Facebook and Instagram breach: what happened, and what to do about it


It’s unclear how many were impacted by the recent Instagram breach, but the recent Facebook breach could have impacted up to 50 million users.

How was Instagram breached?

A flaw in the Instagram tool that lets users download their data accidentally exposed passwords in plain text. The irony is that this tool was created in order to comply with the UK’s Data Protection Bill. Instagram did not say how many accounts were affected, but indicated that the number was small. Instagram has since patched the bug and notified the impacted users.

How were the Facebook accounts breached?

Similar to Instagram, the breach ironically stemmed from a feature meant to improve user security. The “View As” feature, which was created to help users check how their privacy and sharing settings look to others, inadvertently revealed the victims’ access tokens, allowing hackers to gain access to their accounts.

Authorization tokens are the ‘keys’ that let you log into your account on your smartphone without having to type in your password. Hackers could have taken full control of the victims’ accounts; they could sign in as any user they wanted, with full privileges. The hackers were able to access profile information such as names, contact information, gender, relationship status, and location check-ins.

According to Guy Rosen, Facebook’s vice president of product management, the hackers could have also accessed associated accounts that had been using a Facebook login. This means that apps offering a ‘login with Facebook’ option could have also been breached–think Spotify, Netflix, Hulu, Twitter, Pinterest–any account that lets you log in with Facebook.


Sites like Spotify and Netflix try to link to your Facebook account, supposedly to make it easier to share with friends and tailor to your interests. Really, they want your valuable personal data.


Pinterest even puts the regular ‘log in’ button far out of the way, further incentivizing you to log in with Facebook or Google.

Rosen said, “Now that we have reset all of those access tokens as part of protecting the security of people’s accounts, developers who used Facebook login will be able to detect that those access tokens have been reset, identify those users, and as a user, you will simply have to log in again into those third-party apps.” This statement alone (by Facebook, no less) underlines the risk in having your online accounts linked to Facebook.
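The two points made above, that an access token is a key that works without a password and that developers using Facebook login can detect a mass reset and make users log in again, are easiest to see in code. The following is an added example written for this page; it is not Facebook's code, and the class names, the opaque-token design and the sample user "alice" are assumptions. It models the identity provider's token store and a third-party app that relies on it, then performs a mass reset and shows the app noticing on the next request.

```python
"""Added example (not Facebook's code): a simplified opaque access-token
model showing why a token is a full credential and how a relying app
notices a mass token reset and forces re-login. All names are assumptions."""
import hashlib
import secrets
from typing import Dict, Optional, Set


class TokenStore:
    """Identity-provider side: issues bearer tokens and records them.

    Only a SHA-256 fingerprint of each token is kept, so a dump of this
    store does not yield usable tokens (the same reasoning as hashing
    passwords). Validation is a lookup of the presented token's fingerprint.
    """

    def __init__(self) -> None:
        self._user_by_fp: Dict[str, str] = {}        # fingerprint -> user id
        self._fps_by_user: Dict[str, Set[str]] = {}  # user id -> fingerprints

    @staticmethod
    def _fingerprint(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, user_id: str) -> str:
        """Hand out a fresh random token; no password is needed to use it later."""
        token = secrets.token_urlsafe(32)
        fp = self._fingerprint(token)
        self._user_by_fp[fp] = user_id
        self._fps_by_user.setdefault(user_id, set()).add(fp)
        return token

    def introspect(self, token: str) -> Optional[str]:
        """Return the user the token authorizes, or None if unknown or reset."""
        return self._user_by_fp.get(self._fingerprint(token))

    def reset_all(self) -> int:
        """Mass reset as in the post: every outstanding token stops working."""
        count = len(self._user_by_fp)
        self._user_by_fp.clear()
        self._fps_by_user.clear()
        return count


class RelyingApp:
    """Third-party app using a 'Login with Facebook'-style delegated login.

    It never sees a password; it keeps the token it was handed and
    re-validates it with the provider on each request, so a reset upstream
    is detected on the very next call.
    """

    def __init__(self, provider: TokenStore) -> None:
        self.provider = provider
        self.sessions: Dict[str, str] = {}  # app session id -> provider token

    def login_with_provider(self, token: str) -> Optional[str]:
        if self.provider.introspect(token) is None:
            return None
        session_id = secrets.token_urlsafe(16)
        self.sessions[session_id] = token
        return session_id

    def handle_request(self, session_id: str) -> str:
        token = self.sessions.get(session_id)
        if token is None:
            return "login_required"
        user = self.provider.introspect(token)
        if user is None:
            # The provider reset or revoked the token: drop our session and
            # send the user back through login, as Rosen describes.
            del self.sessions[session_id]
            return "login_required"
        return f"ok:{user}"


def demo() -> dict:
    """Walk through issue -> use -> mass reset -> forced re-login."""
    provider = TokenStore()
    app = RelyingApp(provider)
    token = provider.issue("alice")  # constructed sample user
    session_id = app.login_with_provider(token)
    before = app.handle_request(session_id)
    # The token alone authorizes requests; no password is involved, which is
    # exactly why a leaked token is as sensitive as the password itself.
    token_alone_suffices = provider.introspect(token) == "alice"
    reset_count = provider.reset_all()
    after = app.handle_request(session_id)
    return {
        "before": before,                          # "ok:alice"
        "token_alone_suffices": token_alone_suffices,
        "reset_count": reset_count,                # 1
        "after": after,                            # "login_required"
        "old_token_rejected": provider.introspect(token) is None,
        "session_dropped": session_id not in app.sessions,
    }


if __name__ == "__main__":
    print(demo())
```

The design choice that matters for defenders is that the relying app validates the token on every request rather than trusting its own session indefinitely; an app that only checked the token once at login would keep serving a session long after the provider had reset the token, and a leaked token would stay useful for as long as that local session lived.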

Further, Facebook has also alerted law enforcement, indicating that the attack was malicious and executed by a third-party. Rosen noted that the scale and complexity of the hack would have required “a certain level” of expertise, and that the FBI was involved in the investigation. Dr. Lukasz Olejnik, an independent cybersecurity and privacy researcher, said, “Anyone involved in this hack knew what he was doing.”

What data was exposed in the Facebook breach?

While no credit card information was exposed, it is not clear to what extent the hackers preyed on the breached accounts. It is possible that they could have viewed private messages and posted on users’ pages, or even accessed accounts linked to Facebook.

That doesn’t mean that the breach was harmless. The personal information that you share on Facebook—vacation destinations, which friends you talk to most, and what books you read–might seem trivial, but is actually very valuable to cybercriminals.

Justin Brookman, the director of consumer privacy and technology policy for Consumers Union, says, “Accessing your private communications and posts by itself is pretty invasive, but that information could also be used to crack account security questions or to scam you and your friends.” This data can’t be directly exploited the way your credit card information can, but it’s the first step to a hacker gaining access to your bank account.

What is Facebook doing?

On September 28th, Facebook forced 90 million users to log back into their accounts to reset any affected authentication tokens. They disabled the ‘View As’ feature and resolved the three bugs that led to the breach.

Mark Zuckerberg, Founder, Chairman, and CEO of Facebook had his account breached in the attack, and posted this on his own Facebook page: “We do not yet know whether these accounts were misused but we are continuing to look into this and will update when we learn more.”

After the recent scandals that Facebook has faced with Cambridge Analytica and Russian election meddling, it’s frightening to think about why cybercriminals might want access to our Facebook profiles. It’s one thing to read about election meddling in the news–it’s another to know that your Facebook profile–and other social media profiles–were hacked.


Many users reported Facebook blocking them from sharing articles about the data breach. It seems as though this was especially true for those trying to share The Guardian’s report of the breach. Supposedly, Facebook’s ‘spam sensor’ flagged the posts because so many people shared the same story. Suspicious? Yes. Intentional? Probably.

How did people react to the Facebook breach?

  • In Europe, privacy regulators are considering a fine of up to $1.63 billion under GDPR. The Irish Data Protection Commission has demanded more information from Facebook about the scale and nature of the breach. This could be the first real test for GDPR, and how far it will go to punish a giant like Facebook.
  • In the US, two Facebook users began a class-action suit against Facebook just hours after the Facebook breach was announced.
  • The Vice Chairman of the Senate Intelligence Committee, Senator Mark Warner, has called for a “full investigation” into the breach. He stated, “Today’s disclosure is a reminder about the dangers posed when a small number of companies like Facebook or the credit bureau Equifax are able to accumulate so much personal data about individual Americans without adequate security measures…This is another sobering indicator that Congress needs to step up and take action to protect the privacy and security of social media users.”

What can I do to stay safe on Facebook and Instagram?

1. Logout and re-login to your accounts. Facebook has said that changing your password is not necessary, but if you’re not using a strong and unique password like the ones generated by Blur, you’re not safe.

2. Don’t re-use passwords. With a password manager like Blur, you can avoid using the same password for multiple accounts.

3. Don’t log in to other accounts or services using Facebook. Linking accounts to Facebook leaves you at risk during breaches like this, even if it is convenient.

Apps let you log in using Facebook so they can pull data from your Facebook page. You can view and edit the apps connected to your Facebook account in the Apps and Websites section of your Facebook privacy settings.

4. Review privacy and security settings on other sites. Do you use the same security questions for every account? Change them. Make up false answers or just use a random string of characters. You can keep track of them with Blur’s password manager.

5. Use DeleteMe. DeleteMe is more effective than credit freezes and credit monitoring because it removes your personal information that’s already online, stopping hackers from obtaining any new information about you.

We have a complete list of Facebook privacy tips here.

About Abine

Abine, Inc. is The Online Privacy Company. Founded in 2009 by MIT engineers and financial experts, Abine’s mission is to provide easy-to-use online privacy tools and services to everybody who wants them. Abine’s tools are built for consumers to help them control the personal information companies, third parties, and other people see about them online.

DeleteMe by Abine is a hands-free subscription service that removes personal information from public online databases, data brokers, and people search websites.

Blur by Abine is the only password manager and digital wallet that also blocks trackers, and helps users remain private online by providing ‘Masked’ information whenever companies are asking for personal information.

One Reply to “Facebook and Instagram breach: what happened, and what to do about it”

  1. ReasonablyAwareUser says:

    Great implementation in 2018 when the server stores the password in plain text rather than salting and hashing. It looks like Facebook and Instagram also have all the best people.
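The commenter’s point, and the root of the Instagram exposure described in the post, is what storing a password as a salted hash prevents. The following is an added example written for this page; it is not Instagram’s code or the commenter’s, and the iteration count, record layout and field names are assumptions. It places the weak design (a user record carrying the password, serialised by a data-download tool) beside the hardened one (a salted PBKDF2 hash plus an export that allow-lists fields), and checks what each export leaks.

```python
"""Added example (not Instagram's code): storing a password as a salted
hash rather than plaintext, and an account-data export that cannot leak
credential material. Parameters and record layout are assumptions."""
import hashlib
import hmac
import json
import secrets

# Work factor is an illustrative assumption; pbkdf2_hmac is the stdlib choice.
ITERATIONS = 100_000
ALGO = "pbkdf2_sha256"


def hash_password(password: str) -> str:
    """Return 'algo$iterations$salt$digest' with a fresh random salt each time."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"{ALGO}${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    try:
        algo, iters, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False
    if algo != ALGO:
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


# Weak design: the user record carries the password itself, so any feature
# that serialises the record (a data-download tool, a debug log) hands the
# credential out in plain text.
def export_plaintext_record(record: dict) -> str:
    return json.dumps(record, sort_keys=True)


# Hardened design: the record holds only the hash, and the export is an
# allow-list of fields so that even the hash never leaves the server.
EXPORTABLE_FIELDS = {"username", "email", "posts"}


def export_account_data(record: dict) -> str:
    return json.dumps(
        {k: v for k, v in record.items() if k in EXPORTABLE_FIELDS}, sort_keys=True
    )


def demo() -> dict:
    """Compare what the two export paths reveal for a constructed sample record."""
    password = "correct horse battery staple"  # constructed sample
    weak = {"username": "sample_user", "email": "u@example.com",
            "password": password, "posts": ["hello"]}
    hardened = dict(weak, password_hash=hash_password(password))
    del hardened["password"]
    hardened_export = export_account_data(hardened)
    return {
        "weak_export_leaks": password in export_plaintext_record(weak),       # True
        "hardened_export_leaks": (password in hardened_export
                                  or "password_hash" in hardened_export),    # False
        "verify_ok": verify_password(password, hardened["password_hash"]),
        "verify_wrong": verify_password("wrong", hardened["password_hash"]),
        "salts_differ": hash_password(password) != hash_password(password),
    }


if __name__ == "__main__":
    print(demo())
```

Two details carry the weight here: a random per-user salt means two users with the same password get different stored values, and the allow-list export means a new field added to the record later is withheld by default rather than shipped to whoever downloads their data.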
