What to Communicate About the Facebook Hack

As many of you may have read, Facebook announced on Friday, 28 September that they were hacked. While they are still working through the details, it looks like over 50 million accounts were affected. The attack worked by taking advantage of Facebook’s “View As” feature. No passwords were compromised, instead it is believed the attackers gained access to peoples’ authentication tokens which meant the attackers could login as people who were already logged in. As a safety precaution, Facebook is resetting the connection of the 50 million affected people, forcing them to login in again, and is requiring it for another 40 million accounts as a precaution. Your workforce may have questions about this hack and be looking to you for information. Below is a template you can use (feel free to edit the template) to reach out to and inform your organization. In addition, this is a great opportunity to remind them about key security behaviors that help them at both work and home. Whenever communicating about a large, public incident there are a couple of things to keep in mind.

Stick to the Known Facts. There will be a growing number of guesses, finger pointing and opinions in the coming days, do not share those as most will be wrong and/or change.
This is Not the Victim's Fault. Big incidents like this are a growing problem in the age of big data and complex systems. Make sure people understand this is not their fault.

Folks, you may have recently read in the news about a cybersecurity incident at Facebook. We wanted to share some facts so you can better understand what happened, what you should do and how to protect yourself in the future. On Friday, 28 September Facebook announced they discovered they were hacked. Cyber attackers had identified a flaw in Facebook’s website that allowed them to take over and access people’s Facebook accounts that were already logged in. No passwords were compromised. Facebook has fixed the vulnerabilities in their website and is forcing most people to log in again to make sure cyber attackers no longer have access to their accounts. There is no action you have to take yourself right now as Facebook is taking the necessary steps to help protect you. However, we wanted to remind you of a few key steps to secure your online accounts.

Make sure you use a strong AND unique password for each of your online accounts, the longer the better. We recommend a passphrase for each of your accounts which can be a sentence or a series of random words. Can’t remember all your passwords? Consider using a password manager.
If a site like Facebook offers two-factor authentication, enable it. This super easy step is one of the easiest ways to add extra security to your accounts.

Our security team is here to help you out, if you have any questions please let us know.

About the Author

Lance Spitzner

Director, SANS Security Awareness

Lance Spitzner has over 20 years of security experience in cyber threat research, security architecture, awareness and training. He helped pioneer the fields of deception and cyber intelligence and founded the Honeynet Project. In addition, Lance has published three security books, consulted in over 25 countries and helped over 350 organizations build programs to manage their human risk. Lance is a frequent presenter, serial tweeter ( @lspitzner ) and works on numerous community security projects. Mr. Spitzner served as an armor officer in the Army's Rapid Deployment Force and earned his MBA from the University of Illinois.