Can You Hack It? The Facebook Data Breach And You

Are you still on Facebook?  Have you checked your account lately?  (Who am I kidding—of course you have.  Most people check it a million times a day.)  Have you been logged out suddenly in the past couple of weeks, though?  Have you gotten a friend request from someone you thought you were already friends with?  If you’re confused, you’re not alone.  But we can sit down and untangle this so that we can see the lay of the land.  Grab a cup of coffee, compadre.

The Breach

Does anyone ever see the sign in page anymore?

Facebook has admitted to the biggest security breach in the company’s history.  Attackers accessed approximately 30 million Facebookers’ phone numbers and e-mail addresses, and also managed to gather even more information from about 14 million people.  For the 14 million hit hardest, attackers were able to gather information regarding usernames, genders, location, relationship statuses, birthdates, phone numbers, check-in points, and all kinds of other goodies.  That’s a LOT of information.

How Did They Do It?

From what we know, the hackers exploited something called “access tokens” along with bugs in the computer code that makes up Facebook.

When you enter your username and password on a website or an app, like Facebook, your web browser or your device (smartphone) is sent something called an “access token” that keeps you logged into your account so that you don’t have to put in your information every time you come back.  This is actually why Facebook logged some 90 million users out of their accounts—to reset the tokens.
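To make the token idea concrete, here is a small added example (not Facebook's code and not part of the original post) of a server that hands out access tokens and can reset them. The `SessionStore` class, its method names and the sample user are all assumptions made up for illustration.

```python
import hashlib
import secrets


class SessionStore:
    """Toy server-side token store (hypothetical, for illustration only)."""

    def __init__(self):
        self._tokens = {}  # sha256(token) -> user; the raw token is never stored

    @staticmethod
    def _digest(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def login(self, user, password, check_password):
        # The password is checked once; after that only the token is needed.
        if not check_password(user, password):
            return None
        token = secrets.token_urlsafe(32)  # long, unguessable random value
        self._tokens[self._digest(token)] = user
        return token

    def whoami(self, token):
        # Whoever presents a valid token is treated as that user.
        return self._tokens.get(self._digest(token))

    def revoke_user(self, user):
        # The "reset": forget every token issued to this user.
        stale = [d for d, u in self._tokens.items() if u == user]
        for d in stale:
            del self._tokens[d]
        return len(stale)


def demo():
    passwords = {"alice": "correct horse battery staple"}  # constructed sample

    def check(user, password):
        return secrets.compare_digest(passwords.get(user, ""), password)

    store = SessionStore()
    token = store.login("alice", passwords["alice"], check)
    before = store.whoami(token)          # the token alone identifies alice
    revoked = store.revoke_user("alice")  # server resets her tokens
    after = store.whoami(token)           # any copy of the old token is dead
    fresh = store.login("alice", passwords["alice"], check)
    return before, revoked, after, store.whoami(fresh)
```

The reset invalidates every copy of the old token, wherever it ended up, and the unchanged password still works for signing back in.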

When Did It Happen?

That’s the tricky question.  When you’re talking about a data breach, a lot of times an attacker can be inside the system undetected for a long time before they’re spotted.  If you’ve ever wondered why it’s important to keep your computer security up to date (even at home), this is a pretty good reason.  You may not know an attacker is trying to get into your computer until it’s too late.  In most cases where a data breach is discovered, the attacker has actually been poking around in the system for a while before they’re found out.  The time can vary—days, weeks, months—but they are rarely found out right away.

The vulnerability in the Facebook access tokens was introduced in July 2017—but Facebook didn’t find out about it until September 2018, over a year later.  And they only discovered the problem because they noticed an “unusual spike of activity,” not because they caught the vulnerability in the code themselves.

The investigation continues, deep in the Matrix…

Who Stole My Facebook?

Right now, with the investigation still ongoing, the only information that Facebook is releasing is basically “we don’t know.”  So far, the news outlets are saying that the evidence does not point to a nation-state being the source of the attack, so our information probably isn’t in the hands of the Russian or Chinese governments.

What Do I Do?

It’s important to note that the attackers only used the access tokens—they didn’t actually snag anyone’s passwords (that we’re aware of, anyway).  BUT.  If you haven’t yet, it’s a good idea to go ahead and change your password anyway.  You really should be doing that on a regular basis, but sometimes life gets in the way.  And when you change your password, DON’T base it on any personally identifiable information (like the information that could possibly have been extracted—names, birthdates, addresses).  For example, you probably don’t want to have a password like “Stacysmom1234” or “1234NewtonStreet.”

What About Duplicate Accounts?

This part isn’t so much about the Facebook data breach—this one is for J.D. and my dear father-in-law.  He called us and said that he thought his Facebook account had been hacked because friends of his were getting Facebook Friend Requests from him, even though they were already Friends.  He was very upset about this, understandably so.  If you’ve seen this lately, you’re not alone.  There are lots of people putting up posts claiming that they’ve been “hacked” because duplicate accounts are popping up with someone claiming to be them.  (There’s something very “meta” about this idea.  Maybe we can make a sequel to Inception based on this concept.)

If you have people asking you about friend requests that you have not sent, but that appear to come from you, more than likely you have not been hacked.  The term “hack” refers to using a computer to gain unauthorized access to data in a system.  Like thieves breaking into your house and gaining access to your stuff, hackers break into your account and gain access to your information.  However, there is a little bit of a difference between hacking and spoofing.

Most likely, these Facebook accounts haven’t been “hacked” in the strict definition of the word.  It’s more likely that these duplicate accounts are “spoofs” of the original.  Someone creates an account that looks like you, based on the information that you’ve already put out there and is accessible to everybody.  They didn’t break in and steal it—you’ve already had it on display.  And by pretending to be you, these spoofers are trying to social engineer their way around Facebook, looking to farm your friends for information.  That probably sounds intimidating, but it doesn’t have to be.

Rule One—The Doctor Lies.  (No, not your doctor.  THE Doctor.)  But Rule Two is:  Don’t accept friend requests from people you don’t know.  And Rule Three:  Don’t accept friend requests from people you’re already friends with!  If you think something looks fishy, it’s probably phishy.

Facebook is great—we love watching cat videos and following the antics of Ditch Kitty and Cole and Marmalade on their pages.  Unfortunately, this string of bad luck Facebook appears to be having this year is not exactly giving us the warm fuzzies.  Hopefully, Zuckerberg and crew will learn more about the importance of security through this.  But maybe Facebook users also need to demand more responsibility, more security measures from the company in order to keep the “community” free and fearless.

 

As always, the Wordsmith does not get paid for any mentions or shout-outs we give in this post.