Posts

Today, Facebook announced a recently discovered security breach that relied on an open vulnerability in the platform’s coding. The “View As” feature, which lets users see their own profiles in the way that others see them—without all of the extra admin sidebar content that lets you control your wall—contained script that allowed hackers to use around 50 million accounts.

Facebook first closed the vulnerability and forced a re-login for the 50 million affected accounts. Then, they repeated the forced login for an additional 40 million accounts that didn’t seem to have been affected but that had used the View As feature.

From there, Facebook shut down the View As feature until they can secure it from further fraudulent use.

According to a report about the incident from Facebook, “Our investigation is still in its early stages. But it’s clear that attackers exploited a vulnerability in Facebook’s code that impacted ‘View As,’ a feature that lets people see what their own profile looks like to someone else. This allowed them to steal Facebook access tokens which they could then use to take over people’s accounts. Access tokens are the equivalent of digital keys that keep people logged in to Facebook so they don’t need to re-enter their password every time they use the app.”

Whether you hear anything official from the company or not, there are some actionable steps you should take. First, change your password—which you really should be doing routinely in order to maintain your privacy and security. Any apps that you’ve connected to Facebook (you’ll know you’ve done this if you are able to log into it with your Facebook account) need to be force closed and logged out; it’s a good idea to a) change your password on those if you have one, and b) revoke the permission for Facebook to connect with it by going into your Facebook settings and removing it. Go into your settings and find all of the current devices you are logged into ( see screenshot above) and click “Log out of all devices” to ensure that no one with bad intentions may still be logged in to your account.

Finally in this case, changing your password means that you are changing the tokens on your devices that allow you to stay logged in. By doing this, it should update the tokens that might have fallen into the hands of bad-actors that might want the valuable personal information that would be in your Facebook profile. Remember, periodic proactive checks to your privacy and security settings will help you stay one step ahead of the identity thieves.


Contact the Identity Theft Resource Center for toll-free, no-cost assistance at (888) 400-5530. For on-the-go assistance, check out the free ID Theft Help App from ITRC.

Read next: The Harm in Hoaxes on Social Media

The high-tech world of hacking means the bad guys have a lot of digital tools at their fingertips. Now more than ever, the automation behind stealing your account access means consumers need to practice the strongest password security they can.

Unfortunately, some consumers have continued to ignore years of expert warnings when it comes to password strength. SplashData, who publishes the annual list of the most commonly used passwords as compiled from leaked credentials, found that in 2017, “123456” was still the world’s most common password. That was followed by “Password,” “12345678” (thanks to websites that are trying to protect their users by requiring longer passwords), “qwerty,” and others, such as “admin” and “letmein.”

“But ‘password’ is so obvious that no hacker would ever think I’d use that… right?” Sadly, that’s not how credential cracking works.

The term credential cracking refers to the systematic, automated breaking of your username and password with the use of high-speed bots. Following a large-scale data breach, a hacker simply uses a large database of usernames and allows the computer to “guess” the passwords for each one. Some credential cracking software can make billions of guesses per second.

In short, no one is sitting at a computer with your username, typing in guess after guess until they reach your password. Their software does it for them and it does it with fairly strong results. There has even been a reported uptick in the numbers of failed login attempts on major consumer websites following large-scale data breaches, indicating that hackers are using the stolen information and their bots to “guess” passwords.

As bad as this development is, it’s not the only bad news. If you’re one of the many consumers who reuses passwords, any cracked credentials that a hacker has on you can lead them right to your other accounts. Using stolen information and cracking tools to guess your email or social media login, for example, would also give the hacker access to your Amazon, PayPal, online banking or other sensitive accounts if you’re reusing your password.

In order to fight back against this high-tech break-in, your account passwords must be strong and unique. Lengthy strings of uppercase and lowercase letters (that do NOT spell a word!) combined with some non-sequential numbers and symbols can help ward off even the most devoted little bot. Using that password on only one account is crucial to preventing multiple accounts from coming under attack.


Contact the Identity Theft Resource Center for toll-free, no-cost assistance at (888) 400-5530. For on-the-go assistance, check out the free ID Theft Help App from ITRC.

Peer-to-peer payment apps, or P2P apps, are a convenient way to share funds with people. It might be a friend who bought those Taylor Swift concert tickets for your kid’s birthday present on your behalf, someone who owes you money for picking up the tab at lunch last week, or even a way to conduct business transactions like selling a piece of furniture or handmade crafts. One of the increasingly popular uses for P2P apps is when multiple people have to “chip in” to pay for a single item, like a hotel room, cruise ship cabin, or baby shower gift for a co-worker.

Though convenient, P2P platforms have been scrutinized for their potential security concerns. As a platform that is connected to some type of payment account, they’re a golden ticket for hackers. When you create your account on a P2P site, you will link a credit card, debit card, or bank account in order to deposit and withdraw funds; if a hacker gains access to your P2P account, they have access to a more serious form of your finances.

If you plan to take advantage of this handy payment method, you’ve got to use some precautions. The very first is your password security, which is always a good idea. Whether it’s an app account, your email account, or any other online portal, a strong and unique password is a must. A strong password contains a lengthy combination of uppercase letters, lowercase letters, numbers, and symbols, typically between eight and twelve characters in length. A unique password means that you don’t use it on other sites, no matter how tempting that may be.

Once your account is secured with a strong, unique password, it’s important to monitor all activity in case someone still manages to get in. You can set up transaction alerts to let you know right away if your account has been used, and you can schedule some time to log in and take a quick look each week. If you see activity that you don’t recognize, report it immediately.  Deposits you weren’t expecting, not just withdrawals or purchases, can still be a sign that someone is in your account.


Contact the Identity Theft Resource Center for toll-free, no-cost assistance at (888) 400-5530. For on-the-go assistance, check out the free ID Theft Help App from ITRC.

In a large-scale data breach, hackers may be after a variety of things. It might be sensitive data like personal identifiable information, email addresses and passwords or the answers to common security questions. It can also be slightly less sensitive but still usable information like payment card credentials and home addresses.

But what do hackers actually do with this information? Sometimes they use that data themselves and in other cases, they will sell it or hold it for ransom from the company it was stolen from. Payment card data can have a narrow window of opportunity for use since financial institutions may cancel those account numbers once they discover the breach.

There’s another way that credit cards have been used following a data breach, one that steals additional benefits from the victim. The theft of airline miles or bonus points tied to the victims’ credit cards may go unnoticed because most consumers don’t think to monitor their extra perks; once the hackers have stolen the account credentials, they can use or sell the additional perks on those accounts.

One of the first steps to protecting your perks accounts is to secure it with a strong password, one that you don’t use on other accounts and that you change frequently. By protecting this account and others, you’ll help prevent a breach of your accounts as well as stop a thief who bought old information on the dark web from a database of previously hacked information.

Another key step is to take some time to monitor these accounts from time to time. Thieves get away with it because too often we happily store up those miles or bonus points for a large trip or a major purchase. Monitoring your points from time to time can help you not only keep track of how far you have to go to reach your perks goal, but also lets you stay on top of any problems that arise.

If you do find out that someone has tampered with your perks account, contact your credit card issuer immediately and change your password on this or any account that uses those same login credentials. This could actually be the first sign that someone has accessed your credit card account, so it’s a good idea to order a copy of your credit report, too.


Contact the Identity Theft Resource Center for toll-free, no-cost assistance at (888) 400-5530. For on-the-go assistance, check out the free ID Theft Help App from ITRC.

What is considered valuable in terms of personal information has continually shifted definition for decades. At the Identity Theft Resource Center, educating consumers about the value of personal information is one of our top priorities. We often find that many consumers are unaware that having your Social Security number (SSN) exposed in a data breach is far more dangerous than having credit card or debit card information exposed. In addition to your SSN, other personal information that is regularly overlooked are login credentials (i.e. usernames and passwords), which can lead to other information being stolen using a method referred to as “credential cracking.”  This form of hacking is very widespread and more insidious than most Americans realize.

The Open Web Application Security Project defines “credential cracking” as a method that cybercriminals use to “identify valid login credentials by trying different values for usernames and/or passwords.” This is important considering that, according to the 2017 Verizon Data Breach Incident Report, 80 percent of hacking related data breaches were carried out using either stolen passwords and/or weak or guessable passwords. This means that cybercriminals attempt to gain access to a consumer’s account using educated guesses. How does someone make an educated guess about another person’s passwords? There are a couple of ways that this is done and it’s a lot easier than one might think. For example, criminals can use software that runs every word in the dictionary through authentication in hopes that a consumer has used a simple word as their login credentials.  Another way that cybercriminals make educated guesses on login credentials is to use common passwords. Unfortunately, this is successful as consumers continue to use passwords such as “password” or “1234567”. Another way that hackers crack credentials, which is the most pertinent to the focus on the value of personal information, is the use of breached login credentials.

In 2017, there were nearly 179 million pieces of personal information stolen, lost or exposed in data breaches. The use of breached login credentials by hackers is pertinent to the value of personal information because it transforms our ideas of what information is the most dangerous to have stolen by hackers or lost in a data breach.  For example, consumers would most likely consider having their tax information lost or stolen in a breach far more dangerous than having their Yahoo or Gmail account credentials stolen. However, the use of “credential cracking” shows us that one can be just as dangerous as the other.

In order to understand why this can be so detrimental, consumers should first think about the login credentials, most commonly this is a username and password, they use on their online accounts. While the best practice is that consumers use different login credentials on each of their accounts, this often isn’t a reality. How many consumers use the same username and password for their Facebook account as they do for their online banking? Even those who may think they are being safe by using different passwords often only use one or two slight modifications, such as the addition of a punctuation mark or another number to their commonly used passwords. When this is the case, all that a cybercriminal has to do is get their hands on the login credentials for one account and they have the key to open many accounts, which may be far more dangerous than the initial account which was compromised. This is crucial for consumers to understand. It shows why each piece of personal information, even something as seemingly useless as the login credentials for an old Twitter account you no longer use can spell big trouble. This is why we stress that consumers need to protect all the components of their personal information because they all have value. Of course, don’t hand out your SSN as you would your email address. The best strategy is to continue to guard that information as incredibly sensitive as well as protecting other personal information.

Our reminder to you is that every single piece of personal information has value. While the login credentials to your social media accounts may not initially cause the damage that an exposed SSN or banking account information will, with a little work from criminals those social media login credentials can lead to exposing more forms of personal information. Each piece of personal information is like a puzzle piece or clue which can be put together to cause serious damage in the form of identity crime.  So, while the value of a SSN, or other sensitive personal information, is far more valuable in the eyes of identity thieves, an email password has value as well. Both can lead to having your identity stolen. Consumers must understand that each piece of personal information or data has value and protect it.


Contact the Identity Theft Resource Center for toll-free, no-cost assistance at (888) 400-5530. For on-the-go assistance, check out the free ID Theft Help App from ITRC.