The latest Facebook breach reinforces lessons that information security professionals have learned in the trenches. The most prudent assumption is that breaches are already in progress, and our processes should be updated to deal with that certainty.
Two major reasons why we will continue to see large-scale breaches of this type are software complexity and centralization.
If you don’t care about the reasons why, skip to the bottom to learn how to check your Facebook account and protect yourself.
Firstly, software complexity increases exponentially as companies race to out-feature competitors. While the bugs associated with this latest breach relate to access tokens, the particulars are nearly irrelevant.
Focusing on the specifics of the hack isn’t helpful when taking a macro view of the root cause: the process of software development introduces bugs as a by-product. This means a limited number of defenders are in a constant cat-and-mouse game with hundreds, maybe thousands, of hackers who may be attempting to gain access to a major service such as Facebook.
While attacker sophistication and the value of your data increase over time, persistence (the ability to maintain a foothold in the target company while remaining undetected) becomes the name of the game.
The specific Facebook vulnerability which led to this breach was introduced in July 2017, thus allowing the attackers a 14-month window of time within which to have full access to the data in any account — and data in accounts on other services which benefited from a Facebook login.
Secondly, centralization of identity services simplifies things for both developers (no need to write risky authentication code when you can transfer the risk to another service like Facebook!) and users (no need to remember/store logins for various sites).
However, this encourages bad security habits and creates single points of failure, as we have seen with this breach. Facebook and other centralized services are quite attractive to threat actors and will always be high-value targets.
Unfortunately, businesses are almost never fully forthcoming with regard to notifying users of the details of a breach. While the recent EU GDPR laws have improved the speed of notification, this now results in the world learning about a breach from an organization which is often under immense public pressure and scrutiny — without the benefit of a completed investigation.
Detailing each unauthorized access to any given account would be incredibly difficult or impossible for most companies, and even where that information is available, you will almost certainly never receive it without expensive litigation.
OK — What should I do?
Here is a suggested list of actions to make sure your Facebook account is safe and help limit the impact any single future cyberattack can have on your life.
1. Go to ‘apps and websites’, then ‘logged in using Facebook’. Remove everything. Change passwords for all external accounts.
2. Go to ‘security and login’, look under the tab labeled “where you’re logged in”. Remove all devices.
3. Sign back in from your trusted devices and take mental note of what they “look like” in the new device description (See #2).
4. Delete any sensitive messages/data, and review your friends list for anyone you don’t recognize.
5. Consider downloading your data and/or deleting your account :-)
In Other Places:
1. Ensure you are using two-factor authentication (“2FA”) on every service you use which allows it. It is highly preferable not to use SMS-based authentication. Instead, try the “Authy” app. If a service does not allow you to configure anything other than SMS, consider calling your phone company and adding a PIN to your account to prevent your number from being ported out or any other changes being made to your account, including SIM card swaps.
2. Use different passwords on different websites. If you’re hacked on one site, don’t let it affect the others.
3. Use a password manager to stay safe. Using a cloud service such as LastPass can make your life easier. Make sure you use 2FA to secure your account and use strong security settings.
4. Services which you signed up for through Facebook may allow you to “convert” your existing account to a non-Facebook login, such as your email address. Check your account settings within each service to be sure.
5. Make it a habit to fully investigate the security settings of each device and service you use, especially the first time you set it up.
6. Sign up for a personal breach notification service such as HaveIBeenPwned.com for all of your email addresses. Send notifications to your safest email address.
7. Consider purging sensitive messages/data regularly to limit your exposure.
Following these tips will reduce your personal social “attack surface”, but organizations will continue to experience public, large-scale breaches, and it’s impossible to tell who will be next.
May the odds be ever in your favor!