Early morning on Saturday, Sept 29, I took my phone and went online on Facebook to catch up with the day’s updates. To my surprise, I was logged out, both on Messenger and on the main Facebook app. The message I got said something like: my session had expired, and I needed to log back in.
The first thing that came to mind was that someone, somewhere, must have tried to log into my account, and Facebook’s security system had picked up the attempt and logged me out of all my devices. So I logged in as instructed, but at the top of my News Feed on the main Facebook app there was a security alert from Facebook.
Apparently, whatever was happening to my account was happening to potentially 50 million users across the globe. The social network had been attacked and, from the looks of things, the attack was successful: whoever the attackers were, they managed to take over some Facebook users’ accounts.
The attackers apparently exploited a vulnerability in Facebook’s ‘View As’ feature – the one that lets you view your profile as other users see it – and took over the accounts of some people. Facebook assures us that it has since closed that security loophole, and that by logging you out and asking you to log back in, the matter should be resolved. The loophole was closed by Facebook temporarily disabling the ‘View As’ feature; check to see if it is back up, though I doubt it.
What Was the Damage and How Can You Protect Yourself?
I don’t know about you, but the assurance given by Facebook just does not suffice, especially when you consider that most people use Facebook to log in to other websites and services. The attackers successfully took the Facebook access tokens of potentially 50 million users.
An access token lets whoever holds it use an account without supplying the password. Facebook did react in time and reset the access tokens for all the affected accounts (the 50 million), which is why you saw the ‘Session Expired’ message and found yourself logged out of your account.
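To make that point concrete, here is an added illustration (my own toy code, not Facebook’s implementation, and deliberately simplified): a token service in which each account carries a generation counter, so that bumping the counter for the affected accounts invalidates every outstanding token at once while the password stays untouched. Names such as `TokenService` and `reset_tokens` are mine.

```python
from __future__ import annotations

import hashlib
import secrets
from dataclasses import dataclass


@dataclass
class Account:
    user_id: str
    password_hash: str
    token_generation: int = 0  # bumped once to invalidate every token issued so far


class TokenService:
    """Toy access-token store, constructed for illustration only."""

    def __init__(self) -> None:
        self.accounts: dict[str, Account] = {}
        # token -> (user_id, generation the token was issued under)
        self.tokens: dict[str, tuple[str, int]] = {}

    @staticmethod
    def _hash_password(password: str) -> str:
        # A real system would use a slow, salted hash (bcrypt/scrypt/argon2);
        # plain SHA-256 keeps this example dependency-free.
        return hashlib.sha256(password.encode()).hexdigest()

    def register(self, user_id: str, password: str) -> None:
        self.accounts[user_id] = Account(user_id, self._hash_password(password))

    def login(self, user_id: str, password: str) -> str | None:
        """Password check; on success a fresh access token is issued."""
        acct = self.accounts.get(user_id)
        if acct is None or acct.password_hash != self._hash_password(password):
            return None
        token = secrets.token_urlsafe(32)
        self.tokens[token] = (user_id, acct.token_generation)
        return token

    def validate(self, token: str) -> str | None:
        """Bearer check: no password involved, which is why a leaked token matters.
        Returns the user id, or None for an unknown or stale token ('session expired')."""
        entry = self.tokens.get(token)
        if entry is None:
            return None
        user_id, issued_generation = entry
        if issued_generation != self.accounts[user_id].token_generation:
            return None
        return user_id

    def reset_tokens(self, user_ids: list[str]) -> None:
        """Incident response: every token of the listed accounts stops working,
        every device must log in again, and no password change is needed."""
        for uid in user_ids:
            self.accounts[uid].token_generation += 1
```

A token copied before the reset validates right up to the moment `reset_tokens` runs, and is refused afterwards even though the password still works, which is exactly the behaviour the article describes.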
Since it reset the access tokens, Facebook did not feel the need to tell affected users to change their passwords: simply log back in, and everything returns to normal. Still, after logging back in, here are a few recommendations we at Innov8tiv would advise you to follow.
#1 – Check the Records of Previous Logins
Assuming you have logged back into your Facebook account (for the purposes of this demonstration, on the Facebook website on your desktop), go to the link below:
Now check whether all the listed devices and locations match your own activity over the previous few days or weeks. If you see a device or location that does not match, do the following:
>Click the three dots located on the right of the session(s) you find suspicious
>Then select ‘Log Out’ from the menu.
Doing so logs out whichever device and location you consider suspicious: whoever is accessing your account from that device and location is kicked out of your account.
#2 – Take Advantage of Facebook’s Built-in Precautionary Measures
If you didn’t know, now you do: Facebook has built in some pretty impressive precautions that will help keep your account safe. They are as follows:
Two-Factor Authentication: You have the option of adding an extra layer of security to your account. Whenever you log in from a new device (or from a device you haven’t used in a while), you will need to type in your password, and Facebook will then text or email you a unique one-time code, which you use to complete the login. I strongly recommend activating this option: while it might be hard for someone to get your password, it is harder still for them to get your password and have access to your phone and/or your email at the same time.
Get Alerts on Unrecognized Logins: Someone might bypass the precaution above if they managed to get your password and also had access to your email and/or phone. Enable alerts on Facebook to get a notification whenever someone accesses your account from an unrecognized device or location.
Authorized Logins: Under the Facebook security settings, review the list of devices and browsers that do not require a login code. Remove any you no longer use, so that logging in from them again will require a login code.
I should also point out that for two-factor authentication to work, you must give Facebook your phone number. It has been reported that Facebook uses that number for advertising purposes: apparently advertisers upload a list of their customers’ phone numbers, and if your number is on that list, Facebook will show you targeted ads from those advertisers.