
Forum Moderators: not2easy


New Facebook Security Breach Hits Near 50 Million Accounts

     
5:53 pm on Sep 28, 2018 (gmt 0)

Administrator from US 

WebmasterWorld Administrator not2easy is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Dec 27, 2006
posts:4017
votes: 246


The Facebook feature that allows users to see what their own profile looks like to others, the "View As" feature, was exploited on Sept. 25, 2018 and is now being reported by Facebook [newsroom.fb.com] after it affected nearly 50 million accounts.
... it’s clear that attackers exploited a vulnerability in Facebook’s code that impacted “View As” ...This allowed them to steal Facebook access tokens which they could then use to take over people’s accounts.


Facebook reports that they have fixed the issue and informed law enforcement. They have reset the security tokens of the known affected accounts plus an extra 40 million as a precaution.
As a result, around 90 million people will now have to log back in to Facebook, or any of their apps that use Facebook Login. After they have logged back in, people will get a notification at the top of their News Feed explaining what happened.


They have also temporarily disabled the "View As" feature. They still do not know for certain the complete specifics of this attack, nor its perpetrators.

6:02 pm on Sept 28, 2018 (gmt 0)

Junior Member

Top Contributors Of The Month

joined:Sept 13, 2018
posts:147
votes: 31


50 million, this is no longer an impressive number these days (sarcasm)
6:08 pm on Sept 28, 2018 (gmt 0)

Senior Member from FR 

WebmasterWorld Senior Member leosghost is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Feb 15, 2004
posts:7139
votes: 410


Most of them were probably bots..
6:11 pm on Sept 28, 2018 (gmt 0)

Senior Member from GB 

WebmasterWorld Senior Member brotherhood_of_lan is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Jan 30, 2002
posts:4937
votes: 31


FB shares drop 3%

Given that they're worth over $400B, I wonder how much value could have been 'acquired' if that 50M had been in the billions? I suppose a chunk of the value is in how people interact in the site, or across the web where FB can see them.
6:26 pm on Sept 28, 2018 (gmt 0)

Moderator from US 

WebmasterWorld Administrator martinibuster is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Apr 13, 2002
posts:14803
votes: 465


Kind of to be expected from a company whose slogan is, "Done is better than perfect."
6:29 pm on Sept 28, 2018 (gmt 0)

Administrator from US 

WebmasterWorld Administrator not2easy is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Dec 27, 2006
posts:4017
votes: 246


Since it allowed attackers to take over other people's accounts and it is still unknown whether or how they might have used the data that was made available, it is anyone's guess what kind of changes may result on the part of users.
9:35 am on Sept 29, 2018 (gmt 0)

Moderator from US 

WebmasterWorld Administrator keyplyr is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Sept 26, 2001
posts:12786
votes: 878


The biggest mistake a user can make nowadays is to use their Facebook login credentials to sign in to other services or apps.

Ideally, never use the same username/password for more than one site. And never allow any browser to store your passwords.

All your username/passwords should be unique, and change them every 90 days. Write them down on a piece of paper, put it in a mayonnaise jar and bury it in a 6' hole in your backyard at midnight (not during a full moon).
10:05 am on Sept 29, 2018 (gmt 0)

Senior Member from FR 

WebmasterWorld Senior Member leosghost is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Feb 15, 2004
posts:7139
votes: 410


Pinterest insists that you (in order for you to see what stolen images of yours are there) create an account, and places a grey "modal" over the page that you land on with log in with facebook and login with google "ultra prominent".. the far safer and less "snoopy" create an account and log in options are far smaller, almost (but not quite) hidden on the page..



[edited by: not2easy at 1:32 pm (utc) on Sep 29, 2018]
[edit reason] topic drift [/edit]

4:30 pm on Sept 30, 2018 (gmt 0)

Senior Member from CA 

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month

joined:Nov 25, 2003
posts:1178
votes: 307


While the breach is egregious and underlines a critical lack of security consideration and oversight on the part of FB it is not surprising. It is pretty much business as usual for FB and most other enterprise sites/platforms.

What jumped immediately to my mind were
(1) the value of an automated data mining crawl of those accounts and the sites that can be logged in via FB - will be interesting to follow what does or doesn't show up as available in the dark underbelly.

(2) the vulnerability of the FB abused 2-factor phone numbers. And a couple other vectors. Cleanup of access vulnerabilities may not be as simple and straightforward as they think.

As the Web Churns is such an over the top soap opera it makes culebrones/telenovelas look bland.

It does provide lots of opportunities to indulge in popcorn though!
5:00 pm on Sept 30, 2018 (gmt 0)

Junior Member

Top Contributors Of The Month

joined:Sept 13, 2018
posts:147
votes: 31


It's the first breach since the GDPR was enforced (some accounts belong to EU citizens)... so the EU should address this according to the new GDPR rules, and sanctions.
10:54 am on Oct 1, 2018 (gmt 0)

Administrator from GB 

WebmasterWorld Administrator engine is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month Best Post Of The Month

joined:May 9, 2000
posts:25609
votes: 773


When you're talking about significant data breaches, such as this, the E.U. will investigate.
Ireland’s Data Protection Commission, which is Facebook’s lead privacy regulator in Europe, said Saturday that it has demanded more information from the company about the nature and scale of the breach, including which EU residents might be affected.


[wsj.com...]

Users have to take responsibility, too, and it's not just down to "the state" to deal with these. Very slowly, users are waking up to the fact that using one system to link through to other services is not a good idea. They can also vote with their feet.

One day, Facebook will show declining stats, and not just because of breaches, but because of "trust" or lack of trust.
I've already seen people I know that have closed their accounts, some citing trust issues, some citing the time-suck element of social media.
2:14 pm on Oct 2, 2018 (gmt 0)

Junior Member

Top Contributors Of The Month

joined:Sept 13, 2018
posts:147
votes: 31



The number of potentially affected EU accounts is less than 10% of the 50 million accounts in total potentially affected by the security breach.

[twitter.com...]

It still represents ~5 million EU users.
8:12 am on Oct 4, 2018 (gmt 0)

Administrator from GB 

WebmasterWorld Administrator engine is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month Best Post Of The Month

joined:May 9, 2000
posts:25609
votes: 773


Facebook publishes an update on the data breach, and it's clear that this is probably being taken much more seriously, especially following the Cambridge Analytica debacle. To Facebook, credibility is on the line.

We have now analyzed our logs for all third-party apps installed or logged in during the attack we discovered last week. That investigation has so far found no evidence that the attackers accessed any apps using Facebook Login.

Any developer using our official Facebook SDKs — and all those that have regularly checked the validity of their users’ access tokens – were automatically protected when we reset people’s access tokens. However, out of an abundance of caution, as some developers may not use our SDKs — or regularly check whether Facebook access tokens are valid — we’re building a tool to enable developers to manually identify the users of their apps who may have been affected, so that they can log them out.


This is a good reason to use official SDKs to help protect the services.
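
The periodic token check that the quoted statement refers to, as an added example that is not part of the thread and not Facebook's SDK code: a sweep that re-validates each stored login token and lists the local sessions to end. The introspection field names are assumptions modelled on the Graph API `debug_token` response, the provider call is injected as a hypothetical `introspect` function, and all sample data is constructed.

```python
import time

EXPECTED_APP_ID = "1234567890"  # constructed placeholder, not a real app id

def termination_reason(session, info, now):
    """Why a local session must end, or None to keep it.

    `info` is the data object of a token-introspection reply. The field names
    (is_valid, app_id, user_id, expires_at) are assumptions modelled on the
    Graph API debug_token response.
    """
    if info is None:
        return "introspection-failed"   # no answer from the provider
    if not info.get("is_valid", False):
        return "token-invalidated"      # e.g. reset on the provider side
    if info.get("app_id") != EXPECTED_APP_ID:
        return "wrong-app"              # token was issued to a different app
    if info.get("user_id") != session["fb_user_id"]:
        return "user-mismatch"          # token belongs to someone else
    expires_at = info.get("expires_at", 0)
    if expires_at and expires_at <= now:  # 0 is treated as "no expiry"
        return "expired"
    return None

def sweep(sessions, introspect, now=None):
    """Return {session_id: reason} for every session that should be logged out."""
    now = time.time() if now is None else now
    to_end = {}
    for sid, session in sessions.items():
        try:
            info = introspect(session["access_token"])
        except Exception:
            info = None                 # treat lookup errors as unverified
        reason = termination_reason(session, info, now)
        if reason:
            to_end[sid] = reason
    return to_end

# Constructed sample data: introspection replies keyed by token, and sessions.
REPLIES = {
    "tok-a": {"is_valid": True, "app_id": EXPECTED_APP_ID, "user_id": "u1", "expires_at": 2_000_000_000},
    "tok-b": {"is_valid": False, "app_id": EXPECTED_APP_ID, "user_id": "u2", "expires_at": 2_000_000_000},
    "tok-c": {"is_valid": True, "app_id": "999", "user_id": "u3", "expires_at": 0},
}
SESSIONS = {f"s{i}": {"fb_user_id": f"u{i}", "access_token": t}
            for i, t in enumerate(["tok-a", "tok-b", "tok-c", "tok-missing"], 1)}

def fake_introspect(token):
    return REPLIES[token]               # stands in for the real HTTPS call
```

In production, `introspect` would be the HTTPS request to the provider, and an `introspection-failed` result is better retried than acted on at once, so that a provider outage does not log every user out.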
7:49 pm on Oct 8, 2018 (gmt 0)

Senior Member

WebmasterWorld Senior Member bwnbwn is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Oct 25, 2005
posts:3587
votes: 44


It is bigger than FB has let on. In the last week I have seen so many FB accounts hacked it isn't funny. Even my wife said if you get a private message from someone don't open it. I asked her why, she said look at mine they were all hacked. She had a screen full of them. Bet it ends up 10 times the number FB has reported maybe more than that.
8:42 pm on Oct 8, 2018 (gmt 0)

Administrator from US 

WebmasterWorld Administrator not2easy is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Dec 27, 2006
posts:4017
votes: 246


There is a recent viral hoax of "fake" warnings from people on your Friends List who claim they received a new Friend Request from your account. There is an official FB warning at the top of the Newsfeed but the warnings hoax is widespread and growing.

If you got one of those messages, there are a couple of things you can do: First, check on your friend’s account and make sure it’s not a clone of their real account (if you search their name and find two completely identical accounts, that’s a pretty good sign that one is a clone). And if you were messaged by a “clone” of your friend, then report [facebook.com] that account to Facebook -- cloned accounts violate Facebook’s Community Standards.


Viral type alarming warning hoaxes are up since this news came out.
3:57 am on Oct 13, 2018 (gmt 0)

Administrator from US 

WebmasterWorld Administrator not2easy is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Dec 27, 2006
posts:4017
votes: 246


Update time because Facebook says [newsroom.fb.com] they have now completed their investigations into what data was accessed and will be notifying users whose private information was found to have been accessed. They have not ruled out smaller scale attacks, so there may be more to report, but the findings from this initial stage after closing the loophole are available now.

From their report on the 30 million people whose data is known to have been accessed:
For 15 million people, attackers accessed two sets of information – name and contact details (phone number, email, or both, depending on what people had on their profiles). For 14 million people, the attackers accessed the same two sets of information, as well as other details people had on their profiles. This included username, gender, locale/language, relationship status, religion, hometown, self-reported current city, birthdate, device types used to access Facebook, education, work, the last 10 places they checked into or were tagged in, website, people or Pages they follow, and the 15 most recent searches.


4:33 am on Oct 13, 2018 (gmt 0)

Moderator from US 

WebmasterWorld Administrator keyplyr is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Sept 26, 2001
posts:12786
votes: 878


And if you were messaged by a “clone” of your friend, then report that account to Facebook -- cloned accounts violate Facebook’s Community Standards

There is another bot (or the same one) messaging everyone with an exact match message saying the other profile is fake and if you get a message from them, report it.

So the clone is trying to kill off the original. I've received 3 of those.

Supposedly there is a FB page to check if your username/password are among those breached.
7:39 am on Oct 13, 2018 (gmt 0)

Junior Member

Top Contributors Of The Month

joined:Sept 13, 2018
posts:147
votes: 31


Apparently, this is "only" 29 million accounts.

[abcnews.go.com...]
8:36 pm on Oct 13, 2018 (gmt 0)

Senior Member from US 

WebmasterWorld Senior Member tangor is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Nov 29, 2005
posts:8684
votes: 693


The number has been further downgraded to "14 millions" and the FBI is investigating and asked FB to NOT reveal what they have learned. So, the question now is were these state actors, or merely criminal types? We already know they were rude.
8:39 pm on Oct 13, 2018 (gmt 0)

Senior Member from US 

WebmasterWorld Senior Member tangor is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Nov 29, 2005
posts:8684
votes: 693


Sadly, closed my FB account last month, so that means what little I ever let FB have might have been picked up in this event ... and since I am no longer on the product might never know what they might let me know. :)

Oh, well... life goes on.
10:33 am on Oct 15, 2018 (gmt 0)

Moderator from US 

WebmasterWorld Administrator keyplyr is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Sept 26, 2001
posts:12786
votes: 878


...what little I ever let FB have...
Well that's the FB ruse, that they let you control how much personal info you disclose.

They, Facebook themselves, collect much more info on you than you agree to. It's been discovered that FB had your search history, home address, phone numbers, browsing history, etc that 3rd parties got their hands on for some users.
 
