What to do about Facebook breach?
April 8, 2021 6:41 PM
I changed my FB password, and I already have data monitoring. Is there anything else to do?
I'm reading articles that say people whose data (usually name, phone number, and email) was exposed in the recent Facebook breach won't be notified. But even if we were notified, what could we do?
Today Facebook insisted that I change my password, so I did change it to something new and strong. I presume my info was breached. (I would presume that even without the prompt to change my password.)
I found this previous question about the Experian breach. I was notified about that one, and I signed up for data monitoring, which I check regularly.
Assuming my name, email, and phone number were in the Facebook breach, too, what do I need to do differently? Would it even help to change my number or email?
Check haveibeenpwned.com. Hopefully your information wasn't exposed. If it was, this article by a well-known computer security expert has some suggestions.
posted by davcoo at 7:12 PM on April 8, 2021
Brian Krebs has some good suggestions. I just went through and changed some of the FB privacy settings regarding being looked up/contacted via phone number. And though the horse has left the barn, I deleted (on FB) the phone number that FB leaked, and verified my Google Voice number that for whatever mysterious reason was never allowed to be verified before.
posted by Standard Orange at 8:12 PM on April 8, 2021
When password databases get exfiltrated, then assuming that the organization they were exfiltrated from has displayed basic security competence, the only password-related information stored in them is cryptographic hashes of the actual passwords.
The only way to convert a cryptographic hash back into the password it was derived from is to guess a password, hash it, and compare the result to the hash you're trying to reverse. This can be done systematically at ridiculous numbers of billions of guesses per second, but the only passwords it's economically feasible to recover this way are the short and non-random ones, especially given that those are the very ones most likely to have been re-used across services and therefore the most rewarding to collect.
So if your passwords are all unique, and all machine-generated at random using password management software that estimates their resulting strength at around 100 bits of entropy or more, there is in practice zero chance that they will ever be recovered from an exfiltrated credentials database.
Use KeePassXC or something equivalently strong to store your passwords and you can stop worrying about this kind of stuff. There's actually a fairly decent password manager built into Firefox these days, if you'd rather not bother evaluating alternatives and don't mind being locked into a single browser vendor for all eternity.
posted by flabdablet at 3:32 AM on April 9, 2021
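Added example (written for this page, not code from any commenter or from Facebook) that puts numbers on the two points above: a uniformly random password from a 94-character alphabet carries length × log2(94) bits of entropy, and a hash can only be reversed by guessing, hashing and comparing. The scrypt parameters, the 10 billion guesses per second figure, and the tiny "leaked wordlist" are all constructed for illustration and are assumptions, not values from the thread.

```python
import hashlib
import math
import secrets
import string
from typing import List, Optional, Tuple

# Alphabet a password manager typically draws from: letters, digits, symbols (94 chars).
PRINTABLE = string.ascii_letters + string.digits + string.punctuation

# Constructed sample of "common" passwords, standing in for a real leaked wordlist.
SAMPLE_WORDLIST = ["password", "123456", "qwerty", "letmein", "iloveyou", "Summer2021!"]

# Illustrative attacker guess rate (assumption): ten billion hashes per second.
ASSUMED_GUESSES_PER_SECOND = 1e10


def generate_password(length: int = 16, alphabet: str = PRINTABLE) -> str:
    """Random password drawn with the OS CSPRNG, the way a manager generates one."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random password: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)


def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Years needed to try every password of the given entropy at a fixed guess rate."""
    seconds_per_year = 365.25 * 24 * 3600
    return 2 ** bits / guesses_per_second / seconds_per_year


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted, memory-hard hash (scrypt) of the kind a competent service stores.
    Parameters are an assumption chosen to run quickly in an example."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, n=2 ** 14, r=8, p=1, dklen=32)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """The only way to check a stored hash: hash the candidate and compare."""
    return secrets.compare_digest(hash_password(password, salt)[1], digest)


def found_in_wordlist(salt: bytes, digest: bytes, wordlist: List[str]) -> Optional[str]:
    """Defensive audit: does a stored hash correspond to a known-weak password?"""
    for word in wordlist:
        if verify_password(word, salt, digest):
            return word
    return None


if __name__ == "__main__":
    bits = entropy_bits(16, len(PRINTABLE))
    print(f"16 random printable chars: {bits:.1f} bits")
    print(f"Years to exhaust at {ASSUMED_GUESSES_PER_SECOND:.0e}/s: "
          f"{years_to_exhaust(bits, ASSUMED_GUESSES_PER_SECOND):.2e}")
    print(f"Years for a ~40-bit password: "
          f"{years_to_exhaust(40, ASSUMED_GUESSES_PER_SECOND):.2e}")

    weak_salt, weak_digest = hash_password("letmein")
    print("Weak hash matches wordlist entry:", found_in_wordlist(weak_salt, weak_digest, SAMPLE_WORDLIST))

    strong = generate_password(20)
    strong_salt, strong_digest = hash_password(strong)
    print("Strong hash matches wordlist entry:", found_in_wordlist(strong_salt, strong_digest, SAMPLE_WORDLIST))
```

The point the numbers make: a 16-character random password is already over 100 bits, and exhausting that space at ten billion guesses per second takes on the order of 10^12 years, while a 40-bit human-chosen password falls in under two minutes at the same rate. The salt makes each hash a separate guessing job, and the memory-hard KDF makes each guess expensive, but neither rescues a password that is already on a wordlist.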
I have a google voice number that I use for sites like Facebook. It can receive phone calls/voicemails and text messages for 2FA but never rings my phone, just sends me an email. Changing your number is probably overkill. But I would advise against ever putting your actual phone number in a website where someone doesn't actually need to telephone you, and using the Google Voice method instead.
posted by peanut_mcgillicuty at 7:05 PM on April 8, 2021