Facebook claims investigators have determined that hackers did not access other sites that use the social networking site’s single sign-on in a massive cyber attack that the company disclosed last week.
There had been fears that Facebook’s biggest ever hack, which affected 50 million users, also left people’s Tinder, Spotify and Instagram accounts exposed, among others.
This could mean many other major companies who use Facebook’s login service will have to reveal if they have been exposed to malicious activity.
However, today the firm said it has found no evidence of this.
Facebook logins are being sold on the dark web for just $3.91 (£3) each, a shocking report has revealed. Email logins sell for as little as $2.74 (£2.10) each, according to experts who analysed the value of 26 commonly used accounts
HOW DO YOU PROTECT YOURSELF?
The best way to protect yourself is to set up two-step authentication.
Two-factor authentication adds an extra layer of security to apps and websites by asking for both a password and a unique code when logging in.
Once verified, if anyone tries to log into their account they will be sent an autentication code via text message.
Even if a hacker has obtained the user’s email address and password, they won’t be able to access the account without this extra code.
While the extra layer of security isn’t completely hacker proof, it’s far more robust.
Also if users have different passwords for each account it means hackers will not be able to access all accounts in one go.
‘We analyzed third-party access during the time of the attack we have identified,’ said Guy Rosen, a Facebook vice president overseeing security, in a statement sent to Reuters.
‘That investigation has found no evidence that the attackers accessed any apps using Facebook Login.’
Facebook shares closed down 1.9 percent at $159.33 on Tuesday, in a third straight session of declines.
Sites that use Facebook Login told Reuters that they had not identified any signs that their users had been breached.
UK-based travel site SkyScanner and IKEA Group’s TaskRabbit site, which provides home repairs and furniture assembly, said they were investigating the potential impact on customers.
Ride-hailing giant Uber said it has closed active sessions using Facebook login credentials as it investigated the matter.
Last week Facebook discovered a massive security breach affecting 50 million user accounts – including those of Facebook boss Mark Zuckerberg and COO Sheryl Sandberg.
The social media giant said attackers exploited the site’s ‘View As’ feature, which lets people see what their profiles look like to other users.
The unknown attackers took advantage of a feature in the code called ‘Access Tokens,’ to take over people’s accounts, potentially giving hackers access to private messages, photos and posts – although Facebook said there was no evidence that had been done.
The attack marks the latest in a string of recent setbacks for Facebook, which is still recovering from the fallout over the Cambridge Analytica scandal earlier this year, which saw some 87 million users’ data shared with the research firm without their knowledge.
Users that were logged out of the service between 27th and 28th September are likely to have been impacted by the breach.
Facebook said it doesn’t yet know if information from the affected accounts has been misused or accessed, and is working with the FBI to conduct further investigations.
However, Mark Zuckerberg assured users that passwords and credit card information was not accessed.
The biggest ever Facebook hack that affected 50 million users also left peoples’ Tinder, Spotify and Airbnb accounts exposed
As a result of the breach, the firm logged roughly 90 million people out of their accounts earlier today as a security measure.
Just yesterday a shocking report revealed Facebook logins were being sold on the dark web for just $3.90 (£3) each.
Email logins sell for as little as $2.70 (£2) each, according to experts who analysed the value of 26 commonly used accounts.
They found the majority of someone’s online life could be available for just $970, which includes all usernames, passwords and email addresses.
According to a blog post by Cheshire-based firm Money Guru, which carried out the research, these details are frequently stolen to sell to companies with want to do targeted advertising.
‘There are few better ways to gain insight into someone’s life than their social media accounts’, researchers wrote.
‘These details are frequently stolen to sell to companies with little scruples about targeted advertising.
‘It’s also a fast track to identity theft as they can take control of your accounts, lock you out and cause serious reputational damage in a short space of time’, they wrote.
WERE YOU AFFECTED BY THE FACEBOOK BREACH?
Facebook said it logged out around 90 million users as a result of the hack.
Affected users will be prompted to log back in Facebook when they try and access the site.
Users are sent a six-digit code via email or to a mobile device that authenticates their identity, which they’re then instructed to enter on Facebook’s site.
After they have logged back in, people will get a notification at the top of their News Feed explaining what happened.
Facebook also said it was temporarily turning off the ‘View As’ feature while it conducted a thorough security review.
As a result, some experts and officials have grown concerned about whether the firm can effectively manage and protect users’ data.
‘The implications of this are huge,’ Justin Fier, director of cyber intelligence at security company Darktrace, told Reuters.
The breach could also cause problems for Facebook with European privacy laws.
Facebook said it hasinformed the Irish Data Protection Commission about the breach, a step required by Europe’s GDPR regulations.
The commission said it received the notification, but expressed concern with its timing and lack of detail.
Virginia Sen. Mark Warner called the hack ‘deeply concerning’ and called for a full investigation.
‘…Today’s disclosure is a reminder about the dangers posed when a small number of companies like Facebook or the credit bureau Equifax are able to accumulate so much personal data about individual Americans without adequate security measures.
‘This is another sobering indicator that Congress needs to step up and take action to protect the privacy and security of social media users. As I’ve said before – the era of the Wild West in social media is over,’ he added.
READ THE FULL STATEMENT FROM MARK ZUCKERBERG ON THE DATA BREACH
I want to update you on an important security issue we’ve identified. We patched the issue last night and are taking precautionary measures for those who might have been affected. We’re still investigating, but I want to share what we’ve already found:
On Tuesday, we discovered that an attacker exploited a technical vulnerability to steal access tokens that would allow them to log into about 50 million people’s accounts on Facebook.
We do not yet know whether these accounts were misused but we are continuing to look into this and will update when we learn more.
We’ve already taken a number of steps to address this issue:
1. We patched the security vulnerability to prevent this attacker or any other from being able to steal additional access tokens. And we invalidated the access tokens for the accounts of the 50 million people who were affected – causing them to be logged out. These people will have to log back in to access their accounts again. We will also notify these people in a message on top of their News Feed about what happened when they log back in.
2. As a precautionary measure, even though we believe we’ve fixed the issue, we’re temporarily taking down the feature that had the security vulnerability until we can fully investigate it and make sure there are no other security issues with it. The feature is called ‘View As’ and it’s a privacy tool to let you see how your own profile would look to other people.
3. As an additional precautionary measure, we’re also logging out everyone who used the View As feature since the vulnerability was introduced. This will require another 40 million people or more to log back into their accounts. We do not currently have any evidence that suggests these accounts have been compromised, but we’re taking this step as a precautionary measure.
We face constant attacks from people who want to take over accounts or steal information around the world. While I’m glad we found this, fixed the vulnerability, and secured the accounts that may be at risk, the reality is we need to continue developing new tools to prevent this from happening in the first place. If you’ve forgotten your password or are having trouble logging in, you can access your account through the @Help Center.
There’s more detail in Guy’s post below, and we’ll update you as our investigation continues.
Not long after the breach was announced, some Twitter users also began reporting that Facebook was blocking them from sharing links to stories about the hack from the Associated Press and The Guardian.
When users attempted to share the links, they were served a message that read: ‘Our security systems have detected that a lot of people are posting the same content, which could mean that it’s spam. Please try a different post.’
The move caused some to speculate that it was a result of Facebook suppressing negative coverage of itself. However, Facebook later confirmed to the New York Times that it was a result of an error with the firm’s spam detection tools.
Friday’s announcement sent Facebook’s stock plunging by as much as 3.4 percent in afternoon trading, adding to an already rough year for Facebook shares, which have fallen 6.7 percent so far this year.
Friday’s news sent Facebook’s stock down as much as 3.4 percent in afternoon trading, adding to an already rough year for Facebook shares, which have fallen 6.7 percent so far this year
Zuckerberg penned a post on his personal Facebook page about the incident, saying the issue was ‘patched last night’ but that the firm is working with law enforcement, including the FBI, to investigate the origins of the attack.
‘On Tuesday, we discovered that an attacker exploited a technical vulnerability to steal access tokens that would allow them to log into about 50 million people’s accounts on Facebook,’ Zuckerberg wrote.
Access tokens don’t include a user’s password, but they do allow users to log into a Facebook account without needing it.
‘Our security systems have detected that a lot of people are posting the same content, which could mean that it’s spam,’ the notice said. ‘Please try a different post.’
Zuckerberg acknowledged in a statement to reporters that Facebook needs to take additional steps to prevent these kinds of issues from occurring in the future.
‘We’re taking it really seriously…We have a major security effort at the company that hardens all of our surfaces,’ Zuckerberg said in a call with reporters.
‘I’m glad we found this. But it definitely is an issue that this happened in the first place.’
Facebook doesn’t know whether the accounts were misused, and hasn’t yet found any evidence of them being misused.
FACEBOOK’S PRIVACY DISASTERS
Facebook made headlines earlier this year after the data of 87 million users was improperly accessed by Cambridge Analytica, a political consultancy.
The disclosure has prompted government inquiries into the company’s privacy practices across the world, and fueled a ‘#deleteFacebook’ movement among consumers.
Communications firm Cambridge Analytica had offices in London, New York, Washington, as well as Brazil and Malaysia.
The company boasts it can ‘find your voters and move them to action’ through data-driven campaigns and a team that includes data scientists and behavioural psychologists.
‘Within the United States alone, we have played a pivotal role in winning presidential races as well as congressional and state elections,’ with data on more than 230 million American voters, Cambridge Analytica claims on its website.
The company profited from a feature that meant apps could ask for permission to access your own data as well as the data of all your Facebook friends.
The data firm suspended its chief executive, Alexander Nix (pictured), after recordings emerged of him making a series of controversial claims, including boasts that Cambridge Analytica had a pivotal role in the election of Donald Trump
This meant the company was able to mine the information of 87 million Facebook users even though just 270,000 people gave them permission to do so.
This was designed to help them create software that can predict and influence voters’ choices at the ballot box.
The data firm suspended its chief executive, Alexander Nix, after recordings emerged of him making a series of controversial claims, including boasts that Cambridge Analytica had a pivotal role in the election of Donald Trump.
This information is said to have been used to help the Brexit campaign in the UK.
It has also suffered several previous issues.
2013, Facebook disclosed a software flaw that exposed 6 million users’ phone numbers and email addresses to unauthorized viewers for a year, while a technical glitch in 2008 revealed confidential birth-dates on 80 million Facebook users’ profiles.