What information was compromised?

Facebook has indicated that for around half of the impacted user accounts (around 15 million users), the token access enabled the compromise of name and contact information(such as email address and phone number). For 14 million other account holders, the attackers were able to access the same information in addition to username, gender, location, language, relationship status, religion, hometown, current city, birthdate, education, work, places where they checked in or were tagged, website, people or Pages followed, recent searches and device types used to access Facebook. There were a further one million account holders where the attackers were able to access the tokens, but did not access any other details.

Facebook has provided some details which have been updated on its website at Facebook Security Notice

Facebook Security Incident Update
What are the risks relating to this information for users?

There are two predominant risks IDCARE has identified for users that have been exposed in this breach. The first relates to the risk to third-party accounts and services where the Facebook account credentials are also used as an accepted form of enrolment or authentication. There has been a significant growth in third party apps and online services that accept Facebook username and logins as their own log in credentials. Users are encouraged to review these accounts and if necessary (and possible) amend their security settings. The period that this exposure was most at risk was between 14 September 2018 and 28 September 2018 – the period from when the attackers gained access to the tokens to when Facebook force logged out around 90 million user accounts.

The second key risk relates to identity theft and what is known as “social engineering” risks. For users who had username, gender, location, language, relationship status, religion, hometown, current city, birthdate, etc. compromised, this information can present identity theft and related fraud risks. Whilst this information alone presents minimal risks of identity theft – most often other credential information is needed by criminals – this information does present an opportunity to socially engineer engagements between criminals and users in order to elicit more risky personal information. IDCARE receives reports on this type of criminal engagement every day from across the Australian and NewZealand communities. Social engineering remains amongst the more common form identity theft and related risks materialise.

For example, there is a current phishing campaign reported to IDCARE from impacted community members that relates to the provisioning of old passwords to users and an extortion attempt to try and convince recipients that the criminals have even more details and that without payment these details will be exposed by the criminals publicly. IDCARE assesses that this phishing campaign has leveraged from data acquired from prior data breaches impacting other social networking services. This remains an enduring future risk for the users of Facebook caught up in this most recent breach.

IDCARE advice to impacted users on what to do
  • Run anti-virus on all of your Internet-enabled devices and ensure you have updated your applications and operating systems.
  • Log out of Facebook, change your password and consider initiating second- factor authentication.
  • Log out of all other connected applications and services that rely on your Facebook username and password and log in using your new password.
  • Be very careful responding to emails, social media communications, and text messaging that ask you to open links or attachments.
  • Look for any unusual activity relating to your Facebook and relevant third party applications, such as log in and usage histories, posts or changes to rules, user access or related settings that do not accord to your own usage.
  • Limit the amount of personal information you store and share on Facebook and related social media.
  • Remove all personal information, including identity credential information, sent and received on your email accounts.
  • Keep checking Facebook for any further updates about this breach.

For more on Facebook security please see our Facebook Security Fact Sheet.

We also have Fact Sheets on;


Success Stories!

Other News

IDCARE is always active in the media from radio to TV, social media and news articles. Keep up to date with what's happening at IDCARE and in the media.

You can now report a phishing scam to IDCARE

Information sharing is an important way to help keep IDCARE informed.

more info

iappANZ Annual Summit – Melbourne 2018

Australian Information and Privacy Commissioner discusses latest quarterly report on the Notifiable Data Breaches scheme.

more info

Cathay Pacific Data Breach

Today Cathay Pacific publicly notified the probable compromise of personal and account related information of some 9.4m customers.

more info
Data Breaches

Success Stories!


IDCARE is here to provide you with specialist support and guidance when faced with a cyber and  identity related issue. Contact one of our Identity & Cyber Security Counsellors to learn more about our Support Services and how we can help you.   


1300 432 273
Mon - Fri : 8am - 5pm AEST


0800 201 415
Mon - Fri: 10am - 7pm NZST