540 Million Facebook Records Left Exposed
Researchers discovered likes, comments, and IDs from Facebook users unprotected on the internet
Personal information about Facebook users has been mishandled yet again.
Researchers at UpGuard, a cybersecurity firm, reported Wednesday that they discovered more than 540 million individual Facebook records stored unprotected on the internet by third-party developers. The data included people's likes, comments, and user names.
UpGuard found two different data sets. The bigger, 146-gigabyte trove had been collected from Facebook by a Mexican media company, Cultura Colectiva. The second, much smaller data set came from a Facebook-integrated app called At the Pool, which ceased operation in 2014. Both data sets were being stored through Amazon's cloud-computing subsidiary.
What You Should Do
"It might be a good idea to change your Facebook password," says CR's Brookman, who adds that reusing your Facebook password for other accounts is a very bad idea.
To do that on a computer, click on the question mark icon in the top right corner of your Facebook page, then scroll down to Privacy Shortcuts and Change Your Password.
While you're at it, consider clicking on Use Two-Factor Authentication. That makes it significantly more difficult for someone to break into your account, because you need a verification code—sent via text or an app—to confirm your identity anytime you access Facebook from a new location, device, or browser.
One caveat: In 2018, researchers discovered that Facebook may use phone numbers collected for two-factor authentication for advertising purposes. And more recently, security experts noticed that Facebook allows other users to look up your profile using those numbers, too.
If you haven't already given Facebook your number, says Bobby Richter, who heads Consumer Reports’ privacy and security testing, it’s better to use an app such as Duo Mobile or Google Authenticator for two-factor authentication. Those options are available in the settings for Facebook, which can be accessed by clicking on the down arrow icon in the top right-hand corner of your Facebook page.
In the wake of the Cambridge Analytica scandal, Facebook withdrew access to personal data from any third-party app that users hadn’t logged in to for 90 days. It also limited apps with Facebook Login access from requesting any info beyond a user's name, profile picture, and email address without an official app review.
Brian Vecci, a top executive at the security firm Varonis, recommends that consumers check which apps are currently collecting data from their accounts and revoke access for those that don't need it.
Here's how you do that: On a computer, click on the downward arrow at the top right of your Facebook page and choose Settings > Apps and Websites > Active. Click on the box next to any app you wish to cut off from data collection and hit Remove.
Once you do that, you will no longer be able to access the app using your Facebook Login, so create a new login and password for each app before making changes.