CERT-In Advisory
CIAD-2018-0027
Facebook Security Breach
Original Issue Date: October 03, 2018
Severity Rating: High
Description
On 28 September 2018, Facebook Inc published a security update regarding a data breach that affected almost 50 million user accounts.
The attackers exploited a vulnerability in Facebook's "View As" feature, which lets users see what their own profile looks like to someone else, to gain unauthorized access to user accounts. The attackers used Facebook's APIs to access personal details of the affected user accounts.
This vulnerability allowed attackers to steal the user's access tokens, which they could then use to gain access to the Facebook account and other third-party websites that the user had logged into using his/her Facebook credentials.
The attackers could leverage the vulnerability to access the personal information stored in users' Facebook accounts; using such information, scams and phishing attempts could be made to look more credible.
Facebook has also reset the access tokens of the 50 million user accounts that were affected and another 40 million accounts that have been subject to a "View As" look-up in the last year. After they have logged back in, people will get a notification at the top of their News Feed explaining what happened.
Security Best Practices
- It is good practice for users to change their passwords frequently.
- Users are encouraged to enable two-factor authentication and login notifications for better account security.
- Users may consider using a strong password and a trusted password manager.
- Facebook has identified which users were impacted and forced a logout of those users. If you have been logged out of your Facebook account, please log back in as instructed.
- Users should be vigilant against phishing attempts such as unsolicited or suspicious calls and emails. Scammers could even falsely claim to have sensitive data from the hack, demanding a ransom in exchange for not releasing it.
- Users can visit the "Security and Login" tab within the site's settings menu, where they can see a list of any services where they're signed in with Facebook login and can sign out of any they no longer want to use through Facebook.
- Users can also see on which devices they are logged into Facebook, disconnecting any they don't recognize or don't want logged in. They can also check their recent posts and Facebook messages for any signs that their accounts might have been used in spamming or phishing attacks.
References
https://newsroom.fb.com/news/2018/09/security-update/
https://nakedsecurity.sophos.com/2018/09/28/big-facebook-breach-50-million-accounts-affected/
CERT-In Advisory on "Safeguarding Personally Identifiable Information on Social Networking Sites (CIAD-2018-0012)"
Disclaimer
The information provided herein is on "as is" basis, without warranty of any kind.
Contact Information
Email: info@cert-in.org.in
Phone: +91-11-24368572
Postal address
Indian Computer Emergency Response Team (CERT-In)
Ministry of Electronics and Information Technology
Government of India
Electronics Niketan
6, CGO Complex, Lodhi Road
New Delhi - 110 003
India