- Office of Consumer Affairs and Business Regulation
Facebook recently suffered a significant data breach with hackers gaining access to the accounts of millions of Americans. According to Facebook, hackers exploited a software flaw in the ‘View As’ option (which lets users see what their profile looks like from the perspective of another user) and were able to steal “access tokens.” Access tokens are what make it possible for you to remain signed into your social media accounts on your devices.
Facebook has said that they reset the access tokens for accounts and fixed the vulnerability. However, they recently announced that data from 29 million user accounts, including names, email addresses, phone numbers, birthdates, and even information about where users checked in, was obtained as a result of the intrusion.
Facebook will be notifying those users whose accounts were compromised. In the meantime, it may be a good idea for all consumers to change their passwords and review their privacy settings. Facebook hasn’t said there is a need to do this, but in general, it is good practice to frequently update the passwords for all social media and online accounts, such as banking and utilities.
Interestingly, many people have also been reporting in the days since the announcement of the breach that their account has been hacked, and warning their current friends not to accept a friend request from them. Facebook has said the two are unrelated and that the “hack” is really just a cloning scam.
A cloned Facebook account is when fraudsters use the information from your current Facebook page (your name, photos, likes) to create a separate account. Usually the scammers then message your friends and ask for personal information or money (we’ve told you about this type of scam before. Refresh your memory here: https://blog.mass.gov/consumer/massconsumer/social-butterflies-beware-watch-out-for-fake-facebook-friend-requests/).
The message users are receiving reads something along the lines of “I received another friend request from you. You should check your account and forward this so you can warn others.” Any time someone tells you they received a friend request from you that you did not send, be suspicious as it’s very possible that your account was cloned. It sounds scary, but don’t panic. A simple way to check if you might be the victim of Facebook cloning is to search your name (and similar variations of it). If you come across duplicate profiles, report them to Facebook.
Remember, a cloned account doesn’t necessarily mean your account has been hacked, and Facebook officials have said there has not been a spike in cloned accounts. Use caution when accepting friend requests from people you don’t know and NEVER share personal or financial information on the site. It’s also smart to avoid filling out those quizzes that ask questions such as your favorite pet and mascot in high school, as those questions are often used as security questions for financial accounts if you can’t remember your password.