After Facebook data breach, consumers need to go on defense

April 4, 2021 
By Teresa Murray, Consumer Watchdog

Consumers who have accounts on Facebook need to be extra vigilant in the weeks and months ahead as identity thieves could use stolen information to try to commit fraud.

Reports emerged Saturday that a hacker published data from more than 533 million Facebook users from 106 countries, including 32 million records on users in the United States. The compromised data includes their full names, phone numbers, Facebook IDs, birthdates, bios, locations and, in some cases, email addresses, according to Business Insider.

This serves as another important reminder that consumers must always be on the lookout for identity thieves who may call, text or email victims and try to trick them into providing more information. What we frequently see after data breaches: Bad guys may contact unsuspecting consumers and pose as Facebook, in this case, and try to con them into providing their password or credit or debit card numbers. Or scam artists may pose as other types of businesses, including banks, credit card issuers or online retailers. 

For consumers who willingly provide personal information to just about any company, especially a social media company, it’s not a matter of if, but when the data gets compromised. Names along with phone numbers, birthdates and email addresses are a dangerous combination to put in the hands of identity thieves.

Besides being on guard for suspicious phone calls, emails or texts, consumers should check whether they’ve used information that can be found on their Facebook profiles as the answers to secret questions for financial accounts, such as their high school mascot or name of their pet. Consumers should also realize the stolen information could be even more dangerous when combined with information from past data breaches, such as the Equifax breach of 2017, which disclosed Social Security numbers, dates of birth and financial information for half of the U.S. adult population.

Here are tips for coping with the Facebook data breach: 

Consider that you could see a broader attack on your identity. If someone has your name, date of birth, phone number, email and other personal information from Facebook, they’re armed with enough ammunition to potentially do a lot of damage. You need to be extra cautious and paranoid for a while. Make that forever.

Watch out for suspicious emails, phone calls or text messages that try to trick you into disclosing personal information or changing your password, based on already having some information about you. Just because someone tells you your date of birth or the city you live in doesn’t mean they’re legit. Heck, it wouldn’t be surprising for a con-artist who has your Facebook data to call or email or text you posing as Facebook. Also important to remember: Your bank, credit card, the IRS, FedEx, etc. will never send you unsolicited links asking for your login password or Social Security number or anything like that.

If you get an email or text unexpectedly that you think could be legitimate, don't respond. Instead, contact the company or agency at a number you look up independently, using the back of your credit card, your account statement, etc. Even if you don’t enter personal information, just clicking on a bad link could infect your phone or computer with a virus that steals your information. 

The same advice applies to messages on social media. It's common for information-stealing viruses to be sent with a message such as, "Is this you in this video?" Your instinct is to click and look at what the sender is talking about. Don't give in to the temptation.

Check whether you need to change any information on any of your accounts that use secret questions for password recovery. Don't use secret questions that other people know the answers to, maybe because you have the information on Facebook. It's probably easy to figure out from your Facebook page what city you grew up in. Same with the elementary school you attended. Or your mother's maiden name.

Scrub your Facebook account and other social media of unnecessary personal information. Does Facebook or Instagram really need your phone number? No. Facebook frequently asks for your phone number for account security purposes; but it can contact you via your email address. Does Facebook need your birthdate including the year you were born? No. You'll still get birthday wishes without your birth year being listed. And the site certainly doesn’t need your mailing address. (Face palm.)

Consider getting a virtual phone number, such as through Google Voice, for those times when you need to give out a phone number. It’s easier to get a new Google Voice number than to replace a personal cell phone number you’ve had for 10 or 20 years.

Watch out for new Facebook friend requests, especially from people you’re already friends with. The requests could be fraudulent.

Make sure your contact information is up to date with the banks, credit cards, investment firms and other financial institutions you do business with. You’d be surprised to learn how many people have fraud on their accounts and don’t find out quickly because companies don’t have a customer’s current cell phone number or even a correct email or mailing address.

Strongly consider putting a freeze on your credit files with the major credit bureaus. It's free by law to freeze and thaw. You should be able to do all three bureaus in less than 20 minutes total. Check out our step-by-step guide. To do it by phone: Equifax, 800-685-1111; TransUnion, 888-909-8872; and Experian, 888-397-3742. Freezes not only prevent someone from opening credit accounts in your name, but also block someone from fraudulently creating online accounts with the IRS and Social Security Administration.

With any company that offers it, opt in for two-step authentication for online access. This requires more than just your username and password. It also requires a one-time code, sent almost immediately by text or email, that you need in order to actually log in.

Protect your cell phone and primary email account that you use for financial accounts above all else. If someone is trying to breach an account and tries to reset your password, the notifications will generally go to your cell phone or email of record. Make sure the password for your primary email account isn’t used on any other account you have.

Sign up for transaction alerts with your financial accounts, so that you get text alerts or email messages about any withdrawals or transactions above a certain dollar amount, new transfers, payees added or any changes in contact information.

If you’re contacted by someone posing as a financial company you actually do business with and they ask for information, consider that an escalated threat. Contact your banks and investment accounts first, then credit cards and other types of financial accounts. Ask whether you can put additional verbal passwords on your accounts that don't involve any data that is in public records or that was available on your Facebook account. We're talking about PINs or random words (like tangerine or tooth). You want to make sure someone can't access your accounts for wire transfers or to change your contact information without your secret password.

 

Here’s advice that’s good for everyone, every day, regardless of any data breach:

If you’ve put freezes on your credit files, great. But don’t get complacent. Remember that 88% of identity theft involves existing accounts. Freezing your credit files does nothing to protect your existing credit cards, loans or accounts. And a credit freeze doesn’t protect your checking or savings accounts.

Monitor your primary bank accounts, credit cards, investments, etc. Every week is good. Every day is better.

Put every type of protection you can on your financial accounts. If you can require codes to be sent to your phone in order for you to log in, do it. If you can request email or text alerts for purchases above a certain dollar amount, or any bank account withdrawals, or changes to your contact information, then do it. 

Be more cautious about anything you post on social media -- Facebook, Twitter, Instagram, etc. You can provide thieves with a lot of information without meaning to. This is especially troubling if you tag your best friend and/or post photos of your dog online, and then use that information as the answers for security questions for bank accounts. And remember that even if your social media accounts are accessible only to friends or family, the information is still in some company's database and can be accessed or sold.

For online financial accounts, don’t use the same password on more than one account. If there’s a breach or your account gets hacked, the thief can obviously do more damage if they can get into more accounts.

Never use a password that you use for a social media account such as Facebook or Twitter or Instagram on any other account, and especially not your email account or any financial account. Social media platforms are hot targets for hackers.

Consider whether it makes sense to sign up for online statements from entities such as your employer, your bank, your credit card company, etc., so that you don’t have to worry about the items getting in the wrong hands.

Whether you get your statements by mail or online, know when to expect them each month and reach out if something is missing. It could be a sign someone has intercepted the item or changed your contact information.

It’s old advice but worth repeating: Check your credit reports regularly to make sure there are no accounts or inquiries you don’t recognize. In normal times, you’re entitled to one free credit report per year from each of the three major credit bureaus. Because of COVID-19, you’re entitled to one free report each week from each of the three bureaus through April 2022. For the long term, the best strategy is to order a report from a different bureau every four months.

Go to annualcreditreport.com or call 1-877-322-8228. You’ll be asked to provide your name, address, Social Security number and date of birth. Don’t just google “free credit report.” You could end up on a scam site. If there’s any inaccurate information on your credit reports, use the dispute process to get the information removed or corrected. Or you can write out a paper request and mail it to: Annual Credit Report Request Service, P.O. Box 105281, Atlanta, Georgia 30348-5281. You need to provide your name, address, Social Security number, date of birth and which bureau you want a report from (Equifax, TransUnion or Experian).

If there are actually accounts on the credit reports that aren’t yours, you need to do more. Contact the creditors directly by phone to find out whether these are mistakes or whether you’re the victim of more serious identity theft. If it’s the latter, you should take additional steps to protect yourself, including filing an identity-theft affidavit with the Federal Trade Commission (it will provide you with prewritten letters to send to creditors). The FTC site is great and even has a chat function.

If you’ve chosen to get identity theft monitoring, realize that most of these services don’t prevent identity theft -- they just notify you once a problem has been detected.

Buy a shredder and use it to destroy sensitive documents.

Pay attention to your credit scores provided on any of your credit card accounts. While the scores may be different from your actual FICO score, they shouldn’t change dramatically from month to month. If they do and you’re not sure why, you need to find out. It could be a sign of fraud.