Dubai: Residents in the UAE have been advised to take precautionary steps to keep their social media accounts secure -- and to be careful about what they share online -- following reports of a security breach affecting millions of Facebook users.
The social networking platform announced on Friday that at least 50 million and potentially up to 90 million of its members have been exposed to hackers.
The breach was the largest in Facebook’s history and gave fraudsters the ability to take over user accounts: view their private messages, post on their wall or profile, and log into other apps.
Should UAE users be worried and proceed with caution?
According to Facebook, it’s not yet clear whether any accounts have already been misused by the hackers, but security experts based in the UAE advised that it is better to take precautionary steps.
“Attackers could have gained the ability to impersonate affected users,” Nicolai Solling, chief technology officer (CTO) of Help AG, warned.
Among other things, users should always be cautious when posting pictures, messages or videos online, said one industry source.
The UAE already has stringent privacy rules on the sharing of data on social media platforms, which means users in this part of the world are already cautious about what they put out there through Facebook.
But it always pays to think before posting.
Understanding UAE cybercrime law
“Users need to continually evaluate the type of data they share and the potential impact a breach of that data could cause, to become an active participant in protecting their own online identities,” said Richard Ford, chief scientist at Forcepoint.
He said the latest security breach affecting Facebook users illustrates a fundamental truth of the new digital economy: when a person shares his personal data with a company, he is putting his trust in the platform’s ability to protect that data adequately.
The Dubai Police had earlier arrested a man for posting on social networking sites a video of a person crying at a customer care centre of the Roads and Transport Authority (RTA). Publishing offensive images and remarks, as well as fake news online could also invite a hefty fine.
What actually happened?
Facebook said fraudsters managed to exploit the platform’s “View As” feature, which enables users to check out what their page or profile looks like to their friends or other users, and stole “access tokens.”
Access tokens let a user stay logged in to an account without re-entering a password, which means anyone holding a stolen token could potentially take full control of that person’s profile. After discovering the breach, Facebook invalidated the stolen tokens, automatically logging out whoever was using them.
“As a precautionary measure, Facebook automatically invalidated the authentication tokens of exploited users, meaning they were automatically logged out,” said Solling.
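The mechanism described above, as an added illustration that is not part of the article and not Facebook’s own code: a minimal server-side access-token store in which a token stands in for a password, only a hash of each token is kept at rest, and invalidating a user’s tokens forces a logout for whoever holds them. The class name, the scenario and the `alice` user are constructed for this example.

```python
import hashlib
import secrets
import time
from typing import Dict, Optional, Tuple


class AccessTokenStore:
    """Hypothetical server-side registry of bearer access tokens.

    Only the SHA-256 digest of each token is stored, so a copy of this table
    alone cannot be replayed as a login. Each token carries an expiry, and all
    tokens of a user can be invalidated at once, which is what logs an account
    out everywhere (attacker's sessions included).
    """

    def __init__(self, ttl_seconds: int = 3600):
        self.ttl = ttl_seconds
        # digest of token -> (user_id, expiry as unix time)
        self._tokens: Dict[str, Tuple[str, float]] = {}

    @staticmethod
    def _digest(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, user_id: str, now: Optional[float] = None) -> str:
        """Create a fresh random token for user_id and hand it to the client."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        self._tokens[self._digest(token)] = (user_id, now + self.ttl)
        return token

    def resolve(self, token: str, now: Optional[float] = None) -> Optional[str]:
        """Return the user a token belongs to, or None if it is unknown,
        expired or has been invalidated. No password is involved."""
        now = time.time() if now is None else now
        key = self._digest(token)
        entry = self._tokens.get(key)
        if entry is None:
            return None
        user_id, expires_at = entry
        if now >= expires_at:
            del self._tokens[key]
            return None
        return user_id

    def invalidate_user(self, user_id: str) -> int:
        """Invalidate every token of user_id (logs that account out everywhere).
        Returns the number of tokens removed."""
        doomed = [d for d, (uid, _) in self._tokens.items() if uid == user_id]
        for d in doomed:
            del self._tokens[d]
        return len(doomed)


def simulate_breach_response() -> dict:
    """Constructed walk-through: a token is issued, it authenticates without a
    password, the account's tokens are invalidated after an incident, and the
    same token is then useless to whoever copied it."""
    store = AccessTokenStore(ttl_seconds=3600)
    t0 = 1_000_000.0
    token = store.issue("alice", now=t0)
    before = store.resolve(token, now=t0 + 10)   # "alice": token alone suffices
    revoked = store.invalidate_user("alice")     # incident response step
    after = store.resolve(token, now=t0 + 20)    # None: holder is logged out
    return {"before": before, "revoked": revoked, "after": after}


if __name__ == "__main__":
    print(simulate_breach_response())
```

The point of hashing at rest is that a leak of the token table is not the same as a leak of usable tokens; the point of per-user invalidation is that a defender does not need to know which copy of a token is the attacker's to cut it off.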
Were passwords stolen?
Hackers were not able to gain access to users' passwords.
“The company has, however, stated that user passwords were not exposed as this was not a data breach. However, attackers could have gained the ability to impersonate affected users on services that use Facebook for authentication,” explained Solling.
Clearly, fraudsters are out there to steal identities and users have the responsibility to follow best practices in order to protect themselves.
What can you do?
Here are a few tips from Solling on what users can do to protect themselves against Facebook hackers:
• Always use a unique password as password reuse is simply not acceptable
• Ensure that the password cannot be easily cracked by using special characters and a strong password policy
• Use the multi-factor authentication features available in most of the well-established platforms. “Two-factor authentication essentially means using two methods for identification: the password and a unique code that is specifically generated for each login attempt. Most well-established online services now offer this option, especially when you try to log in using a new device that isn't recognized by the service,” said Solling.
“In the case of Facebook, users can choose to be identified either with a password and a text message (SMS) code sent to their mobile phone, or via the combination of password and a login code generated by a third-party authentication app such as Google Authenticator or LastPass.”