Facebook hack: what you need to know

Written by: Paloma Kubiak

Facebook has confirmed it discovered a data breach last week affecting 50 million accounts. Here are the details so far and what you need to do.

The social media giant said that on the afternoon of Tuesday 25 September, its engineering team discovered a security issue affecting nearly 50 million accounts.

However, at this stage of its investigation, it’s not clear how many UK users were impacted.

It explained that hackers exploited a vulnerability in its code, which meant that its ‘View As’ feature was compromised. The feature lets people see what their own profile looks like to someone else.

Scammers were then able to access ‘tokens’, which they could use to take over users’ accounts.

Since the issue has come to light, Facebook said it has reset the access tokens of nearly 50 million accounts, and it is also resetting these tokens for another 40 million accounts.

This means that nearly 90 million people using the app will need to log back in to access their accounts. If you’re asked to do this, it means you’re affected.

Facebook added that it doesn’t know who is behind the attack or whether personal information has actually been accessed.

But Adam French, Which? consumer rights expert, said: “Anyone concerned they could be at risk as a result of the hack should consider changing their password, monitor bank and other online accounts and be wary of emails regarding the breach as scammers may try to take advantage of it.”

Guy Rosen, VP of product management at Facebook, said: “People’s privacy and security is incredibly important, and we’re sorry this happened. It’s why we’ve taken immediate action to secure these accounts and let users know what happened. If we find more affected accounts, we will immediately reset their access tokens.”

Bupa fined for data breach

Separately, the Information Commissioner’s Office (ICO) has fined Bupa £175,000 for failing to have effective security measures, which resulted in half a million customer records being sold on the dark web.

Between 6 January and 11 March 2017, a Bupa employee sent names, dates of birth, email addresses and nationality information of 547,000 customers to his personal email account. This information was then offered for sale online.

The data was spotted online and Bupa and the ICO received 198 complaints about the incident.

ICO director of investigations, Steve Eckersley, said: “Bupa failed to recognise that people’s personal data was at risk and failed to take reasonable steps to secure it.

“Our investigation found material inadequacies in the way Bupa safeguarded personal data. The inadequacies were systemic and appear to have gone unchecked for a long time. On top of that, the ICO’s investigation found no satisfactory explanation for them.”