Facebook and Google Plus Breaches: What It Means for You

Security bugs in Facebook and Google Plus have allowed the personal data of users to be compromised and it could affect a lot more than just those platforms. Find out what is going on, how it affects you and what to do about it.

The Facebook Hack

On September 28th, Facebook announced that 50 million accounts were hacked due to a security loophole. The problem came from a bug in the ‘view as’ feature, which allows users to look at their profile as if they were a member of the public and not the account owner.

Hackers were able to exploit the ‘view as’ feature to gain access to accounts, as well as access to any app account which uses Facebook as its way to log in.

The Google Plus breach

On October 8th, Google announced that between 2015 and March 2018 half a million Google Plus profiles had the possibility of app developers viewing what should have been private data. In clearer terms, a bug in the system allowed apps to access the name, email address, occupation, age, gender and more, associated with an account when access was not marked public by the user.

What do the Facebook and Google Plus breaches mean for me?

For Facebook, it means that hackers may have gained access not only to your Facebook account details, but also to any associated accounts. Apps like Instagram, Tinder, or Spotify, allow you to “sign in using your Facebook account”. As a result, each one of those accounts (there are roughly 100,000 apps that use Facebook as their gatekeeper) could potentially be hacked if your Facebook account was breached.

The Google Plus breach is less concerning but only slightly. According to Google, private information was made visible, but not passwords. However, the breach still leaves users vulnerable as much of the information required for identity theft was made accessible during the almost 3 year security bug.

What Facebook has to say about its login service after the hack

On October 2nd, Guy Rosen, a vice president of Facebook, released a statement saying that they have found no evidence that other sites have been compromised, yet they are working on a solution to delve deeper into the matter.

Unfortunately, this reassurance only goes so far. As 50 million accounts were breached before Facebook’s security team could identify and stop the attack, it is fair to assume that the hackers had plenty of time to collect sensitive data.

This isn’t running into a store and stealing the tip jar, this is an organized data heist. So whether the criminals are waiting on the information they obtained for some future purpose, or the worst has passed, only time will tell.

What does Google have to say about their Breach?

The most notable consequence of Google’s breach is the shutting down of Google Plus for consumers over the next 10 months. As for the breach itself, the official statement, written by the Vice President of Google Engineering Ben Smith, declares that they have found no evidence that any profile data was misused, and that the issue was fixed soon after its discovery last March.

Regrettably, there are still concerns related to the official statement. Due to the fact that Google Plus data is only kept for two week periods, Google cannot pinpoint which users were affected by the bug. Likewise, the half a million can only be said to be “potentially affected”.

This lack of precision, as well as the delay in notifying the public of the issue, is rightly cause for concern. However, like the Facebook breach, we will have to see whether the bug will result in hackers using that private information to harm individuals or if the companies truly have fixed the problem.

In the meantime, there are things you can do to protect your future.

What should I do to protect myself after the Facebook and Google Plus Breaches?

First, consider stopping to use Facebook and Google as your way of creating new accounts, or logging in to existing accounts other than Google and Facebook. If you've enabled this login system on your own website for your clients, you may want to remove it. Ultimately you'd be trading off some convenience for added security, which considering the latest news, might be a wise choice.

The concern is the same as using one username and password for multiple accounts, i.e. if one account is compromised, then all accounts are compromised. Don’t do it.

For security and convenience, a password manager, like LastPass or KeePass, is generally the way to go. They can be further secured through 2-factor authentication (see point 4).

Second, try to change passwords every 6 months or so. This will allow you to worry less when breaches like these arise.

Third, make sure that the password is long and contains letters, numbers and symbols. The longer a password is and the more diverse it is, the harder it is to find.

Having a strong password is so important that California has started to put through legislation demanding that companies create and enforce strong, default passwords for Internet-connected devices and expose companies failing to do so to potential lawsuits.

Fourth, enable two factor authentication when possible. This provides an extra layer of security when an unwanted guest tries to access one of your accounts.

Stay safe,