If you’re one of the victims of the recently revealed hack of Facebook, you should be extra careful on the internet — and extra watchful of your other online and offline accounts.
The data hackers gleaned from the social network could be used for identity theft, and to access accounts ranging from those at banks and other financial institutions to online stores. It also could be used in so-called spear phishing attacks, in which hackers use the information they know about particular users to send them personalized messages that convince them to leak their passwords or other critical data.
“Given the scale of this — which was really surprising — and how much information was scraped … people can be legitimately concerned,” said Justin Brookman, director of privacy and technology policy at Consumers Union, the publisher of Consumer Reports.
Some 30 million accounts were compromised in the attack, which Facebook first announced two weeks ago. The hackers were able to gain access to names and phone numbers of nearly all of those users, as well as personal details such as birth dates, relationship status, gender, and education and work histories for 14 million of them.
The exposure of those kinds of personal details can be particularly dangerous to people who are trying to keep a low profile, such as those who have been the victims of domestic abuse or protesters worried about reprisals from their governments. It can also create problems for people who were trying to keep certain parts of their lives private from the wider world, such as their sexual orientation or their religious affiliations.
The data from Facebook could be used to access bank accounts
But it can be risky to everyday users as well. That’s because in the hands of malicious actors, this data can be used to hijack accounts on other services besides Facebook.
The password reset feature on many sites asks users to answer certain security questions. Those questions often ask for just the kind of personal details that were revealed in the Facebook hack, Brookman said.
But it’s not just online accounts that are at risk. Information such as names and birth dates can also be used to gain access to banking accounts or medical records over the phone, said John Simpson, director of privacy and technology at Consumer Watchdog, a consumer advocacy group. That kind of information “can be tremendously empowering” to hackers, he said.
“They can take that information and definitely parlay it into information that can scam the individual,” he said. “Potentially, there’s some real damage that can be done to people.”
Even the leak of just a phone number can pose a risk. To protect their accounts on various websites, many users have been turning on two-factor authentication, a security technique that often requires users to enter a special code in addition to their passwords when logging into their accounts. Many sites send that code via the SMS text messaging system to users’ cell phones.
Security researchers have known for years, though, that the SMS system is vulnerable to hacking attacks. By knowing a user’s phone number, a malicious actor could potentially intercept the two-factor authentication code and use it to gain control of the user’s account.
It could also be used in targeted email attacks
Another potential danger comes from spear-phishing attacks. Typically in such an attack, a hacker sends an email that induces a user to click on a link to a spoofed site and enter their login information. The malicious actor usually uses what they know about the target — their friends, their family, their life experiences — to convince them that the email is legitimate.
Even seemingly innocuous information about a person can be used in such attacks. The more data a hacker has about someone, the more believable they can make the email lure. One set of data that was exposed in the Facebook hack was the locations where users had checked in using Facebook’s app.
A hacker might be able to take that information and purport to be a representative of a target’s credit card company, potentially even saying that the company had noticed their card being used on the date and at the place of the check-in, said Michelle Richardson, director of the privacy and data project at the Center for Democracy and Technology, an advocacy group.
“These guys are really crafty,” she said.
Because users often reuse passwords on multiple sites, they may find lots of their most sensitive and valuable accounts at risk if they fall victim to such a scam.
There are steps you can take to protect yourself
You can find out whether you were affected by the Facebook attack by logging into your account and going to a security page the company has set up. If you were affected, there are several steps you should take to protect yourself, security and privacy experts say:
- Put a freeze on your credit report with the major credit reporting agencies, such as Equifax. That will prevent criminals from using the information they gleaned about you to create new financial accounts in your name. Thanks to a new law, credit freezes are now available for free.
- Keep a close eye on your financial statements to look out for mystery charges.
- Make sure you aren’t using the same password in multiple places, and create new, unique ones if you are. A password manager such as LastPass can make it easier to create and keep track of your login information for different sites.
- Turn on two-factor authentication whenever you can, but especially on your most sensitive or valuable accounts. Even though such systems can be vulnerable to hacking attacks, they’re still more secure than passwords alone.
Regardless of whether your account was affected, you might also want to consider deleting or deactivating your Facebook account, especially if you don’t use it often. If you plan to keep your account, you should also think about limiting what you share on it.
“People share stuff on their Facebook profiles they wouldn’t want shared with the rest of the world,” said Brookman. He continued: “There’s historical data that’s out there about you that could potentially be leveraged against you or used to hack your account or compromise your friends’.”