50 Million Facebook Accounts Hacked: What Should You Do?
Whatsapp Pinterest
Advertisement

So much is going on each month in the world of cybersecurity, online privacy, and data protection. It’s difficult to keep up!

Unlock the free "Facebook Security Checklist" now!

This will sign you up to our newsletter

Enter your Email

Our monthly security digest will help you keep tabs on the most important security and privacy news every month. Here’s what happened in September.

1. 50 Million Facebook Accounts Hacked

The last week of September threw up one of the biggest pieces of news: 50 million individual Facebook user accounts were hacked Facebook Hack Affects 50 Million Accounts Facebook Hack Affects 50 Million Accounts Around 50 million Facebook users may have had their accounts accessed as part of a major security breach. Which isn't good news. Read More . Facebook reset the passwords of 90 million accounts, just to be sure, indicating that the final number of compromised accounts could rise.

Attackers exploited a vulnerability in Facebook’s “View As” feature, which allows users to see what their own account looks like to others. Facebook’s vulnerability stems from three bugs. The first allows the Facebook video upload tool to appear on the View As page. The second lets the upload tool generate an access code. A final bug lets the View As page generate an access code for whichever user the hacker wants.

The issue isn’t confined to the Facebook site, either. Other Facebook services such as Instagram are also vulnerable, along with sites and services using the now ubiquitous Facebook Login. (This is how you secure your accounts when using social login Using Social Login? Take These Steps to Secure Your Accounts Using Social Login? Take These Steps to Secure Your Accounts If you're using a social login service (such as Google or Facebook) then you might think everything is secure. Not so -- it's time to take a look at the weaknesses of social logins. Read More .)

Initially, the only way to tell if you are a victim is if Facebook signed you out of your account without warning. However, Facebook now says it will post a message at the top of your News Feed if your account was involved.

The Facebook hack holds special significance for MakeUseOf’s European readers; this is the first significant data breach from a major tech company since the EU enacted the General Data Protection (GDPR) law in May 2018

As Facebook is registered in Ireland, the Irish Data Protection Commission could issue Facebook with a huge fine under the terms of the GDPR, but as yet the Commissioner hasn’t clarified “the nature of the breach and the risk for users.”

If you are a Facebook hack victim, here are four things you need to do immediately 4 Things to Do Immediately When Your Facebook Account Is Hacked 4 Things to Do Immediately When Your Facebook Account Is Hacked Having your Facebook account hacked is a nightmare. Here's how to secure a hacked Facebook account and contain the damage. Read More .

2. Five Eyes Governments Attack Encryption

“The governments of the United States, the United Kingdom, Canada, Australia, and New Zealand are committed to personal rights and privacy, and support the role of encryption in protecting those rights.”

Ministers from the Five Eyes governments—the U.S.A., United Kingdom, Canada, Australia, and New Zealand—met in Australia for the annual FCM. It was at this Five Country Ministerial that the above statement was drafted.

However, further inspection of the joint statement reveals that the Five Eyes allies are threatening to introduce legislation compelling tech giants such as Apple, Facebook, and Google to provide “lawful access solutions” to their products. In other words: the governments of Five Eyes countries want encryption backdoors, and they want them now.

Unfortunately, it is just not possible. Creating a backdoor for one person doesn’t stop it existing for others. Once the encryption backdoor is open the security of hundreds of millions of other law-abiding users evaporates.

It isn’t an issue that’s going away any time soon. Furthermore, there are numerous arguments against breaking encryption Why We Should Never Let the Government Break Encryption Why We Should Never Let the Government Break Encryption Living with terrorist means we face regular calls for a truly ridiculous notion: create government accessible encryption backdoors. But it's not practical. Here's why encryption is vital to day to day life. Read More , but very few for. At times, encryption breaking tools such as GrayKey What Is GrayKey? A Tool That Breaks iPhone Encryption and Passwords What Is GrayKey? A Tool That Breaks iPhone Encryption and Passwords Encryption is vital for privacy and security, but iPhones are now at risk thanks to GrayKey. Read more about GrayKey and why it has Apple so worried. Read More pop-up to give law enforcement a break, but they are few and far between. Other countries are considering an alternative approach. For instance, German Interior Ministry documents reference the use of Remote Communication Interception Software to target iOS, Android, and Blackberry devices without having to rely on service providers like Apple, Google, Facebook, and so on.

Police installing backdoors on the devices of their suspects? That’s another story.

3. British Airways Breach: 300,000 Customers Affected

UK flag carrier British Airways (BA) revealed that during the period from 22:58 on 21st August 2018 to 21:45 on 5th September 2018, the payment details of 300,000 customers were breached. (Yes, these oddly specific times come from BA.)

The stolen information contained the personal and financial information of any customers who booked with BA during that period. It didn’t, however, include the passport or identification document data for those customers. Speaking on BBC Radio 4’s Today on Friday program, BA chairman and CEO Alex Cruz said the hack was “a sophisticated, malicious criminal attack” and that BA are “extremely sorry for what has happened.” Cruz also promised that BA was “100 percent committed” to compensating any affected customers.

BA hasn’t officially disclosed how the hack took place. However, security researchers at RiskIQ believe the hackers planted malicious code on the BA payment page via a modified version of the Modernizr JavaScript library. The malicious code uploaded stolen data to a server hosted in Romania. This is in turn part of a VPS provider named Time4VPS, based in Lithuania.

“The infrastructure used in this attack was set up only with British Airways in mind and purposely targeted scripts that would blend in with normal payment processing to avoid detection.”

Researchers traced the hack to a group called Magecart who are also responsible for recent attacks on Ticketmaster and Newegg.

4. ESET Discover First UEFI-Based Rootkit

Security researchers at ESET discovered the first-ever UEFI-based rootkit in the wild. The rootkit allows a hacker to install persistent malware on a vulnerable system What You Don’t Know About Rootkits Will Scare You What You Don’t Know About Rootkits Will Scare You If you don't know anything about rootkits, it's time to change that. What you don't know will scare the hell out of you, and force you to reconsider your data security. Read More with the potential to survive a full-system format.

The discovery of a UEFI rootkit is particularly galling as UEFI systems have traditionally remained secure What Is UEFI And How Does It Keep You More Secure? What Is UEFI And How Does It Keep You More Secure? Read More against such threats. However, the rootkit presents a significant problem as it requires a full motherboard firmware flash to remove; your regular antivirus and antimalware programs won’t get near the rootkit The Complete Malware Removal Guide The Complete Malware Removal Guide Malware is everywhere these days, and eradicating malware from your system is a lengthy process, requiring guidance. If you think your computer is infected, this is the guide you need. Read More .

“While it is hard to modify a system’s UEFI image, few solutions exist to scan system’s UEFI modules and detect malicious ones,” reads the ESET blog. “Moreover, cleaning a system’s UEFI firmware means re-flashing it, an operation not commonly done and certainly not by the average user. These advantages explain why determined and resourceful attackers will continue to target systems’ UEFI.”

The rootkit, known as LoJack, is thought to be the work of the infamous Russian-government linked hacking group, Fancy Bear. The hackers modified Absolute Software’s legitimate LoJack laptop anti-theft tool. The tool installs to the system BIOS to survive a system wipe. The modification replaces parts of the original LoJack code to rewrite vulnerable UEFI chips.

How do you protect against the UEFI rootkit? The easiest method is keeping UEFI Secure Boot turned on How to Disable UEFI Secure Boot to Dual Boot Any System How to Disable UEFI Secure Boot to Dual Boot Any System Installing a second operating system on some Windows computers can be difficult thanks to UEFI. Here's how to disable UEFI Secure Boot and dual boot any operating systems you like. Read More . Your system firmware will then reject any file without a proper verification certificate, keeping your system safe from harm.

5. North Korean Hacker Charged in WannaCry and Sony Hacks

The US government charged and sanctioned a North Korean hacker for the 2017 WannaCry global ransomworm attack The Global Ransomware Attack and How to Protect Your Data The Global Ransomware Attack and How to Protect Your Data A massive cyberattack has struck computers around the globe. Have you been affected by the highly virulent self-replicating ransomware? If not, how can you protect your data without paying the ransom? Read More , as well as the 2014 Sony Pictures hack that forced the company to withdraw its then-upcoming film, The Interview 2014's Final Controversy: Sony Hack, The Interview & North Korea 2014's Final Controversy: Sony Hack, The Interview & North Korea Did North Korea really hack Sony Pictures? Where is the evidence? Did anyone else stand to gain from the attack, and how did the incident get spun into promotion for a movie? Read More . (The Interview is a comedy about a plot to assassinate the North Korean leader, Kim Jong-un.)

The indictment alleges that North Korean programmer, Park Jin Hyok, worked for a government front company with offices in China and the DPRK. Park and his colleagues are alleged to have engaged in malicious activity on behalf of the North Korean military.

fbi wanted posted for north korean hacker

“The scale and scope of the cyber-crimes alleged by the complaint is staggering and offensive to all who respect the rule of law and the cyber norms accepted by responsible nations,” said assistant attorney general John Demers. “The complaint alleges that the North Korean government, through a state-sponsored group, robbed a central bank and citizens of other nations, retaliated against free speech in order to chill it half a world away, and created disruptive malware that indiscriminately affected victims in more than 150 other countries, causing hundreds of millions, if not billions, of dollars’ worth of damage.”

The hacking group is also thought to be responsible for the unsuccessful hack attempt against Lockheed Martin. The group is also responsible for attacks against the Bank of Bangladesh, the Banco del Austro in Ecuador, Vietnam’s Tien Phong Bank, and a number of cryptocurrency exchanges.

The North Korean government hit back at the US indictment, labeling it a “smear campaign”. It also claims that Park is a “non-entity”. Understandable, given the circumstances.

Security News Roundup: September 2018

Those are five of the top security stories from September 2018. But a lot more happened; we just don’t have space to list it all in detail. Here are five more interesting security stories that popped up last month:

  • The US State Department confirmed a security breach affected the email of “less than 1% of employee inboxes.”
  • Data management firm, Veeam, exposed 445 million records for around ten days.
  • The US Attorney’s Office revealed how the Mirai botnet creators are helping the FBI investigate “complex” cybercrime cases. Their assistance keeps them clear of prison.
  • Uber picked up a $148 million fine for their 2017 data breach.
  • The average DDoS attack size has quintupled in size, to 26Gbps, according to Nexusguard.

A huge amount happens every month in cybersecurity, privacy, data protection, malware, and encryption. Check back next at the beginning of next month for your October 2018 security roundup. In the meantime, check out these five security breaches that might have put your data at risk 5 Recent Data Breaches That May Have Put Your Data at Risk 5 Recent Data Breaches That May Have Put Your Data at Risk It can be hard to keep up with all the latest online security hacks, so we've rounded up some of 2018's most notable breaches. Read More !

Image Credit: Thought Catalog Books/Flickr

Explore more about: Facebook, Online Fraud, Online Privacy, Online Security, Ransomware, Surveillance.

Enjoyed this article? Stay informed by joining our newsletter!

Enter your Email

Leave a Reply

Your email address will not be published. Required fields are marked *

  1. Catherine Coulson
    October 11, 2018 at 7:53 am

    Keeping up to date with what your children are doing online can seem daunting. Technology is constantly advancing and sometimes parents feel that their children know more about the internet than they do.

    As I wrote at https://itrate.co, whatever their age, we can help you to find out more about what they might be doing online and give you some simple, practical and easy advice on the steps you can take as a parent to keep them as safe as possible.