What are the risks relating to this information for users?

There are two predominant risks IDCARE has identified for users that have been exposed in this breach. The first relates to the risk to third-party accounts and services where the Facebook account credentials are also used as an accepted form of enrolment or authentication. There has been a significant growth in third party apps and online services that accept Facebook username and logins as their own log in credentials. Users are encouraged to review these accounts and if necessary (and possible) amend their security settings. The period that this exposure was most at risk was between 14 September 2018 and 28 September 2018 – the period from when the attackers gained access to the tokens to when Facebook force logged out around 90 million user accounts.

The second key risk relates to identity theft and what is known as “social engineering” risks. For users who had username, gender, location, language, relationship status, religion, hometown, current city, birthdate, etc. compromised, this information can present identity theft and related fraud risks. Whilst this information alone presents minimal risks of identity theft – most often other credential information is needed by criminals – this information does present an opportunity to socially engineer engagements between criminals and users in order to elicit more risky personal information. IDCARE receives reports on this type of criminal engagement every day from across the Australian and NewZealand communities. Social engineering remains amongst the more common form identity theft and related risks materialise.

For example, there is a current phishing campaign reported to IDCARE from impacted community members that relates to the provisioning of old passwords to users and an extortion attempt to try and convince recipients that the criminals have even more details and that without payment these details will be exposed by the criminals publicly. IDCARE assesses that this phishing campaign has leveraged from data acquired from prior data breaches impacting other social networking services. This remains an enduring future risk for the users of Facebook caught up in this most recent breach.

IDCARE advice to impacted users on what to do

• Run anti-virus on all of your Internet-enabled devices and ensure you have updated your applications and operating systems.
• Log out of Facebook, change your password and consider initiating second- factor authentication.
• Log out of all other connected applications and services that rely on your Facebook username and password and log in using your new password.
• Be very careful responding to emails, social media communications, and text messaging that ask you to open links or attachments.
• Look for any unusual activity relating to your Facebook and relevant third party applications, such as log in and usage histories, posts or changes to rules, user access or related settings that do not accord to your own usage.
• Limit the amount of personal information you store and share on Facebook and related social media.
• Remove all personal information, including identity credential information, sent and received on your email accounts.
• Keep checking Facebook for any further updates about this breach.

For more on Facebook security please see our Facebook Security Fact Sheet.

We also have Fact Sheets on;

• Instagram Security
• Twitter Security
• LinkedIn Security