Consumer Reports has no financial relationship with advertisers on this site.
Consumer Reports has no financial relationship with advertisers on this site.
The Facebook data breach that affected almost 30 million users last month was different from other recent data breaches in a way that concerns security and privacy experts—and should worry consumers, as well.
It’s not just the sheer size that made the Facebook attack notable. Massive incidents such as the Equifax breach from last September were bigger. What's unusual is the kind of data exposed.
"It turns out the Facebook attack was worse than we thought—the fact that very sensitive data was exfiltrated from about 15 million users is staggering," says Justin Brookman, director of privacy and technology policy for Consumers Union, the policy and mobilization division of Consumer Reports.
The stolen data included religion, gender, relationship status, birthdate, location, and recent search search history for 14 million victims of the attack, Facebook says. An additional 15 million users had just their names and contact information stolen.
"To put this in perspective, can you imagine having access to the personal data of the entire population of New York, Chicago, and Los Angeles?" asks Pam Dixon, executive director of the World Privacy Forum, a public-interest research group. "That's about how many people lost personal information in this breach."
And while that information might seem almost trivial, according to security experts it’s not as benign as one might imagine. In fact, in some ways, these personal details may be even more consequential than the loss of a Social Security or credit card number.
“Most data breaches involve financial information, but your Facebook account can be misused in a number of ways that are harmful,” Brookman says. “Accessing your private communications and posts by itself is pretty invasive, but that information could also be used to crack account security questions or to scam you and your friends.”
A Gateway to Your Accounts
In the past, services that handle financial transactions and sensitive information generally asked you for a Social Security or driver’s license number to confirm your identity, says Dan Guido, founder of the cybersecurity firm Trail of Bits. “But it’s no longer possible to accurately identify people using those trust markers.”
In today’s digital world, that information is hard to safeguard—and it may have been compromised in previous data breaches. So banks and other services have moved toward using personal data—mother’s maiden name, pets’ names, the street you grew up on—to protect important accounts.
With some sleuthing, a determined cybercriminal might uncover some of these personal details on a Facebook page, assuming you leave your page open to public view in your privacy settings. But this breach delivered that data directly, giving hackers a head start for potential identity theft crimes.
Criminals could also use such data to build robust bios that become powerful weapons in phishing scams, where personalized emails trick consumers into revealing financial information or clicking on links that plant malware on their computers.
When a cybercriminal knows the haunts and hobbies of a potential victim—the kind of information collected about millions of the victims of the Facebook attack—it dramatically increases their odds of success.
“If they know specific things—my mom’s name, my kids’ names, their birthdates—they could easily look legitimate,” says Sam McLane, chief technology services officer at the cybersecurity firm Arctic Wolf Networks. Imagine a scenario where a thief pretends to be calling from a bank, using photos or location data from a social media account to obtain valuable account information. “They call and say, ‘This is Chase, and we notice that you went to Bob’s House of Tacos last Thursday,’” he says. “Suddenly, it makes it believable enough that I suspend my suspicions.”
The thing that could make Facebook data extra-valuable to criminals, says Ernesto Falcon, legislative counsel at the Electronic Frontier Foundation, is its accuracy. After all, it was entered into Facebook's computer systems by consumers themselves.
In contrast, personal details stolen in data breaches of retailers or data brokerages can be off-base, since it has been inferred from consumer behavior.
The Facebook data could also end up being used in ransomware or blackmailing attacks, warns Casey Oppenheim, founder of the data security firm Disconnect. “People do a lot of very personal things on Facebook,” he says. “They talk about things they wouldn’t want their employer or their spouse to know. Hackers can do nasty stuff with that.”
In the end, personally identifiable data will endure in a way that financial information may not. You can—and should—change passwords after a breach. Go ahead and cancel a credit card. You can even get a new Social Security number if your first one is stolen.
But the telling details on your Facebook account—your birthdate, where you were born, your first pet’s name—that is forever.
“Digital data is like a genie in a bottle,” Oppenheim says. “Once it gets out of the bottle, it’s extremely difficult—if not impossible—to get it back in.”
What You Can Do
"It's definitely worthwhile to see what information of yours was accessed as a result of this breach by following this Facebook link," CR's Brookman says.
More broadly, this is a good time to rethink what you post on social media. “Just because Facebook wants your hometown, your gender, and your birthdate, you don’t have to give it to them,” the World Privacy Forum's Dixon says.
One important step is to simply, well, lie. When you’re setting up an account, you don’t have to tell the whole truth. Who’s to know (besides you and a few close friends) if you substitute the date of your anniversary—or the publication date of the novel "1984"—for your birthday? The dozens of acquaintances who offer you birthday wishes every year will be none the wiser.
“Don’t put anything on Facebook that you wouldn’t want public,” Guido, of Trail of Bits, says.
And when answering those pesky account security questions, you can give an answer that’s not quite accurate but remains easy for you to remember. Maybe tell your bank that you were born in Green Bay (where your favorite team plays) rather than Sarasota, where you were actually born.
Brookman adds that an attack like this this should encourage consumers to adopt security best practices such as two-factor authentication, strong, unique passphrases, and credit freezes.
Finally, be skeptical of unexpected queries, even if they sound legit. If you get a phone call from a financial institution that raises your suspicions, call back using a number you find on your bank statement or the back of your credit card. If you get a suspicious-looking email, don’t open it. Just delete it.
Here are some additional ways to keep yourself safe from a phishing attack:
Examine the link. Before you click on a link, try hovering your mouse over it. This will reveal the full address, which can expose signs of fraud. An “.ru” on the end, for example, means the site was created in Russia; “.br” means Brazil.
Misspellings are another good tip-off to a fake website. If the URL reads “bankoffamerica.com,” it’s trouble.
Better yet, don't click on any link in an unsolicited email, or call any phone number. Just open a new browser window and go directly to the business's website.
Finally, if don’t assume that a website is legitimate just because its URL starts with “https.” Encryption is available to everyone.
Don’t open attachments. They may contain malware. And you should never type confidential information into a form attached to an email. The sender may be able to read the info you enter.
Guard your financial information. Be especially wary of emails asking for account numbers, credit card numbers, and wire transfer information. There’s no reason to share such info via message or a nonsecure site.
Turn on auto updates. This goes for computers, smartphones, and tablets. Up-to-date security software goes a long way toward stopping malware.
Use security tools. Install an antivirus program on your device and keep it up to date. You can also use a website reputation rating tool, which comes in the form of a browser plug-in, to warn you if you try to go to potentially dangerous websites.
Consumer Reports is an independent, nonprofit organization that works side by side with consumers to create a fairer, safer, and healthier world. CR does not endorse products or services, and does not accept advertising. Copyright © 2018, Consumer Reports, Inc.