Facebook has acknowledged a security breach affecting 50 million users but says it has yet to determine whether the affected accounts were misused or any information in them was accessed. Subsequently, the company admitted that the attackers would also have had access to any other service into which those users had signed in with their Facebook account, because the stolen access tokens stand in for a password anywhere Facebook Login is accepted. This is precisely why we always recommend against using your Facebook, Google, or Twitter account to register with another Internet service: give every service its own username and password if possible.
In response to the breach, Facebook has reset the access tokens that let the app keep users logged in without re-entering their password on every use, and it has disabled the View As feature whose flaw the attackers exploited. The owners of the 50 million affected accounts will have to log in to Facebook again, and as a precaution Facebook also reset the tokens on another 40 million accounts, so roughly 90 million people in all will be asked to log back in.
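To make concrete what a token reset does and does not accomplish, here is an added example that is neither Facebook's code nor from this article's author: a hypothetical identity provider that issues opaque bearer tokens and invalidates them per user by recording a cutoff time, plus a hypothetical third-party site that accepts the provider's tokens for "log in with" sign-in. The user names, the logical clock, and every class and function name are assumptions made for the illustration.

```python
"""Added example (hypothetical, not Facebook's implementation): bulk token
invalidation at an identity provider, and its effect on a third-party site."""

from __future__ import annotations

import secrets
from collections.abc import Iterable
from dataclasses import dataclass


@dataclass
class TokenRecord:
    user_id: str
    issued_at: int  # logical clock value at issuance (assumed, not wall time)


class IdentityProvider:
    """Issues opaque bearer tokens. A token is accepted only if it was issued
    at or after the user's current invalidation cutoff."""

    def __init__(self) -> None:
        self._tokens: dict[str, TokenRecord] = {}
        self._valid_from: dict[str, int] = {}  # user_id -> cutoff clock value

    def issue_token(self, user_id: str, now: int) -> str:
        token = secrets.token_urlsafe(32)  # 256 random bits: unguessable
        self._tokens[token] = TokenRecord(user_id, now)
        self._valid_from.setdefault(user_id, 0)
        return token

    def resolve(self, token: str) -> str | None:
        """Return the user a token belongs to, or None if unknown or revoked."""
        rec = self._tokens.get(token)
        if rec is None:
            return None
        if rec.issued_at < self._valid_from.get(rec.user_id, 0):
            return None  # issued before the reset: treated as revoked
        return rec.user_id

    def reset_tokens(self, user_ids: Iterable[str], now: int) -> None:
        """Invalidate every token issued to these users before `now`.
        One write per user, however many tokens each one holds."""
        for uid in user_ids:
            self._valid_from[uid] = now


class RelyingParty:
    """A third-party service offering 'Log in with <provider>'."""

    def __init__(self, idp: IdentityProvider) -> None:
        self._idp = idp
        self._sessions: dict[str, str] = {}  # session id -> user_id

    def login_with_provider(self, provider_token: str) -> str | None:
        user_id = self._idp.resolve(provider_token)
        if user_id is None:
            return None
        session_id = secrets.token_urlsafe(16)
        self._sessions[session_id] = user_id  # the provider is not consulted again
        return session_id

    def whoami(self, session_id: str) -> str | None:
        return self._sessions.get(session_id)


def demo() -> dict[str, bool]:
    """Constructed scenario: a leaked token, a replay elsewhere, then a reset."""
    idp = IdentityProvider()
    rp = RelyingParty(idp)

    victim_token = idp.issue_token("alice", now=1)      # t=1: normal login
    attacker_session = rp.login_with_provider(victim_token)  # t=2: replay
    idp.reset_tokens({"alice", "bob"}, now=3)           # t=3: affected + precaution
    fresh_token = idp.issue_token("alice", now=4)       # t=4: alice logs in again

    return {
        "stolen_token_worked_before_reset": attacker_session is not None,
        "stolen_token_works_after_reset": idp.resolve(victim_token) is not None,
        "fresh_token_works": idp.resolve(fresh_token) == "alice",
        # The provider's reset does not reach sessions the attacker already
        # opened at the third-party site before the reset.
        "attacker_rp_session_survives_reset": (
            attacker_session is not None and rp.whoami(attacker_session) == "alice"
        ),
    }
```

Two things the code makes visible. Revoking by cutoff is cheap, which is why a provider can reset tokens for tens of millions of users as a precaution: it is one value per user, not a sweep over every token. And the reset only controls what the provider itself will accept; a session the attacker already established at a third-party site by presenting the stolen token stays valid there until that site ends it, which is the practical reason the article's advice to avoid signing in to other services with a social-network account matters.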
A few additional thoughts:
- 50 million affected users is a lot in raw numbers, but it's only a little over 2% of Facebook's 2.2 billion monthly active users.
- Because of Facebook's precautionary reset, being forced to log in again tells you nothing about whether your account was among the 50 million actually affected. Facebook says a password change is unnecessary, since the attackers stole access tokens rather than passwords and those tokens have now been revoked; we nonetheless recommend changing your Facebook password if you do have to log in again. (And for goodness' sake, if you don't have a strong, unique password for Facebook, set one immediately!)
- We'll be interested to see whether Facebook ends up raising the number of affected accounts, potentially by a lot. Not that 50 million is a good number, but it's a whole lot better than 2.2 billion.
- Although we worry far more about what Facebook itself does with all the data it hoovers up, situations like this bring into stark relief that you should be extremely careful about what you choose to share on Facebook, given that the company cannot guarantee the security of your data.