The security breach was announced on September 28 by Facebook and affected at least 50 million users. The attackers exploited bugs in the platform's “View As” privacy feature; the bugs date from July 2017, when Facebook introduced a new video uploader.
The uploader feature appeared as active in the “View As” feature and created an access token, which was not supposed to happen. Access tokens act as a key that keeps users logged in to their accounts and provides access to other platforms. This is a convenience to reduce the need to enter login credentials.
What to do now? Reconsider the use of the Facebook login feature. Using the login feature of platforms or reusing the same password across various platforms is not worth the risk taken for the small amount of convenience.
Check your privacy settings and credential recovery options on Facebook and your other platforms. Ensure you know how they are configured and update them. Facebook had a security update post in their developer’s blog suggesting users visit the “Security and Login” tab on the site's settings menu to review platforms connected through Facebook.
Change your password to something hard to guess and unique. This breach apparently did not get passwords but access tokens instead. It will do no harm to update your password on Facebook and your other platforms.
Enable 2FA (two-factor authentication) using a third-party app like Google Authenticator or Authy, both of which are free. Two-factor authentication requires you to do something to verify your identity beyond supplying a password. There is the option to receive an e-mail or text message, but using an app may reduce the risk of the 2FA messages being intercepted.
Turning on notifications for every login to your accounts across platforms could seem like overkill in the beginning. It does settle down once you establish the pattern of where and when you log in. Knowing that helps to keep you informed.
- Image: Pixabay, LoboStudioHamburg