Is Facebook losing face over security and privacy problems? The site is the source of a new data breach affecting 50 million accounts. One hacker plans to delete Zuckerberg’s account. And how your phone number is used to target you with ads.
Almost 50 million Facebook accounts were compromised in a new data breach revealed on Friday, the social networking site confirmed. Facebook engineers discovered the breach last Tuesday and patched it on Thursday. Users who were affected by the breach will be notified. Here’s how the vulnerability worked: Attackers were able to steal access tokens through Facebook’s “View as” feature, which allows you to see how your account appears to others. The flaw allowed the attackers to take over victims’ accounts. Facebook says it’s sorry this happened. It suggests that as a precaution, you could log out of Facebook. Questions still remain around the extent of the breach. For example, could it have affected services that allow users to log in with Facebook accounts?
Facebook’s security concerns don’t stop there. Yesterday, a white-hat hacker planned to delete Mark Zuckerberg’s account from Facebook. Chang Chi-yan told his 26,000 followers on Facebook that he’d live-stream the event. He’s a well-known bug bounty hunter based in Taiwan. Facebook does have a bug bounty program, but I don’t think this is what they have in mind for reporting vulnerabilities. I’m recording this on Friday afternoon, so by the time this podcast airs on Monday morning, we’ll see if Zuckerberg’s account is deleted or not. [Editor’s Note — The hacker changed his mind about the live broadcast and Zuck’s account is still online this morning.]
Finally, despite previously saying it doesn’t use contact information provided for security purposes to target advertising, a new investigation finds that Facebook is doing so. Researchers from Northeastern University and Princeton University worked with Gizmodo reporters and found that Facebook is harvesting user phone numbers in two different ways. There’s two-factor authentication, when you use your phone number to help log in; and shadow contact information. We told you about the shadow contacts on Friday. Researchers found that phone numbers used for two-factor authentication were able to be targeted by advertisers about two weeks after being submitted. It’s worth noting that Facebook no longer requires you to provide a phone number to use two-factor authentication. And if you’re currently using it to secure your Facebook account, don’t turn it off.