In September 2018 Facebook revealed that it had experienced a data breach that was thought to have impacted around 50 million accounts. Overnight Facebook has now revised the estimate of impacted users to 29 million accounts.
Details provided by Facebook about the nature of the breach have not changed. Facebook first detected the breach on 25 September 2018. The breach was believed to have occurred between 14 and 27 September 2018. The breach was malicious and the attackers exploited detected vulnerabilities relating to Facebook user token information. These tokens allow users to access their Facebook accounts without having to perform the login process each time. This information was accessed via Facebook and not the users’ devices – in other words, it is believed that the information was not stolen because a user had their device hacked.
Facebook has indicated that for around half of the impacted user accounts (around 15 million users), the token access enabled the compromise of name and contact information(such as email address and phone number). For 14 million other account holders, the attackers were able to access the same information in addition to username, gender, location, language, relationship status, religion, hometown, current city, birthdate, education, work, places where they checked in or were tagged, website, people or Pages followed, recent searches and device types used to access Facebook. There were a further one million account holders where the attackers were able to access the tokens, but did not access any other details.
Facebook has provided some details which have been updated on its website at Facebook Security Notice
There are two predominant risks IDCARE has identified for users that have been exposed in this breach. The first relates to the risk to third-party accounts and services where the Facebook account credentials are also used as an accepted form of enrolment or authentication. There has been a significant growth in third party apps and online services that accept Facebook username and logins as their own log in credentials. Users are encouraged to review these accounts and if necessary (and possible) amend their security settings. The period that this exposure was most at risk was between 14 September 2018 and 28 September 2018 – the period from when the attackers gained access to the tokens to when Facebook force logged out around 90 million user accounts.
The second key risk relates to identity theft and what is known as “social engineering” risks. For users who had username, gender, location, language, relationship status, religion, hometown, current city, birthdate, etc. compromised, this information can present identity theft and related fraud risks. Whilst this information alone presents minimal risks of identity theft – most often other credential information is needed by criminals – this information does present an opportunity to socially engineer engagements between criminals and users in order to elicit more risky personal information. IDCARE receives reports on this type of criminal engagement every day from across the Australian and NewZealand communities. Social engineering remains amongst the more common form identity theft and related risks materialise.
For example, there is a current phishing campaign reported to IDCARE from impacted community members that relates to the provisioning of old passwords to users and an extortion attempt to try and convince recipients that the criminals have even more details and that without payment these details will be exposed by the criminals publicly. IDCARE assesses that this phishing campaign has leveraged from data acquired from prior data breaches impacting other social networking services. This remains an enduring future risk for the users of Facebook caught up in this most recent breach.
For more on Facebook security please see our Facebook Security Fact Sheet.
We also have Fact Sheets on;
How do you look after your cyber security when your toaster is connected to the WiFi?Read more...