In less than 3 weeks, I’ve had to (like many others, I’m sure) change my Facebook password after receiving the message below and being unable to access my account:
In the first incident, reported on March 21, it emerged that Facebook had erroneously stored “hundreds of millions” of passwords in plaintext, unprotected by any encryption. The social media firm soon admitted the incident: its VP in charge of Engineering, Security and Privacy, Pedro Canahuati, stated that during the social network’s “routine security review in January,” they had found that some user passwords were being stored in a readable format within their internal data storage systems.
“This caught our attention because our login systems are designed to mask passwords using techniques that make them unreadable. We have fixed these issues and as a precaution we will be notifying everyone whose passwords we have found were stored in this way,” noted Canahuati.
But now, less than a month later, another breach has occurred: unsecured personal data has been found lying around in the cloud, according to Naked Security, the Sophos IT security blog.
“These breaches happened through plain old carelessness – databases hosted in the cloud and apparently almost casually left open to the world… That’s like running your own servers in your own server room, but leaving the server room door unlocked with a big sign on it saying, ‘Free admission. Please don’t be naughty,’” notes Naked Security’s Paul Ducklin sarcastically in a post, adding:
“In fact, it’s like copying critical data from your own servers onto a whole boxful of unencrypted USB drives and walking round a Dark Web convention handing them out to all and sundry.”
According to UpGuard, the leak-seeking cybersecurity company which also discovered the March 21 leak, this latest leaked data trove belongs to:
- Cultura Colectiva, a Latin American social networking collective, which spilled a giant database of more than 500 million entries, probably covering millions of users (the site itself claims 45 million subscribers). The data apparently included Facebook IDs, likes, friends and more.
- At the Pool, a Facebook app that seems to have died out back in 2014, leaving its collected data orphaned and exposed. This data apparently included names, email addresses, Facebook IDs and passwords (not Facebook passwords, but stored in plaintext).
And so, in the face(off?) arising between users and the social network over the sensitivity of the exposed data, what can those with Facebook accounts do as a remedy? Here’s what to do, as advised by Naked Security:
- Review your Facebook apps and their permissions right now. Go to Apps and Websites from the left-side menu, and use the list of apps and websites, if any, to view and update the info they can request or to remove the apps and websites you no longer want.
- Review your privacy settings more generally while you’re about it. Use the Privacy menu item on the Settings screen to access the Privacy Settings and Tools page.
- Turn on 2FA if you haven’t already. Because you can. Use the Security and Login page to set yourself up. You can hand over your mobile phone number for SMS login codes, use an authenticator app, or set up a login token like a Yubikey if you have one.
Plus some general (but still useful) thoughts for the many app producers and consumers out there, all courtesy of the post by Paul Ducklin:
- If you’re an app developer, whether of Facebook apps, Google Play apps or software for any other platform, stop seeing security as a cost to be driven down. Make it a value that you can use to establish your trustworthiness.
- If you’re an app user, learn to be selective. Choose apps from companies that have earned your trust rather than simply claiming it. Avoid apps just because they’re fun or cool. Less is more.
- If you’re an app enabler like Facebook, regardless of the scale of your operation, remember our plea from April 2011, “We would like: vetted app developers”. Rapid signup procedures for developers may be egalitarian and convenient, but they seem so often to end in tears.
But even as we, as users, take the above steps and other useful precautions to guard our accounts from unauthorized access, the ultimate responsibility for these rampant breaches rests with Facebook. And this should not be lost on anyone.