After Facebook's hack, there's a lot of useless post-breach advice

Thank you, Capt. Hindsight.

Alfred Ng, Senior Reporter, CNET News



If someone is telling you that you should change your passwords after Facebook's breach, stop.

The advice is useless for the 50 million people potentially affected by the security flaw in Facebook's "View As" feature, which the company disclosed on Sept. 28. And yet organizations like the US government's Federal Trade Commission continue to suggest it.

The attackers who hijacked Facebook accounts didn't steal passwords. They took access tokens: digital keys the service issues after a user logs in so that later sessions don't need the password at all. Whoever holds a valid token can act as the account without ever knowing the password, which is why the password is beside the point here. What matters is whether the tokens themselves are invalidated.

Facebook reset the access tokens for the affected accounts, and for an additional 40 million accounts as a precaution, the company said on Friday. Because the stolen tokens no longer work, it added, there's no need to change passwords.
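The distinction between a password and an access token is easy to lose in the headlines, so here is an added illustration (it is not Facebook's code and does not model Facebook's real session system). It builds a toy service that issues bearer tokens on login, then shows that a naive password change leaves a stolen token working, while revoking the tokens, which is what Facebook actually did, cuts the attacker off. All names (`Service`, `alice`, the passwords) are constructed for the example.

```python
"""Added example: why a token reset, not a password change, evicts a token thief.

This is an illustration written for this article, not Facebook's code. It models
the mechanism the article describes: after login the client holds a bearer access
token and never sends the password again. The names and credentials are made up.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class Account:
    username: str
    salt: bytes
    password_hash: bytes
    tokens: set = field(default_factory=set)  # live access tokens for this user


class Service:
    """Minimal login service with server-side token tracking."""

    def __init__(self):
        self.accounts = {}
        self.token_owner = {}  # token -> username, consulted on every request

    @staticmethod
    def _hash(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def register(self, username: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self.accounts[username] = Account(username, salt, self._hash(password, salt))

    def login(self, username: str, password: str):
        """Verify the password once; on success hand back a bearer token."""
        acct = self.accounts[username]
        if not hmac.compare_digest(acct.password_hash, self._hash(password, acct.salt)):
            return None
        token = secrets.token_urlsafe(32)
        acct.tokens.add(token)
        self.token_owner[token] = username
        return token

    def whoami(self, token: str):
        """Every later request is authorized by the token alone."""
        return self.token_owner.get(token)

    def change_password(self, username: str, new_password: str) -> None:
        """Naive password change: rehashes the secret, leaves tokens untouched."""
        acct = self.accounts[username]
        acct.salt = secrets.token_bytes(16)
        acct.password_hash = self._hash(new_password, acct.salt)

    def revoke_all_tokens(self, username: str) -> None:
        """What a 'token reset' means server-side: drop every live token."""
        acct = self.accounts[username]
        for token in acct.tokens:
            self.token_owner.pop(token, None)
        acct.tokens.clear()


def demo() -> dict:
    """Walk a stolen token through a password change and then a token reset."""
    svc = Service()
    svc.register("alice", "correct-horse-battery")
    stolen = svc.login("alice", "correct-horse-battery")  # attacker copies this token

    outcome = {"before": svc.whoami(stolen)}          # attacker is 'alice'
    svc.change_password("alice", "a-brand-new-secret")
    outcome["after_password_change"] = svc.whoami(stolen)  # still 'alice'
    svc.revoke_all_tokens("alice")
    outcome["after_token_reset"] = svc.whoami(stolen)      # None: locked out
    return outcome


if __name__ == "__main__":
    print(demo())
```

The takeaway for a practitioner: a password change only helps against a token thief if the service revokes outstanding tokens as part of that change. Many services do, but the user cannot tell from the outside, whereas a server-side token reset removes the doubt. Where a service exposes "log out of all other sessions," that is the user-facing name for `revoke_all_tokens`.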

The FTC noted this in its advice, then followed up with, "But, to be safe, log in and change your password anyway."

The suggestion plays off our natural desire to do something after such a massive breach. The ever-increasing number of breaches, from Yahoo to Equifax, has us all worried about our personal information. But there are times when the advice that comes after an incident doesn't help. Your best bet is to take proactive measures ahead of a breach.

"Usually, there's not many steps that a consumer can do after a breach has happened," said Dave Kennedy, chief executive at security company TrustedSec.

The FTC's other advice isn't much more helpful. The agency recommends watching out for impostor scams that might use information stolen from these Facebook accounts to pilfer money from you. Though scams are something you should be wary of, the FTC's tips aren't really tied to the Facebook incident, Kennedy said.

"It's so generic that it's not even specific to the Facebook breach and it's not applicable to what's going on with Facebook," he said. "I don't think the advice was useful for this specific breach at all."

Post-breach advice is often what a person should've been doing before the breach happened. Use a password manager. Don't use Facebook to log in to other apps like Instagram, Spotify and Tinder. Use two-factor authentication.

Those are all typically good security practices that can protect you from future attacks, but they don't really do much to help you after a breach has already happened. It's like telling someone to wear a seat belt while they're recovering from a car crash.

"The consumer's ability to do anything to prevent long-term damage is limited," said Emily Wilson, fraud intelligence manager at Terbium Labs.

Oftentimes, the cleanup is out of the affected people's hands. They have to rely on the breached companies to protect their lost data and make sure it doesn't happen again.

"For consumers, they are in many cases in less control of their data," Wilson said.

In Facebook's case, the social network had already taken the steps available to it, logging 90 million people out of their accounts to reset their access tokens. When Equifax announced a breach affecting about 147 million Americans, the credit-reporting company offered its own identity protection tool for free.

The most useful advice following Facebook's massive breach, Kennedy said, is to protect yourself from new hacks, not the ones that have already happened.

But just because you can't do anything about the previous breaches doesn't mean you're helpless.

"There's lessons learned," Kennedy said. "It's not helplessness. There's proactive steps you can take."
