FacebookSecurity
Latest
Following Adobe hack, Facebook requires compromised users to change passwords
Here's a good lesson to vary up your passwords if we've ever seen one: Facebook is locking out Adobe users whose accounts were compromised by a recent large-scale hack if they use the same login info for both Adobe and the social network. To regain access, they'll need to change their password and answer a few security questions. According to Krebs on Security, Facebook has mined the encrypted password data to discover which of its users were affected by the breach -- more than 38 million Adobe users' accounts were reportedly exposed. Facebook was able to discover the same email-password combos by running them through the same code it uses to confirm your credentials at login time. If the site found that your account matched one of the millions exposed in the Adobe hack, you'll receive a notification like the image above. Diapers.com and Soap.com have reportedly put the same policy in place; this is important stuff, guys!
Facebook security bug exposed 6 million users' personal information (update)
Today, Facebook announced a security bug that compromised the personal account information of six million users. In a post on the Facebook Security page, the site's White Hat team explained that some of the information the site uses to deliver friend recommendations was "inadvertently stored with people's contact information as part of their account on Facebook." When users downloaded an archive of their account via the DYI (download your information) tool, some were apparently given access to additional contact info for friends and even friends of friends. The post continues: We've concluded that approximately 6 million Facebook users had email addresses or telephone numbers shared. There were other email addresses or telephone numbers included in the downloads, but they were not connected to any Facebook users or even names of individuals. For almost all of the email addresses or telephone numbers impacted, each individual email address or telephone number was only included in a download once or twice. This means, in almost all cases, an email address or telephone number was only exposed to one person. Additionally, no other types of personal or financial information were included and only people on Facebook – not developers or advertisers – have access to the DYI tool. Facebook says it's temporarily disabled the DYI tool to fix the breach. We've reached out to the site for further comment; for now, read the official statement via the source link below. Update: Facebook has responded to our inquiries and stated that while the bug was discovered earlier this month, "it had been live since last year." They immediately disabled the tool, fixed the bug and reenabled it within 24 hours of the bug's discovery. The bug was reported to them through a White Hat program for external security researchers.
