read through this whole post, here’s the URL again to save you some scroll time.
Facebook says that, even if your data was compromised, changing your password won’t improve the situation. That’s correct. The attacker(s) stole not passwords but access tokens, which they could use to take over people’s accounts without needing their actual credentials.
If, for one reason or another, you have trouble accessing your account, Facebook offers this handy knowledge base article as a quick remedy.
And lastly, some additional info that might help those worried about their data falling into the wrong hands:
- Facebook has been alarmingly clumsy handling user data in the past year, leading many to abandon the platform
- Bad actors have developed quite an affinity for breaching data custodians (i.e corporations that sit on vast pools of customer information) to support fraud and extortion
- Never use a social network or unencrypted messaging client to write or share something that you would not want leaked in a breach, even years later
- Use end-to-end encryption and two-factor authentication on every platform that offers it
