Facebook reset account logins for tens of millions of accounts Friday, alongside its announcement that it found a serious security flaw had let hackers potentially control user accounts. How can you tell if you were in this breach? And, more importantly, what can you do about it?
If you log into Facebook from a smartphone app or Web browser and have to re-enter your login information, you may have been affected by the breach—but maybe not. Facebook said 50 million users’ accounts had “tokens” grabbed that would allow attackers to gain access to an account without a username and password.
However, Facebook reset account sessions for another 40 million users for whom it has a record that someone used this exploitable feature, even if it believes that the use wasn’t malicious.
Facebook said passwords weren’t leaked, and it hasn’t reset passwords for accounts.
Web sites and apps use tokens to keep a session between a browser or app and a server active after an initial login proves a user has the right credentials. These tokens typically expire over time, but companies may let them persist for a month or much longer before asking you to verify your login information again.
Because you don’t control tokens, there was no way to prevent this credential hijacking at Facebook, and no way exists for individuals to prevent another one in the future.
However, after any sort of login theft, it’s wise to reset your password. This is in case further details emerge that attackers were able to leverage one kind of access for another. Facebook has opted to not reset passwords for this group of nearly 100 million people, a significant percentage of its user base, but you can (and should) do it yourself.
To reset your password, visit facebook.com or use one of its apps, choose the downward-pointing arrow in the upper-right corner, and then choose Security and Login. Now choose Edit next to Change Password. After changing the password, click or tap Save Changes.
Most password-selection advice given out is poor, leading to people picking one short password that meets a set of arbitrary rules about mixed capitalization, punctuation, and use of numerals. People then use the same password at many sites. That’s a security no-no from two directions. First, it’s increasingly easy for even complicated short passwords to be cracked when password databases get extracted from sites. Second, re-using a password means an attacker could take over your account at every site at which you use the same password if the password gets broken at a single one of those sites.
The current password-selection advice from security exports is to use a password manager, whether the ones built into Google’s and Apple’s ecosystems in their devices and desktop browsers, or a third-party option from firms like LastPass, Dashlane, and 1Password. These create unique, strong, but long passwords for every site and app that can made up of words or nonsense letters, and be easy to memorize and type if need be.