Similar to the Instagram data breach we reported here, Facebook, the most popular social networking platform in the world, is in hot water for its lax policies on data management and the privacy of its userbase. With 1.4 billion users active daily, sharing updates, pictures, and videos, it’s important that their sensitive information stays safe. As attackers get more sophisticated and need less interaction from unsuspecting victims, something as simple as your phone number landing in the wrong hands can be the first step toward all of your personal information being compromised.
How Was Facebook Hacked?
On April 3, 2021, the information of more than 530 million Facebook users was published to a well-known hacking forum. According to Facebook, the data was not taken from its servers but scraped from profiles through a flaw in its contact-importer feature, which let anyone match a list of phone numbers to accounts; that flaw was fixed in 2019. The data is therefore somewhat dated, but it still poses a real risk to anyone who had a Facebook account before the fix, because names, phone numbers, and dates of birth rarely change. Within the forum post, the people behind the leak freely shared the phone numbers, email addresses, dates of birth, and even locations of affected accounts. Passwords were not part of the data set.
While there are many ways in which cybercriminals could use this data, scammers are already believed to be using it in online impersonation and phishing scams. In addition, a Telegram bot built on the same data lets anyone look up the phone number behind a given Facebook ID, or the Facebook ID behind a given phone number, for around $20 per query. The bot does not hand over access to the account itself, since no passwords leaked; its value to an attacker is the confirmed link between a real person and a phone number, which is exactly what targeted phishing and SIM-swap attacks need. That said, while the risk is real, Facebook has yet to contact the individuals who were exposed.
But this isn’t the first time Facebook has faced backlash regarding its policies that require individuals to enter their phone number when creating an account. In 2012, Facebook began requiring individuals to confirm their phone numbers for account recovery. Additionally, in 2019, Facebook added the ability to use phone numbers as a means to look up user profiles. In both cases, the social networking site didn’t allow users to opt out.
Was My Facebook Hacked?
Because Facebook has done little to notify its userbase of the breach, most people may not realize their data has been compromised until days, weeks, or even months after the event. That said, a simple way to check whether your email address or phone number appears in this or any other known breach is to visit haveibeenpwned.com. Enter your email address, or your phone number in international format (country code first, such as +1 for the US), and the site checks it against its catalog of known breaches and tells you which ones it appears in. A negative result only means the number or address is not in a catalogued breach, not that it has never been exposed.
How to Protect a Facebook Account
If you suspect that you’re a victim of the most recent Facebook breach, it’s important to act quickly and secure the information you can by following the steps below.
Remain Vigilant About Phishing Scams
Phishing attacks are confidence scams, typically sent via email, where attackers pose as a reputable person or organization in hopes of stealing credentials or gaining access to a network. The leaked data makes these messages more convincing, because the attacker can address you by name and reference your phone number or birthday. To train individuals on the tell-tale signs of these attacks, phishing simulation platforms send harmless test emails posing as an online meeting invitation or a document-sharing link. By seeing which individuals click on these test emails, an organization’s leaders can pinpoint vulnerable employees and provide further training before a real attack succeeds. To learn how phishing testing can be deployed across your business’s network, contact Rocket IT using the form at the bottom of this page.
Use a Passphrase
Instead of simply using your pet’s name, which an attacker can often find on your own Facebook profile, try a passphrase of at least 16 characters containing a mix of letters, numbers, and symbols. To generate a passphrase that is both complex and easy to recall, consider making it reflective of a current goal. For example, “LoseTenPoundsBy2022!” has all the characteristics of a strong password. Treat it as a pattern rather than a password to copy: anything printed in an article is already in attackers’ wordlists, and a goal you have announced publicly is easier to guess than one only you know. To learn more about the benefits of using passphrases, click here.
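The following is an added example, not code from the original article or from Rocket IT. It shows where a password’s strength actually comes from: the number of equally likely choices the attacker has to try, measured in bits of entropy. The word list is a constructed, deliberately tiny one so the script runs on its own; a real generator would use a published list such as the EFF long word list (7,776 words), and the entropy function shows why a handful of random words or 16 random characters beats a pet name by a wide margin.

```python
import math
import secrets
import string

# Constructed, deliberately tiny word list so the example is self-contained.
# A real generator uses a published list such as the EFF long list (7,776 words).
WORDS = [
    "anchor", "bridge", "cactus", "dolphin", "ember", "falcon", "garden", "harbor",
    "island", "jigsaw", "kettle", "lantern", "meadow", "nectar", "orbit", "pepper",
    "quartz", "ripple", "saddle", "timber", "umbrella", "velvet", "walnut", "yonder",
    "zephyr", "beacon", "copper", "drizzle", "fossil", "glacier", "hammock", "ivory",
]  # 32 words, so each word contributes exactly 5 bits

PRINTABLE = string.ascii_letters + string.digits + string.punctuation  # 94 characters


def entropy_bits(choices: int, length: int) -> float:
    """Bits of entropy in a secret made of `length` independent, uniformly random picks from `choices`."""
    return length * math.log2(choices)


def random_passphrase(words: int = 5, wordlist=WORDS, sep: str = "-") -> str:
    """Diceware-style passphrase drawn with the CSPRNG in `secrets`, never with random.choice."""
    return sep.join(secrets.choice(wordlist) for _ in range(words))


def random_password(length: int = 16, alphabet: str = PRINTABLE) -> str:
    """A 16-character mixed password of the kind the article describes, every character random."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def compare_strength() -> dict:
    """Entropy of typical choices. A pet name is roughly one pick from a list of ~10,000 names."""
    return {
        "pet_name": entropy_bits(10_000, 1),
        "sixteen_random_chars": entropy_bits(len(PRINTABLE), 16),
        "six_eff_words": entropy_bits(7776, 6),
        "five_words_from_this_list": entropy_bits(len(WORDS), 5),
    }


if __name__ == "__main__":
    print("passphrase:", random_passphrase())
    print("password:  ", random_password())
    for name, bits in compare_strength().items():
        print(f"{name}: {bits:.1f} bits")
```

Five words from this 32-word list give only 25 bits, which is why real word lists are thousands of entries long; six words from the EFF list give about 77 bits, and 16 uniformly random printable characters about 105 bits, both far beyond what password cracking can brute-force.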
Use a Password Manager
Should a data breach leave your password exposed, it’s important to ensure that any damage is contained within that one account. Once an attacker has your email address and a password, he or she will try that same combination against other online services you may use, an automated attack known as credential stuffing. Therefore, it’s crucial that you use a unique password for each account you create.
While you may doubt your ability to keep track of all these passwords, password managers make the process quite easy. By using one of these services, you can store all of your passwords in one encrypted vault and only need to remember a single strong master password; the manager also generates random, unique passwords for new accounts so you never have to invent them. While there are a variety of these services available, Rocket IT has put together a guide to walk you through the selection and installation process.
Set up Facebook’s Multifactor Authentication
Whereas most application logins ask only for a password, multifactor authentication (MFA) requires you to provide a second, independent proof of identity to log in. Most commonly, this second factor is tied to your smartphone and takes the form of a push notification to approve, a one-time code, or a biometric check that unlocks an authenticator.
Authenticator apps such as Authy or Microsoft Authenticator generate the one-time codes directly on the device from a secret shared with the site at setup, so no code ever travels over the phone network. That avoids the weaknesses of SMS-based MFA: text messages can be intercepted or redirected by SIM-swapping, in which an attacker convinces your carrier to move your number to their phone, and that attack becomes easier to target once the attacker knows which phone number belongs to which person, which is exactly what this leak provides. Follow the steps below to turn on MFA for Facebook.
First, open the Facebook app on your phone. Go into Settings & Privacy and tap Security and Login.
Under Two-Factor Authentication, tap “Use two-factor authentication.” Facebook will then ask whether you’d like to protect your account with an authentication app, a text message (SMS), or a security key. A hardware security key is the most phishing-resistant option; if you don’t have one, Rocket IT recommends an authentication app over SMS for the reasons above. If you choose an app, Facebook offers to set it up on the same device or to show a QR code and secret key that you scan or type into the app on another device. Finally, save the recovery codes Facebook provides in your password manager, since they are the way back into your account if you lose the phone.
Turn on Facebook login alerts
For Facebook specifically, it is recommended to turn on login alerts, update the “How People Find and Contact You” controls, and complete regular privacy checkups to see where your account is vulnerable.
To turn on login alerts, go into Facebook’s Security and Login settings. Tap “Get alerts about unrecognized logins” and choose whether you would like to receive alerts through Facebook notifications, Messenger, or email. Every time a device or browser Facebook doesn’t recognize logs into your account, you will receive an alert and can confirm it was you or report that it wasn’t, which logs that device out and prompts you to change your password.
Change Facebook’s Find and Contact Setting
Although searching by phone number or email address is a quicker way to find people you know on Facebook, it is also the kind of lookup that was abused to build this data set: anyone who can feed in a list of phone numbers and get profiles back can scrape at scale. Luckily, Facebook gives you some control over who can find your profile this way.
Go into Facebook’s Privacy settings. In the “How People Find and Contact You” section, update your
Set Up Facebook Privacy Check Reminders
To set up a Facebook privacy check reminder, click the menu Icon and head to Facebook’s Privacy Shortcuts. Next, select “Review a few important privacy settings” and click the three dots in the top right to access the “Set Up Reminders” feature. Finally, choose how often you’d like to get reminded to do a Privacy Checkup.
Enable App Tracking Transparency on iPhones
Since many of us access Facebook via our smartphone, we are unaware of how exactly Facebook is tracking our information or if it’s even stored safely. Simply browsing the app allows Facebook to track your individual behavior.
In an effort to shine more light on how companies are targeting you with advertising, Apple has created an “App Tracking Transparency” feature to give you more control over who has access to your browsing data and habits. Once enabled, companies must get your explicit permission through a pop-up notification before they can track you across websites and apps owned by other companies.
Controlling which apps may track you limits what Facebook and the ad networks it works with can collect about your activity outside the app. It does not change what is stored on your profile or who can look it up, so it complements the profile and privacy settings above rather than replacing them.
Check Where You’re Logged Into Facebook
Facebook keeps a list of the devices and browsers currently logged into your account, along with their approximate locations, as a quick way to check whether your account has been compromised. You can force every session to sign out, and if you see activity you don’t recognize you should change your password first and then log everything out, so that whoever holds the old password or a stolen session cannot simply sign back in.
To see where you’re logged in, tap the Facebook menu icon, select Settings, and tap Security and Login. In the list that appears, you can sign out of an individual unauthorized session by tapping the three dots next to it and selecting “Log Out,” or sign out everywhere by tapping “Log Out Of All Sessions” at the bottom of the list. If there is any concern that your account has been compromised, tap “Secure Account,” which walks you through changing your password and reviewing recent activity.
How Does Facebook’s Breach Impact Me?
Anytime your personal information is available for use without your consent, your risk of being targeted increases. With your Facebook-associated phone number and email address, attackers can send you convincing malicious links, trick you into transferring money, attempt to take over your other accounts through password resets or SIM-swapping, and even steal your identity.
These threats are just as important to businesses; a simple phishing attack can lead to millions of dollars in lost revenue and a tarnished reputation. Rocket IT offers a phishing prevention system to train you and your employees how to effectively prevent and respond to phishing attempts. If interested, please call