October 27, 2018 - November 2, 2018
How to check what Facebook hackers accessed in your account
hackers have been able to see the last person you cyberstalked, or that
party photo you were tagged in? According to Facebook, the unfortunate
answer is “yes.” (AP Photo/Ben Margot, File)
New York (AP) -
Could hackers have been able to see the last person you cyberstalked, or
that party photo you were tagged in? According to Facebook, the
unfortunate answer is “yes.”
On Friday, the social network said
fewer users were affected in a security breach it disclosed two weeks
ago than originally estimated - nearly 30 million, down from 50 million.
In additional good news, the company said hackers weren’t able to access
more sensitive information like your password or financial information.
And third-party apps weren’t affected.
Still, for users already uneasy
about the privacy and security of their Facebook accounts after a year
of tumult, the details that hackers did gain access to - gender,
relationship status, hometown and other info - might be even more
Facebook has been quick to let
users check exactly what was accessed. But beyond learning what
information the attackers accessed, there’s relatively little that users
can do - beyond, that is, watching out for suspicious emails or texts.
Facebook says the problem has been fixed.
The company set up a website that
its 2 billion global users can use to check if their accounts have been
accessed, and if so, exactly what information was stolen. It will also
provide guidance on how to spot and deal with suspicious emails or
texts. Facebook will also send messages directly to those people
affected by the hack.
On that page, following some
preliminary information about the investigation, the question “Is my
Facebook account impacted by this security issue?” appears midway down.
It will also provide information specific to your account if you’re
logged into Facebook.
Facebook said the hackers accessed
names, email addresses or phone numbers from these accounts. For 14
million of them, hackers got even more data - basically anything
viewable on your account that any of your friends could see, and more.
It’s a pretty extensive list: user name, gender, locale or language,
relationship status, religion, hometown, self-reported current city,
birthdate, device types used to access Facebook, education, work, the
last 10 places you checked into or were tagged in, your website, people
or pages you follow and your 15 most recent searches.
An additional 1 million accounts
were affected, but hackers didn’t get any information from them.
The company isn’t giving a
breakdown of where these users are, but says the breach was “fairly
broad.” It plans to send messages to people whose accounts were hacked.
Facebook said the FBI is
investigating, but asked the company not to discuss who may be behind
the attack. The company said it hasn’t ruled out the possibility of
smaller-scale attacks that used the same vulnerability.
The company said it has fixed the
bugs and logged out affected users to reset those digital keys.
Facebook Vice President Guy Rosen
said in a Friday call with reporters that the company hasn’t ruled out
the possibility that other parties might have launched other, smaller
scale efforts to exploit the same vulnerability before it was disabled.
Patrick Moorhead, founder of Moor
Insights & Strategy, said the breach appeared similar to identity theft
breaches that have occurred at companies including Yahoo and Target in
“Those personal details could
very easily be used for identity theft to sign up for credit cards, get
a loan, get your banking password, etc.,” he said. “Facebook should
provide all those customers free credit monitoring to make sure the
damage is minimized.”
Thomas Rid, a professor at the
Johns Hopkins University, also said the evidence, particularly the size
of the breach, seems to point to a criminal motive rather than a
sophisticated state operation, which usually targets fewer people.
“This doesn’t sound very targeted
at all,” he said. “Usually when you’re looking at a sophisticated
government operation, then a couple of thousand people hacked is a lot,
but they usually know who they’re going after.”
October 13, 2018 - October 19, 2018
What comes next in Facebook’s major data breach?
Matt O’Brien & Mae Anderson
New York (AP) -
For users, Facebook’s revelation of a data breach that gave attackers
access to 50 million accounts raises an important question: What happens
For the owners of
the affected accounts, and of another 40 million that Facebook
considered at risk, the first order of business may be a simple one:
sign back into the app. Facebook logged everyone out of all 90 million
accounts in order to reset digital keys the hackers had stolen - keys
normally used to keep users logged in, but which could also give
outsiders full control of the compromised accounts.
Next up is the
waiting game, as Facebook continues its investigation and users scan for
notifications that their accounts were targeted by the hackers.
What Facebook knows
so far is that hackers got access to the 50 million accounts by
exploiting three distinct bugs in Facebook’s code that allowed them to
steal those digital keys, technically known as “access tokens”. The
company says it has fixed the bugs.
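The passage above describes access tokens as bearer "digital keys" and the fix of logging users out so that stolen copies stop working. The following is an added illustration, not Facebook's code: a token service that records a per-user generation number in each token, so that one server-side bump (a forced logout) rejects every token issued earlier, stolen or not. The token format, function names and signing key are all assumptions.

```python
# Added example (not Facebook's code): invalidating every outstanding
# access token for a user at once, the way a forced logout "resets" keys.
# A bearer token is the user until the server stops honoring it, so
# revocation has to be a server-side decision, not a client-side one.
import base64, hashlib, hmac, secrets, time
from typing import Optional

SERVER_KEY = secrets.token_bytes(32)   # constructed per-process signing key

# user_id -> generation counter. Every token records the generation current
# at issue time; bumping it makes all earlier tokens fail validation.
_generation: dict = {}

def _sign(payload: str) -> str:
    return hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()

def issue_token(user_id: str, ttl_s: int = 3600, now=None) -> str:
    """Mint an HMAC-signed token: user|generation|expiry|signature."""
    now = int(time.time() if now is None else now)
    gen = _generation.setdefault(user_id, 0)
    payload = f"{user_id}|{gen}|{now + ttl_s}"
    return base64.urlsafe_b64encode(f"{payload}|{_sign(payload)}".encode()).decode()

def validate_token(token: str, now=None) -> Optional[str]:
    """Return the user_id if the token is authentic, unexpired and current."""
    now = int(time.time() if now is None else now)
    try:
        parts = base64.urlsafe_b64decode(token.encode()).decode().split("|")
        user_id, gen, exp, sig = parts          # exactly four fields expected
    except (ValueError, UnicodeDecodeError):
        return None
    if not hmac.compare_digest(sig, _sign(f"{user_id}|{gen}|{exp}")):
        return None                             # forged or tampered
    if int(exp) < now:
        return None                             # expired normally
    if int(gen) != _generation.get(user_id, 0):
        return None                             # issued before a forced logout
    return user_id

def force_logout(user_id: str) -> None:
    """Invalidate every token the user holds, including any stolen copy."""
    _generation[user_id] = _generation.get(user_id, 0) + 1
```

A stolen token that is still unexpired and correctly signed is rejected solely because its generation is stale, which is the property a mass logout relies on.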
Users don’t need to
change their Facebook passwords, it said, although security experts say
it couldn’t hurt to do so.
doesn’t know who was behind the attacks or where they’re based. In a
call with reporters on Friday, CEO Mark Zuckerberg - whose own account
was compromised - said that attackers would have had the ability to view
private messages or post on someone’s account, but there’s no sign that
“We do not yet know
if any of the accounts were actually misused,” Zuckerberg said.
The hack is the
latest setback for Facebook during a tumultuous year of security
problems and privacy issues. So far, though, none of these issues have
significantly shaken the confidence of the company’s 2 billion global
This latest hack
involved bugs in Facebook’s “View As” feature, which lets people see how
their profiles appear to others. The attackers used that vulnerability
to steal access tokens from the accounts of people whose profiles came
up in searches using the “View As” feature. The attack then moved along
from one user’s Facebook friend to another. Possession of those tokens
would allow attackers to control those accounts.
One of the bugs was
more than a year old and affected how the “View As” feature interacted
with Facebook’s video uploading feature for posting “happy birthday”
messages, said Guy Rosen, Facebook’s vice president of product
management. But it wasn’t until mid-September that Facebook noticed an
uptick in unusual activity, and not until this week that it learned of
the attack, Rosen said.
“We haven’t yet
been able to determine if there was specific targeting” of particular
accounts, Rosen said in a call with reporters. “It does seem broad. And
we don’t yet know who was behind these attacks and where they might be
nor credit card data was stolen, Rosen said. He said the company has
alerted the FBI and regulators in the United States and Europe.
Jake Williams, a
security expert at Rendition Infosec, said he is concerned that the hack
could have affected third party applications.
Williams noted that
the company’s “Facebook Login” feature lets users log into other apps
and websites with their Facebook credentials. “These access tokens that
were stolen show when a user is logged into Facebook and that may be
enough to access a user’s account on a third party site,” he said.
late Friday that third party apps, including its own Instagram app,
could have been affected.
was on Facebook, but these access tokens enabled someone to use the
account as if they were the account-holder themselves,” Rosen said.
News broke early
this year that a data analytics firm once employed by the Trump
campaign, Cambridge Analytica, had improperly gained access to personal
data from millions of user profiles. Then a congressional investigation
found that agents from Russia and other countries have been posting fake
political ads since at least 2016. In April, Zuckerberg appeared at a
congressional hearing focused on Facebook’s privacy practices.
The Facebook bug is
reminiscent of a much larger attack on Yahoo in which attackers
compromised 3 billion accounts - enough for half of the world’s entire
population. In the case of Yahoo, information stolen included names,
email addresses, phone numbers, birthdates and security questions and
answers. It was among a series of Yahoo hacks over several years.
later blamed Russian agents for using the information they stole from
Yahoo to spy on Russian journalists, U.S. and Russian government
officials and employees of financial services and other private
In Facebook’s case,
it may be too early to know how sophisticated the attackers were and if
they were connected to a nation state, said Thomas Rid, a professor at
the Johns Hopkins University. Rid said it could also be spammers or
“Nothing we’ve seen
here is so sophisticated that it requires a state actor,” Rid said.
“Fifty million random Facebook accounts are not interesting for any
October 6, 2018 - October 12, 2018
Beyond fake news? Facebook to fact check photos, videos
says it’s expanding its fact-checking program to include photos and
videos as it fights fake news and misinformation on its service. (AP
Photo/Marcio Jose Sanchez, File)
New York (AP) -
Facebook says it is expanding its fact-checking program to include
photos and videos as it fights fake news and misinformation on its
Malicious groups seeking to sow
political discord in the U.S. and elsewhere have been embracing images
and video to spread misinformation.
The company has been testing the
image fact-checks since the spring, beginning with France and the news
agency AFP. Now, it will send all of its 27 third-party fact-checkers
disputed photos and videos to verify. Fact-checkers can also find them
on their own.
Facebook will label images or video
found to be untrue or misleading as such.
Facebook says the fact-checkers use
visual verification techniques such as reverse image searching and
analyzing image metadata to check the veracity of photos and videos.
How Apple’s Safari browser will try to thwart data tracking
19, 2018, file photo shows the Safari app on an iPad in Baltimore. New
privacy features in Apple’s Safari browser seek to make it tougher for
companies such as Facebook to track you. (AP Photo/Patrick Semansky)
New York (AP) -
New privacy features in Apple’s Safari browser seek to make it tougher for
companies such as Facebook to track you.
Companies have long
used cookies to remember your past visits. This can be helpful for saving
sign-in details and preferences. But now they’re also being used to profile
you in order to fine-tune advertising to your tastes and interests.
Cookie use goes beyond
visiting a particular website. As other sites embed Facebook “like” and
“share” buttons, for instance, Facebook’s servers are being pinged and can
access your stored cookies. That means Facebook now knows you frequent
celebrity gossip sites or read news with a certain political bent. Ads can
be tailored to that.
Here’s how Safari is
getting tougher in dealing with that.
more grace period
Safari used to wait 24
hours from your last visit to a service before blocking that service’s
cookies on third-party sites. That effectively exempted Facebook, Google and
other services that people visited daily. Now, Safari will either block the
cookie automatically or prompt you for permission.
Apple says Safari will
still be able to remember sign-in details and other preferences, though some
websites have had to adjust their coding.
reveal seemingly innocuous information about your device, such as the
operating system used and fonts installed. Websites use this to make minor
adjustments in formatting so that pages display properly.
historically made a lot of information available, largely because it seemed
harmless. Now it’s clear that all this data, taken together, can be used to
uniquely identify you. Safari will now hide many of those specifics so that
you will look no different from the rest.
It’s like a system that
digitally blurs someone’s image, said Lance Cottrell, creator of the privacy
service Anonymizer. “You can tell it’s a person and not a dog, but you can’t
recognize a person’s face,” he said.
For instance, Safari
will reveal only the fonts that ship with the machine, not any custom fonts
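To make the "taken together, can be used to uniquely identify you" point concrete, here is an added toy model that is not from the article or from Apple. It fingerprints a constructed population of devices with and without custom fonts exposed and reports how many devices remain individually identifiable; the population, attribute values and function names are all constructed, and Safari's real policy is more nuanced than a single font filter.

```python
# Added example (constructed, not Apple's code): how hiding custom fonts
# shrinks what a tracker can distinguish across a population of devices.
import hashlib, math
from collections import Counter

SHIPPED_FONTS = ("Helvetica", "Times", "Courier")   # constructed default set

# Constructed population of (os, screen, installed fonts). Most devices look
# alike except for a font or two the owner added.
POPULATION = [
    ("macOS 10.14", "1440x900", SHIPPED_FONTS + ("Fira Code",)),
    ("macOS 10.14", "1440x900", SHIPPED_FONTS + ("Roboto",)),
    ("macOS 10.14", "1440x900", SHIPPED_FONTS),
    ("macOS 10.14", "1440x900", SHIPPED_FONTS + ("Fira Code", "Roboto")),
    ("iOS 12", "375x812", SHIPPED_FONTS),
    ("iOS 12", "375x812", SHIPPED_FONTS),
    ("macOS 10.13", "2560x1440", SHIPPED_FONTS + ("Inconsolata",)),
    ("macOS 10.13", "2560x1440", SHIPPED_FONTS),
]

def fingerprint(device, hide_custom_fonts: bool) -> str:
    """Hash of the attributes a site can observe for one device."""
    os_name, screen, fonts = device
    if hide_custom_fonts:          # Safari-style: reveal only shipped fonts
        fonts = tuple(f for f in fonts if f in SHIPPED_FONTS)
    material = "|".join([os_name, screen, ",".join(sorted(fonts))])
    return hashlib.sha256(material.encode()).hexdigest()[:16]

def anonymity_report(population, hide_custom_fonts: bool) -> dict:
    """How identifying the exposed attributes are across the population."""
    counts = Counter(fingerprint(d, hide_custom_fonts) for d in population)
    n = len(population)
    unique = sum(1 for c in counts.values() if c == 1)
    # Shannon entropy (bits) of the fingerprint distribution: higher means
    # the observable attributes carry more identifying information.
    entropy = -sum((c / n) * math.log2(c / n) for c in counts.values())
    return {"distinct": len(counts), "uniquely_identified": unique,
            "entropy_bits": round(entropy, 3)}

if __name__ == "__main__":
    print("full exposure:", anonymity_report(POPULATION, False))
    print("custom fonts hidden:", anonymity_report(POPULATION, True))
```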
When visiting a
website, the browser usually sends the web address for the page you were
just on. This address can be quite detailed and reveal the specific product
you were exploring at an e-commerce site, for instance.
Now, Safari will just
pass on the main domain name for that site. So it would be just “Amazon.com”
rather than the specific product page at Amazon.
Closing a loophole
Some ad companies have
sought to bypass restrictions on third-party cookies - that is, identifiers
left by advertisers - by using a trick that routed them through a series of
websites. That could make a third-party cookie look like it belonged to a
site you’re visiting. Safari will now try to catch that.
Many of the safeguards
will be limited to cookies that Apple deems to be trackers. That’s being
done to reduce the likelihood of inadvertently blocking legitimate