In September 2018 Facebook revealed that it had experienced a data breach that was thought to have impacted around 50 million accounts. Overnight Facebook has now revised the estimate of impacted users to 29 million accounts.
Details provided by Facebook about the nature of the breach have not changed. Facebook first detected the breach on 25 September 2018. The breach was believed to have occurred between 14 and 27 September 2018. The breach was malicious: the attackers exploited vulnerabilities relating to Facebook user access tokens. These tokens allow users to access their Facebook accounts without having to perform the login process each time. The information was accessed via Facebook’s own systems and not the users’ devices – in other words, it is believed that the information was not stolen because a user had their device hacked.
What information was compromised?
Facebook has indicated that for around half of the impacted user accounts (around 15 million users), the token access enabled the compromise of name and contact information (such as email address and phone number). For 14 million other account holders, the attackers were able to access the same information in addition to username, gender, location, language, relationship status, religion, hometown, current city, birthdate, education, work, places where they checked in or were tagged, website, people or Pages followed, recent searches and device types used to access Facebook. There were a further one million account holders where the attackers were able to access the tokens, but did not access any other details.
What are the risks relating to this information for users?
There are two predominant risks IDCARE has identified for users who have been exposed in this breach. The first relates to third-party accounts and services where the Facebook account is also accepted as a form of enrolment or authentication. There has been significant growth in third-party apps and online services that accept a Facebook login in place of their own credentials. Users are encouraged to review these accounts and, if necessary (and possible), amend their security settings. The period of greatest exposure was between 14 September 2018 and 28 September 2018 – the period from when the attackers gained access to the tokens to when Facebook forcibly logged out around 90 million user accounts.
The second key risk relates to identity theft and what is known as “social engineering” risks. For users who had username, gender, location, language, relationship status, religion, hometown, current city, birthdate, etc. compromised, this information can present identity theft and related fraud risks. Whilst this information alone presents minimal risk of identity theft – most often criminals need other credential information as well – it does present an opportunity to socially engineer engagements between criminals and users in order to elicit more sensitive personal information. IDCARE receives reports of this type of criminal engagement every day from across the Australian and New Zealand communities. Social engineering remains among the more common ways in which identity theft and related risks materialise.
For example, there is a current phishing campaign reported to IDCARE by impacted community members in which criminals present users with their old passwords and attempt extortion, trying to convince recipients that the criminals hold even more details which will be published unless payment is made. IDCARE assesses that this phishing campaign has leveraged data acquired from prior data breaches impacting other social networking services. This remains an enduring future risk for the users of Facebook caught up in this most recent breach.
IDCARE advice to impacted users on what to do
Run anti-virus on all of your Internet-enabled devices and ensure you have updated your applications and operating systems.
Log out of Facebook, change your password and consider enabling second-factor authentication.
Log out of all other connected applications and services that rely on your Facebook username and password and log in using your new password.
Be very careful responding to emails, social media communications, and text messaging that ask you to open links or attachments.
Look for any unusual activity relating to your Facebook account and relevant third-party applications, such as login and usage histories, posts, or changes to rules, user access or related settings that do not accord with your own usage.
Limit the amount of personal information you store and share on Facebook and related social media.
Remove all personal information, including identity credential information, sent and received on your email accounts.
Keep checking Facebook for any further updates about this breach.
IDCARE is here to provide you with specialist support and guidance when faced with a cyber and identity related issue. Contact one of our Identity & Cyber Security Case Managers to learn more about our Support Services and how we can help you.