Just a few weeks ago, Facebook suffered a massive data breach, initially estimated at more than 50 million accounts and later revised to about 30 million. The breach stemmed from a bug in Facebook's View As feature, which lets users check how their own profiles appear to other people. The bug handed attackers access tokens, the credentials Facebook issues to keep users logged in. Whoever holds a user's access token can act as that account without knowing the user ID or password, because the token itself is the proof of identity the site checks on every request.
In Facebook's official announcement about the breach, they wrote:
First, the attackers already controlled a set of accounts, which were connected to Facebook friends. They used an automated technique to move from account to account so they could steal the access tokens of those friends, and for friends of those friends, and so on, totaling about 400,000 people. In the process, however, this technique automatically loaded those accounts’ Facebook profiles, mirroring what these 400,000 people would have seen when looking at their own profiles. That includes posts on their timelines, their lists of friends, Groups they are members of, and the names of recent Messenger conversations. Message content was not available to the attackers, with one exception. If a person in this group was a Page admin whose Page had received a message from someone on Facebook, the content of that message was available to the attackers.
The attackers used a portion of these 400,000 people’s lists of friends to steal access tokens for about 30 million people. For 15 million people, attackers accessed two sets of information – name and contact details (phone number, email, or both, depending on what people had on their profiles). For 14 million people, the attackers accessed the same two sets of information, as well as other details people had on their profiles. This included username, gender, locale/language, relationship status, religion, hometown, self-reported current city, birth date, device types used to access Facebook, education, work, the last 10 places they checked into or were tagged in, website, people or Pages they follow, and the 15 most recent searches. For 1 million people, the attackers did not access any information.
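To make the mechanics concrete, here is an added toy model (written for this page, not Facebook's code) of two things described above: a bearer token that acts as the account with no password involved, and a View As style bug that mints a token for the person being viewed rather than the viewer, which an automated crawl over friend lists then turns into tokens for every reachable account. The friend graph, the TokenService class, the names harvest and reset_all_tokens, and the view_as_vulnerable/view_as_fixed pair are all constructed for illustration.

```python
"""Toy model of bearer access tokens and a View As style impersonation bug.

Constructed example, not Facebook's code. The deliberate bug is that the
preview 'as' another user mints a token bound to the *viewed* user, so the
caller walks away with a credential for that account. A breadth-first
crawl over friend lists then turns one seeded account into tokens for the
whole connected component, which is the 'account to account' movement
described in the announcement. Resetting tokens invalidates the haul.
"""
import secrets
from collections import deque


class TokenService:
    def __init__(self, friends):
        self.friends = friends   # user -> set of friends (constructed graph)
        self.tokens = {}         # token -> user the token acts as

    def login(self, user):
        """Normal login: password checked elsewhere; returns a bearer token."""
        tok = secrets.token_hex(16)
        self.tokens[tok] = user
        return tok

    def whoami(self, tok):
        """Any holder of a valid token acts as that user; no password needed."""
        return self.tokens.get(tok)

    def friends_of(self, tok):
        user = self.whoami(tok)
        if user is None:
            raise PermissionError("invalid token")
        return set(self.friends[user])

    def view_as_vulnerable(self, viewer_tok, target):
        """BUG: builds the preview by minting a real token *for target*."""
        if self.whoami(viewer_tok) is None:
            raise PermissionError("invalid token")
        return self.login(target)   # hands the caller target's credential

    def view_as_fixed(self, viewer_tok, target):
        """Fix: render the preview under the viewer's own identity and return
        data only; never issue a token for another principal."""
        viewer = self.whoami(viewer_tok)
        if viewer is None or target not in self.friends[viewer]:
            raise PermissionError("preview allowed only for your friends")
        return {"preview_of": viewer, "as": target}

    def reset_all_tokens(self):
        """Incident response: invalidate every outstanding token."""
        self.tokens.clear()


def harvest(svc, seed_tok):
    """BFS over friend lists abusing the bug; returns user -> stolen token."""
    stolen = {svc.whoami(seed_tok): seed_tok}
    queue = deque([seed_tok])
    while queue:
        tok = queue.popleft()
        for friend in svc.friends_of(tok):
            if friend not in stolen:
                stolen[friend] = svc.view_as_vulnerable(tok, friend)
                queue.append(stolen[friend])
    return stolen


# Constructed graph with two components: attacker seeds 'alice' and can only
# reach alice's component, never dave/erin.
FRIENDS = {
    "alice": {"bob"}, "bob": {"alice", "carol"}, "carol": {"bob"},
    "dave": {"erin"}, "erin": {"dave"},
}


def demo():
    svc = TokenService(FRIENDS)
    seed = svc.login("alice")                 # one account already controlled
    stolen = harvest(svc, seed)
    reached = set(stolen)
    works_before = all(svc.whoami(t) == u for u, t in stolen.items())
    svc.reset_all_tokens()                    # what the platform does after
    works_after = any(svc.whoami(t) for t in stolen.values())
    return reached, works_before, works_after


if __name__ == "__main__":
    print(demo())
```

Running demo() shows three accounts reached from one seed, every stolen token accepted as that user before the reset, and none accepted afterwards. The hardened view_as_fixed never returns a token at all, which is the property that matters: a preview is data, not a credential.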
The haul was enormous. Roughly 15 million users had their names and contact details (phone number, email, or both) exposed. Another 14 million had, on top of that, their username, gender, locale, relationship status, religion, hometown, current city, birth date, device types, education, work, the last 10 places they checked into or were tagged in, website, the people or Pages they follow, and their 15 most recent searches exposed. For the remaining 1 million, no information was accessed. Privacy settings were no defence here: an attacker holding a valid access token sees the account as its owner does, not as the public does.
Is your account safe now? The stolen tokens themselves no longer work, since Facebook reset the access tokens of the affected accounts, which is why those users were logged out and had to sign in again. But experts are saying that even two-step authentication is not enough on its own, because SMS codes can be intercepted by an attacker who ports your phone number to a SIM they control. You should add a PIN to your cellular account.