Ancient Chinese Proverb: May You Live In Interesting Times.
Well welcome to interesting times.
Today, Facebook said that the accounts of 50 million users were compromised.
The hackers stole the access “tokens” that Facebook uses to keep users logged in, not the passwords themselves. A token is a bearer credential: whoever holds it is treated as that user, and the password is never asked for again until the token stops being honoured. Facebook revoked the affected users’ tokens so the stolen copies stop working.
Later in the day Facebook said that it had revoked another 40 million users’ tokens as a precaution, because they might have been compromised too.
Finally, to put a cherry on top of things, Facebook admitted that any site you log into with your Facebook ID (“Log in with Facebook”) may have been compromised too, since those sites accept the same tokens.
So now not only does Facebook have to investigate, but so do sites like Tinder, Instagram, Spotify, AirBnB and thousands of other sites that let users sign in with Facebook.
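To make the mechanism above concrete, here is an added example (not Facebook’s code, not from the original post) modelling the three parties: an identity provider that issues bearer tokens, an attacker who copies one, and two third-party sites that accept “Log in with” that provider. The class and function names (IdentityProvider, RelyingParty, demo) and the user “alice” are hypothetical; the token table is an in-memory dict standing in for Facebook’s server-side session store.

```python
import secrets


class IdentityProvider:
    """Stand-in for the site that issues login tokens (the Facebook role).

    Hypothetical model for illustration: tokens are random bearer secrets kept
    in a server-side table, so validity is decided entirely by that table.
    """

    def __init__(self):
        self._passwords = {}   # user_id -> password (plain text only for the demo)
        self._tokens = {}      # token -> user_id

    def register(self, user_id, password):
        self._passwords[user_id] = password

    def login(self, user_id, password):
        """The password is checked exactly once; afterwards the token is the credential."""
        if self._passwords.get(user_id) != password:
            raise PermissionError("bad credentials")
        token = secrets.token_urlsafe(32)
        self._tokens[token] = user_id
        return token

    def introspect(self, token):
        """Who does this token belong to? None means unknown or revoked."""
        return self._tokens.get(token)

    def change_password(self, user_id, old, new):
        """Rotates the password only. Issued tokens are untouched on purpose, to show
        why revocation has to be an explicit, separate step."""
        if self._passwords.get(user_id) != old:
            raise PermissionError("bad credentials")
        self._passwords[user_id] = new

    def revoke_user(self, user_id):
        """Invalidate every live token for a user; returns how many were killed."""
        doomed = [t for t, u in self._tokens.items() if u == user_id]
        for t in doomed:
            del self._tokens[t]
        return len(doomed)


class RelyingParty:
    """Stand-in for a third-party site offering "Log in with <IdP>" (the Tinder/Spotify role)."""

    def __init__(self, idp, recheck_each_request):
        self.idp = idp
        self.recheck = recheck_each_request
        self._sessions = {}    # local session id -> (idp_token, user_id)

    def login_with_idp(self, idp_token):
        user = self.idp.introspect(idp_token)
        if user is None:
            raise PermissionError("identity provider rejected the token")
        sid = secrets.token_urlsafe(16)
        self._sessions[sid] = (idp_token, user)
        return sid

    def whoami(self, sid):
        """Resolve a local session. A strict site re-asks the IdP every time, so an
        upstream revocation logs the holder out here too; a lazy site trusts the
        identity it cached at login and keeps the stolen session alive."""
        entry = self._sessions.get(sid)
        if entry is None:
            return None
        idp_token, user = entry
        if self.recheck and self.idp.introspect(idp_token) is None:
            del self._sessions[sid]
            return None
        return user


def demo():
    """Walk through theft, password change, revocation and the downstream effect."""
    idp = IdentityProvider()
    idp.register("alice", "correct horse battery")
    stolen = idp.login("alice", "correct horse battery")   # attacker copies this token

    strict = RelyingParty(idp, recheck_each_request=True)
    lazy = RelyingParty(idp, recheck_each_request=False)
    strict_sid = strict.login_with_idp(stolen)   # attacker logs into both third-party sites
    lazy_sid = lazy.login_with_idp(stolen)       # using the stolen token, never a password

    out = {}
    out["attacker_before_revoke"] = idp.introspect(stolen)
    idp.change_password("alice", "correct horse battery", "new and improved")
    out["after_password_change"] = idp.introspect(stolen)   # still alice: token outlives the password
    out["revoked_count"] = idp.revoke_user("alice")
    out["after_revoke"] = idp.introspect(stolen)            # None: the IdP no longer honours it
    out["strict_rp_after_revoke"] = strict.whoami(strict_sid)   # None: revocation propagated
    out["lazy_rp_after_revoke"] = lazy.whoami(lazy_sid)         # still alice: the site must act itself
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The two things worth taking away: a password change does nothing to a token that is already in someone else’s hands (the issuer has to revoke explicitly, which is what Facebook did), and a relying party that cached “this session is alice” at login keeps the attacker logged in after the upstream revocation unless it re-validates. The real-world counterpart of `introspect` is an OAuth-style token introspection call (for Facebook Login, the Graph API `debug_token` endpoint; generically, RFC 7662), which is why the downstream sites now have an investigation of their own.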
Here is why this is interesting.
Hacks are old school. YAWN!
This is the first mega hack after the effective date of GDPR. Sure, British Airways lost 380,000 credit cards, but this is 50 to 90 million users on Facebook alone. We DO NOT KNOW whether other sites that accept Facebook logins were affected, but if they were, this could touch dozens to hundreds of companies and hundreds of millions of accounts. All of them COULD be fined under GDPR. If that happens, they will likely sue Facebook. Of course Facebook’s developer terms with sites like Tinder and Spotify probably say that they use the login service at their own risk, but the courts MAY rule that this is negligence and not covered by such a disclaimer, if one even exists. Would companies like Spotify and AirBnB actually agree to terms like that? Maybe. That is why this is such an interesting day. BTW, my token was apparently hacked, as my login was revoked. So was Zuck’s. Karma. 🙂
Remember that GDPR fines can go (but likely would not go) as high as 4% of Facebook’s global annual revenue.
Facebook is already talking to Helen Dixon. Helen is Ireland’s Data Protection Commissioner and in a large sense, Facebook’s destiny in this breach – and their wallet – is in Helen’s hands. I would say, right now, her hands are full.
So what should you do?
Depends on your level of paranoia.
First, I would change my Facebook password and the password on any other site where you use the same one. We do not THINK that passwords were taken, only tokens, so this is a precaution. Keep in mind that a new password does nothing to a token that is already in someone else’s hands; it is Facebook’s revocation that kills those, and the password change just closes the door on a reused password.
Second, enable two-factor authentication. Facebook’s two-factor process is really simple: when you log in you get a pop-up on your phone asking if it is you, and if you click yes, you are logged in. The caveat is that two-factor protects the login step, not a token that was issued after a successful login, so it would not have stopped this attack on its own. It does make the stolen-password scenario much harder, and that is still worth having.
Third – and this is the most painful one – for those sites you log into with your Facebook userid and password, create a local account instead. I know, it is a pain in the ….. but so is having multiple accounts compromised. Even if they figure out that it didn’t happen in this case, what about next time? Security. Convenience. Pick one and only one.
Information for this post came from Business Insider.