600,000+ compromised account logins every day on Facebook, official figures reveal


If an unauthorised party has logged into your Facebook account, then you're far from alone.

New official statistics published by the social networking giant reveal that 0.06% of the more than one billion logins it sees each day are compromised.

Put another way, that's more than 600,000 per day - or, if you really like to make your mind melt, one every 140 milliseconds. (By comparison, a blink of the eye takes 300-400 milliseconds.)

Snippet of Facebook security infographic

The statistic was revealed in an infographic published alongside an official Facebook blog post trumpeting new security features introduced by the firm.

The new security features include Trusted friends (called "Guardian angels" in the infographic).

Facebook says that you will be able to nominate three to five "trusted" friends who can help you if you have a problem accessing your account - if, for instance, someone else has changed its password and locked you out of your email account. The idea is that if you need to log in to Facebook but can't access your email account, Facebook will send codes to your friends that they can pass on to you.

Trusted friends on Facebook

(BTW, nice middle names you're using there, Facebook)

None of your friends on their own has enough information to access your account, as they are only sent a single code. But, of course, if your "trusted" friends turned out to be untrustworthy and banded together they would - between them - be able to access your account. So you'd best be sure that you keep a close eye on who your trusted friends are (especially if you're prone to falling out, or they think practical jokes are amusing), and be pretty confident that they are taking their own computer security seriously.

Oh, and it might be an idea to remind yourself what the word "friend" actually means, as history has shown that many Facebook users have a very different idea of what a "friend" is from the rest of the world. :)

Another thought occurs to me - if a bad guy has taken over your Facebook and email account, isn't it likely that he will also change who your trusted friends are at the same time? Wouldn't that make the whole security measure kinda pointless?
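A toy server-side model of the friend-code recovery discussed above, added here as an illustration and not Facebook's implementation: the class, the threshold of three codes and the seven-day cool-off on newly added contacts are all assumptions. It shows that one friend's code is not enough, that friends who pool their codes succeed, and how a cool-off stops contacts added by an intruder from vouching straight away.

```python
import hashlib
import hmac
import secrets

COOL_OFF = 7 * 24 * 3600   # assumed: contacts newer than this cannot vouch
THRESHOLD = 3              # assumed: distinct valid codes needed to recover

class RecoveryService:
    """Hypothetical model of friend-assisted account recovery."""

    def __init__(self):
        self.contacts = {}   # friend -> time they were added as trusted
        self.pending = {}    # friend -> SHA-256 of the one-time code sent

    def add_contact(self, friend, now):
        self.contacts[friend] = now

    def start_recovery(self, now):
        """Issue one code per eligible friend; return what each is sent."""
        self.pending, sent = {}, {}
        for friend, added in self.contacts.items():
            if now - added < COOL_OFF:
                continue  # recently added contact: not eligible yet
            code = secrets.token_hex(4)
            self.pending[friend] = hashlib.sha256(code.encode()).digest()
            sent[friend] = code
        return sent

    def finish_recovery(self, submitted):
        """submitted maps friend -> code; needs THRESHOLD valid codes."""
        good = 0
        for friend, code in submitted.items():
            expected = self.pending.get(friend)
            digest = hashlib.sha256(code.encode()).digest()
            if expected is not None and hmac.compare_digest(expected, digest):
                good += 1
        if good >= THRESHOLD:
            self.pending = {}   # codes are single use
            return True
        return False

def demo():
    day = 24 * 3600
    svc = RecoveryService()
    for name in ("ann", "bob", "cat"):           # constructed sample contacts
        svc.add_contact(name, now=0)
    for name in ("sock1", "sock2", "sock3"):     # constructed: added by an intruder on day 30
        svc.add_contact(name, now=30 * day)
    sent = svc.start_recovery(now=31 * day)
    one_friend = svc.finish_recovery({"ann": sent["ann"]})
    colluding = svc.finish_recovery({f: sent[f] for f in ("ann", "bob", "cat")})
    return sorted(sent), one_friend, colluding
```
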

Another new announcement is App Passwords - meaning that you will no longer have to log into Facebook apps with the same credentials that you use for your Facebook account. It's certainly a good idea not to use your Facebook password with anybody other than Facebook - so it's good to hear that Facebook will be offering this new privacy option.

App specific passwords

However, it's not hard to predict that the only people who might use such a feature might be those who are already very aware of privacy issues, rather than the great unwashed majority on Facebook.

Facebook security infographic

Facebook's infographic is too long and thin to properly embed on the Naked Security site, so here's a link to where you can download a version for yourself.

Make sure that you keep informed about the latest scams spreading fast across Facebook and other internet attacks.

Join the Sophos page on Facebook, where over 140,000 people regularly share information on threats and discuss the latest security news.

What are your experiences of spam, malware, scams and cybercrime on Facebook? Is Facebook doing enough to make their social network a safer environment?

Leave a comment below and share your thoughts.


23 Responses to 600,000+ compromised account logins every day on Facebook, official figures reveal

  1. aldon · 1441 days ago

    As 60% of Facebook accounts are false game accounts, I don't think anything will really make Facebook safe, as every time new safety measures are introduced Facebook bring some other stupid thing to share all our details with the world. The reason most use false accounts for games is: 1, there's no limit as to how many you can have; 2, you can abuse as many rules as you like, because if Facebook ban you, you simply rename another false account with the same name that's just been banned and, hey presto, following a few posts you're back to where you were before; 3, you're anonymous, nobody knows who you really are. Is that safe? Well, no, I don't think it is. Take Vampire Wars and offshoot groups like deth kult: these attract young girls into them and they become very graphic sites showing images of a macabre nature. Where is it all going to end? For some, I would say, in tears.

  2. Sean · 1441 days ago

    The datapoint you've based your post's title on is located in a section called “Facebook Keeps Spam At Bay”.

    So I read that as: Only .06% of over 1 billion logins per day are compromised [BY SPAM].


    “If [typo removed] an unauthorised party has logged into your Facebook account, then you're far from alone.”

    Seems that you've read their stats as account compromises… please justify that position/spin.

    • Thanks for telling me about the typo - now fixed. I'm such a butter fingers.

      Clearly we're reading Facebook's data in two different ways. I would find it strange for Facebook to use the word "compromised" if they're talking about users receiving spam messages. That's hardly a compromise is it?

      And right next to the data point they have another - 0.5% of Facebook users "experience spam" on any single day. How does that fit in with your reading of the "compromise" stat?

      My deduction is that Facebook is talking about the phenomenon of users' accounts being accessed by spammers, and used to send messages out to their online pals. That's what I would call a "compromised account", and that's the 600,000+ a day I suspect.

      I did contact Facebook's UK PR some 24 hours ago to ask for clarification regarding their stats, and spoke to a charming young woman who sounded terribly helpful.. but didn't ever get back to me with any answers. :(

      The other question I had was what Facebook classify as spam. For instance, are they counting the frequently seen survey scams that hit many thousands of users' newsfeeds most days? That I suspect is a much bigger issue than "traditional" spam.

      If Facebook do have any clarification I would be happy to post it up here.

      • Sean · 1441 days ago

        Not receiving! Being tricked into *spreading* spam/scams… that's a compromise of the account.

        You do consider “rogue apps” to be a compromise don't you???

        But it doesn't mean that the accounts were “logged into”.

        But too late now… the tech press has already shallowed your headline without any skeptical analysis of their own.

        Rushing to conclusions results in misinformation being spread — and that is a harm for the general Facebook using public. :-(

      • Sean · 1441 days ago

        Swallowed rather.

        Looking at the stats:

        .06% of accounts are compromised by rogue apps, like-jackings, etc and are used to spread spam.
        .5% of users see that spam/scam in their news feed.
        4% of what's shared is spam.

  3. Jess · 1441 days ago

    I've never really had an issue with Facebook security. My sister on the other hand is having issues with pictures being shared with friends of friends even after she changes settings.

  4. Regina · 1441 days ago

    I haven't had a problem yet, hopefully I won't either. If I click on an app, say like a quiz or something that combines my friends in a certain way, I will go through my account settings and delete the whole thing if I don't like something about it. I never play games on FB. I also research through you or news media before I pass something along or click on something. If it's something bad or misinformation, I inform the person who posted it. I do like the login with a generated password to link to other sites app, that makes sense. Every time I do that I think in the back of my head, "did I just make a mistake?"

  5. Art Irish · 1441 days ago

    The article is interesting but it's distracting to have to sort through the grammar and spelling errors. Maybe it was written in haste by someone watching the (U.S.) World Series last night.

    • aldon · 1441 days ago

      If every person in the world were perfect, Art, we would not be commenting on this subject.

    • Actually the biggest distraction in my life at the moment is "Social Chess" for the iPhone. That's about as sporty as I get.

      Sorry about the typos.

      • aldon · 1441 days ago

        try antisocial chess lol just make sure the other guy is smaller than you

  6. Carl B · 1441 days ago

    I quit FB about 18 months ago after someone in Uzbekistan logged into my account. FB friends are not nearly as important as LinkedIn, so I made the decision to shut down FB. No regrets.

  7. You have it completely wrong. 600,000 times a day, we STOP a bad guy from getting access to an account even though he has guessed, phished, or stolen the login and password of an account. This is something we're very proud of and we'd appreciate if you'd explain it to your readers correctly.

    • Gavin · 1440 days ago

      I wish Facebook had a support apparatus to help me get back ON to my account. I went on vacation and tried to access my Facebook account from a different computer. As a result, Facebook froze my account, and asked for the birthdate I had given them. Unfortunately, I had given a made-up birthdate when I first signed up with them (in order to forestall identity theft), and I have no idea what date I gave them. So now I can no longer log on to Facebook, unless I guess the date. I've tried going to Facebook's "Help" page, but they have no link or form which covers this problem.

    • Paul Ducklin · 1440 days ago

      Hi, Joe.

      Just to back Graham up for a moment here: he's using exactly the same terminology you did in your document. He even posted an image above with the relevant part from your stats, where you say, "Only 0.06% of over 1 billion logins per day are compromised."

    • .06% of logins, not accounts. That can confuse people. They will assume 1 login = 1 account, or at least that attackers have similar need to login repeatedly. If you have the data, why go back?

      When asked at DerbyCon, Kevin Johnson claimed to have "about 5,000" FB accounts. Those aren't compromised. Who needs to compromise for spam when you can create unlimited real ones? If you need info from a real user, just get them to hand it over with apps/likes.

      "600,000 times a day, we STOP a bad guy from getting access"... but # stopped does not = # detected, and # detected does not = # breached. Unless both detection and active response have 100% success rate.

      Of course, I'm assuming I'm responding to Facebook's CSO. Maybe you're just an account with a similar name. Sure, Graham is following you, but how do I know he wasn't duped too? Not everyone is who they say they are.

  8. Virgil Hicks · 1440 days ago

    Hackers, or the Facebook team, people are being set up to say things they didn't comment on.

  9. Jeannie · 1438 days ago

    OK, so this nit picking is all well and good, BUT back to the original article and our accounts being compromised. No one has mentioned what we should do about it, if our account IS compromised. (i.e.: report as spam/change password) AND what is the difference between being compromised and hacked. I sure hear that word more than compromised. Thanks

  10. jamie · 1438 days ago

    I finally deleted my scam book account.

    Tired of all the rogue applications that can access your info just because a friend was stupid enough to add it, and all the event invite spam and the tagging spam and all the other privacy scams they do.

    Scam book is no different than the Nigerian identity thieves - they just look like offering a service to get you to do the exact opposite of what places like Sophos tell you not to do, and make it a terms violation for just doing what any competent security expert will tell you to do for not being a victim of identity theft or a burglary ring trolling for victims on the internet to break in when you posted you will be out of the house for a week.

    We can all do better if we tell these scammers what we think by simply not doing business with places that violate all common sense for privacy and safety.

  11. Jon Fukumoto · 1437 days ago

    To prevent your Facebook account from being compromised, use a complex password at least 8 characters long consisting of upper and lower case letters along with numbers and symbols. Also go into your account settings and click on security and enable Login Approvals. If you log in on a computer or device that's not recognized, Facebook will send you a 6 digit code via a text message on your mobile phone. By having Login approvals on, it will prevent unauthorized access to your account.

  12. Henry · 1437 days ago

    How is getting your friends to receive codes on your behalf better security?

  13. BrianC · 1437 days ago

    I note in the 'screen shot' of Generate App-Specific Passwords, that generate is spelled as generaet. God save us from these experts!
    Will the password generated be a genuine password that's generated in order for us to have a genuine credenshal? OOps, credential.

  14. I can't log in to my Facebook account using my iPhone, but can using other gadgets. What could the problem be?


About the author

Graham Cluley runs his own award-winning computer security blog at https://grahamcluley.com, and is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s. Now an independent security analyst, he regularly makes media appearances and gives computer security presentations. Follow him on Twitter at @gcluley