On Friday, September 28th, Facebook announced a breach that impacted 50 million users. In this breach, malicious actors exploited a series of bugs, including a weakness in Facebook’s “View As” feature, which allows users to see how their profile appears to others. Using these bugs, the attackers also stole the digital keys that allow users to stay logged in to Facebook without re-entering their password. Together, these vulnerabilities allowed attackers to take over user accounts and possibly gain access to apps that users log in to through Facebook, such as Instagram and Spotify. Facebook has temporarily turned off the “View As” feature and has stated that the vulnerabilities have otherwise been fixed.
Facebook further states that impacted users will see a message about the breach at the top of their News Feed when they next log in. The FTC has advised users to be on the lookout for the following and to consider the steps below:
- Imposter scams, in which malicious actors pose as someone you know or a company you do business with. Remember that phone numbers and email addresses can be spoofed: a call or email that appears to come from a familiar phone number, person or entity may actually be coming from a malicious actor. Use discretion and never provide personal or sensitive information to callers, even when threats are made or the call conveys a sense of urgency. When in doubt, call the person or entity back at a contact phone number you have obtained independently to confirm the information you received by phone or email. For more information on phishing and phone scams, please see the following NYU IT Connect articles: “Learn to Spot a Phony; Detecting and Avoiding Phone Scams” and “Phishing, Spear Phishing and Whaling.”
- Consider changing your Facebook password, even though Facebook has advised that this is not necessary, and change your security questions as well, especially if the answers to your security questions can be found on your Facebook profile. If you used the same password for other accounts (which is not a recommended practice), change those passwords too, since a password exposed in one breach is commonly tried against other services. For password recommendations and best practices, please see the following NYU IT Connect article: “Under Lock and Passphrase.”