What you need to know about new Facebook security issues

Updated: October 17, 2018

It’s not been a good year for tech companies, as the scandals just keep coming, and users are now beginning to understand the extent to which the daily operations of these companies rely on their data. This is especially true of Facebook which reported its third data breach of the year on Friday, Sept. 28. Earlier that same week, independent research confirmed that Facebook used the phone numbers its users provided for two-factor authentication (2FA) in advertising campaigns. We’re going to cover both stories and put them into context of the broader tech industry. Keep reading to learn more about these two incidents and how they relate to you.

Facebook gave out your 2FA phone number (and other details you didn’t share)

Earlier this year, researchers from Northeastern University and a researcher from Princeton University collaborated to investigate how Facebook targets ads. Gizmodo, reporting on their findings, stated that the researchers found that “… when a user gives Facebook a phone number for two-factor authentication or in order to receive alerts about new log-ins (sic) to a user’s account, that phone number became targetable by an advertiser within a couple of weeks.” Although Facebook notes that users bothered by this use of ad targeting can opt for some other 2FA method, the option to use anything other than SMS-based authentication only became available four months ago. In a twist of cruel irony, until recently, those who took the initiative to harden their account’s security by using 2FA were simultaneously undermining their own privacy – a trade-off that no one would have had reason to assume they’d have to make.

The report also confirmed a hunch that many experts had long held. In addition to using 2FA phone numbers for advertising purposes, Facebook also made use of contact information not directly provided by users. That is to say, Facebook made inferences about users’ contact information by analyzing other users’ contact lists. For example, if your friend has your email and/or phone number in their phone’s contact list and they knowingly (or unknowingly) import this list to Facebook, the company will associate this information with your profile if it infers that this is your contact information, even if you didn’t personally upload any of these details. This process of association, dubbed “shadow profiling” by journalists and experts, has been known to exist for years. Facebook, in fact, has shadow profiles for people who’ve never used Facebook and can associate both users’ and non-users’ identities with even the tiniest sliver of information.

While shadow profiles were a known part of Facebook’s ecosystem, this study confirmed that the information Facebook gained in this way was used for advertising. The worst part is that users seeking to remove the information from their shadow profile can’t because they’re not the ones who uploaded those details. They’d have to get their Facebook friend(s) to do so, assuming these friends even remember sharing their contact lists. Every person who shared this information would have to remove it from their profile in order for it to truly be gone, assuming Facebook doesn’t retain this information. Sadly, the convoluted nature of this system reveals one simple but terrifying truth – your privacy is no longer solely in your own hands.

Facebook was also breached by hackers

To make matters worse, Facebook reported one of its biggest breaches to date on Friday, Sept. 28. Some 50 million users might have had their data stolen. Unlike the Cambridge Analytica scandal, which was more of a leak, this incident is an actual breach and is one of the first incidents we know of involving actors hacking in to gain unauthorized access to information, rather than simply gaming Facebook’s rules to get more data than they were authorized to access.

This particular hack exploited three vulnerabilities that Guy Rosen, Facebook’s vice president of product management (who detailed the hack on a press call), considered relatively sophisticated. Individually, these vulnerabilities were rather minor, but combining all three required a degree of technical finesse. Facebook detected the attack because it started “see[ing] this attack being used at a fairly large scale,” Rosen said in the press call.

The vulnerabilities in question centered on Facebook’s “View As” function. As the ability to customize your Facebook profile’s visibility became more granular, people could customize their page in a way that allowed them to control privacy settings based on who was viewing their page. For example, if you were friends with a colleague you didn’t want viewing your more intimate posts, you could make it so that these posts were hidden from this specific person. To confirm these changes, you might use the View As feature to verify that your associate couldn’t see the posts whose privacy settings you’d modified. The vulnerabilities worked in such a way that someone exploiting the tool could gain full access to an account, as if they were the user whose perspective they were emulating. Hackers doing this did not get access to information like passwords or credit card numbers, so victims technically don’t have to change those, but hackers did have access to whatever information was viewable to a user logged into their own account – that means chat logs, posts, photos and other content could have been stolen or edited. This might also have included access to accounts on third-party websites, since some users take advantage of the Login with Facebook feature, which lets them connect their Facebook account to other services and apps found all over the web. There is no information as of now, however, beyond what the exploit is, the types of information that could possibly have been taken and the potential size of the breach. Although Facebook estimates that up to 50 million accounts were potentially exposed in this hack, Facebook forcibly logged out 90 million users, as it reset the login tokens for an extra 40 million accounts out of caution. We’ll update the post as more becomes known.
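To make the flaw concrete, here is an added, illustrative model (not Facebook’s code; the class, method and action names are assumptions) of a session store whose View As preview mints a fully privileged token for the viewed account, beside a hardened version that binds the preview token to the requester and to a single read-only action, plus the bulk token reset that the article describes as the remediation:

```python
import secrets
from dataclasses import dataclass

@dataclass
class Session:
    token: str
    user: str   # account the token acts as
    actor: str  # account that requested the token
    scope: str  # "full" for a real login, "preview" for a View As rendering

class SessionStore:
    # Toy server-side session store (illustrative model, not Facebook's code).
    def __init__(self):
        self.sessions = {}

    def _mint(self, user, actor, scope):
        token = secrets.token_hex(16)
        self.sessions[token] = Session(token, user, actor, scope)
        return token

    def login(self, user):
        return self._mint(user, user, "full")

    def view_as_vulnerable(self, actor_token, target):
        # Flaw: the preview is an ordinary, fully privileged session for the *target*,
        # so whoever holds it can act as that account, not merely see what it sees.
        return self._mint(target, self.sessions[actor_token].user, "full")

    def view_as_hardened(self, actor_token, target):
        # Fix: a distinct token that records who asked for it and is only good for
        # rendering the requester's own profile the way `target` would see it.
        return self._mint(target, self.sessions[actor_token].user, "preview")

    def authorize(self, token, action, owner):
        # May `token` perform `action` on data belonging to `owner`?
        s = self.sessions.get(token)
        if s is None:
            return False
        if s.scope == "full":
            return owner == s.user
        return action == "view_profile" and owner == s.actor

    def revoke_for(self, users):
        # Remediation the article describes: invalidate every token tied to an
        # affected account, forcing those users (and any live previews) to log in again.
        doomed = [t for t, s in self.sessions.items() if s.user in users or s.actor in users]
        for t in doomed:
            del self.sessions[t]
        return len(doomed)
```

The hardened preview token is useless for reading the viewed account’s messages, and the bulk revocation is why affected users were simply logged out rather than asked to change passwords.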

As of Friday, Oct. 12, Facebook claims the data breach impacted only 30 million users; however, the effects of the breach remain wide-reaching, with personally identifying information, including geolocation, having been exposed.

How will these developments affect Facebook?

Experts and politicians have commented on just how severe this particular breach is; however, it remains unclear what comes next for Facebook. There’s a possibility that under the European General Data Protection Regulation (GDPR) the company could face some sort of penalty, assuming European officials find Facebook’s behavior or response insufficient under the law. Stateside, earlier in the very same week that these two stories broke, Congress held a technology and privacy hearing, where the industry’s largest companies testified. It has yet to be shown what will come of the hearing, but it appears to at the very least signal that some U.S. lawmakers are exasperated and ready to take privacy seriously in light of what companies like Facebook are doing with consumer information. Additionally, in what might be an omen of what’s to come, the founder of WhatsApp as well as the founders of Instagram left Facebook – the former of whom was frustrated with what he saw as the privacy failures of his new parent company. Both companies were acquired by Facebook and have been a critical part of the company’s growth and expansion.

What can we learn from these incidents?

Whether you’re feeling apathetic or infuriated, there is a lot to learn from both of these incidents.

1. Don’t use SMS 2FA if possible. Although SMS-based 2FA is the least secure option when it comes to multifactor security, that doesn’t give Facebook a reason to share these phone numbers with advertisers. Still, this illustrates that other companies might be doing the same, which means you should take this as a sign to move to a more secure form of 2FA. Consider using an app, such as Google Authenticator, or, if you can manage it, use a hardware-based authenticator. We talk about both options in our guide to two-factor authentication.

2. Gauge the extent of the damage. If you were one of the 90 million individuals whom Facebook logged out, then you either were or could have been a victim. Experts are saying you should first visit Facebook’s Security and Login page, where you can check the devices that have accessed your account. Out of caution, you should end any active Facebook sessions on these devices while looking for any devices that seem unfamiliar. Next, you’ll want to check the apps that are connected to your account, which you can do under Apps and Websites (you can access this option from Facebook’s Settings page). It also won’t hurt to change your password.

3. Strengthen your Facebook security. Assuming you don’t intend to delete your Facebook account (which arguably might not get rid of all the data they have on you), you should enhance your Facebook security by turning on the Unrecognized Logins feature, which can be accessed from the Setting Up Extra Security section of the Security and Login page. For additional security, you should disassociate your Facebook account from any third-party apps and simply avoid connecting your account with anything else. Linking your Facebook account with others increases your attack surface, and thus increases the number of ways a hacker can compromise your identity.

For more tech news, follow our technology blog, where we report on the stories most relevant to you.