UPDATE 10/25/2018: Updated figures and how to check if your account was affected.

A few days ago I found myself reading about Timothy Berners-Lee’s new decentralized web startup, Inrupt. The timing couldn’t have been better – only a few days after the huge Facebook data breach was announced. It’s as if TimBL himself had planned the coordinated attack, affecting 30 million Facebook users. This breach is a great microcosm – it perfectly demonstrates the problem with the current iteration of the internet.

Facebook has had a bad year-and-a-half, with at least 3 scandals shaking the tech giant to their core. First, it was the “fake news” scandal, then came word (and video) about Cambridge Analytica, and now, hopefully, to end the year, we hear that millions of users were put in jeopardy when the Facebook breach exposed their personal data to hackers. Quite the identity theft starter kit!

The Facebook data breach: what do we know?

At the moment, not much is known about the Facebook data breach – investigations into these things take time and patience. However, Facebook’s much-maligned CEO Mark Zuckerberg and others familiar with the situation paint the following picture:

  • The principal point of attack was Facebook’s “View As” feature, which had several vulnerabilities. As some of you may know, this feature was originally introduced precisely as a privacy tool, allowing users to view their profile as others (even those not in their friend list) would see it. The irony is a bit much, but here we are…
  • More than one vulnerability had to be exploited in sequence in order for hackers to gain access. Furthermore, the loopholes were previously unknown. In combination, this makes the Facebook data breach a rather sophisticated effort.
  • Attackers may have taken control of at least some accounts.
  • After gaining control of these Facebook accounts, attackers could have accessed linked services, such as Spotify, Instagram, and a whole host of others.

UPDATE 10/25/2018: How to know if you were affected

Initially, Facebook reported that the number of affected profiles was likely around 50 million. However, after the primary investigation and analysis, the number was revised to 30 million. What doesn’t change is the fact that this was the largest theft of data Facebook had ever seen.

According to Guy Rosen, Facebook’s VP of product management, the accessed and stolen data can be divided into three groups:

  • 1 million accounts, where personal data wasn’t accessed;
  • 15 million accounts, where usernames and contact information (phone numbers, emails, etc.) got stolen;
  • 14 million accounts, where hackers managed to access all personal data available on the profiles. Apart from the usernames and contact information, data on the following was stolen: gender, language, relationship status, religion, hometown, current city, birthdate, devices used to access Facebook, education, work, the last 10 places they checked into, website, pages followed, and 15 recent searches;

You may be wondering how to know if you were affected. There’s a way for you to check. Log in to your Facebook account and visit the Help Center. In there, you’ll find a detailed description of the data theft, including whether your account was affected by it or not.

Nevertheless, Facebook has also promised to directly inform all 30 million users about the breach and what may have been stolen from them. So, if you haven’t received any urgent notices yet, chances are your data wasn’t subject to this large-scale hack.

Protecting yourself from this and other Facebook breaches

facebook security

Aside from hoping that governments in the US and Europe will fine Facebook into oblivion, what can you do to protect yourself now and in the future?

Well, first of all, we urge you to change all of the passwords linked to your Facebook account – including those of email addresses. This is especially relevant if you were recently unexpectedly disconnected from Facebook (approximately 90 million users were logged out by Facebook as a precaution).

Secondly, don’t use your Facebook account to log into other services, because a Facebook security breach like this one can trigger a domino effect, compromising a lot more than just your FB.

And, finally, use one of the best VPN services and invest in a decentralized internet!

We’ll keep you informed as the story unfolds.