I’ve been hacked!
For those of you who don’t know, Workplace is Facebook’s enterprise platform.
It’s a powerful tool that gives you simple and fast collaboration and communication.
It helps to bring together every person at every level of an organisation, making it easy to share and discuss with colleagues and partners all over the world in real-time.
But just like any other kind of online software that’s used by millions of people, there’s always a tiny chance that someone will try to worm their way in.
As a Chief Technical Officer, I know how crucial it is to be aware and prepared.
So in the unlikely event that something nasty ever happens to your instance of Workplace, I’ve put together a few tips to help you with your first response.
But first, let’s talk about Workplace itself:
Is Workplace Secure?
Workplace shares a number of features with ‘normal’ Facebook.
But it sits on completely different servers – and it ties into your company’s login mechanism (such as Active Directory or Okta) rather than your personal Facebook account.
And I’m pleased to confirm that it is incredibly secure, with certifications for:
- ISO27001 and ISO27018
- SOC2 and SOC3
- And the EU/US Privacy Shield.
However, no system is completely fool-proof.
So far, there have been no publicly documented cases of a Workplace instance being successfully hacked.
But if the age of the internet has taught us anything, it’s that any system that’s around for long enough can eventually suffer from a breach.
(And if you’re here reading this, perhaps it’s already happened to you.)
So if your instance of Workplace has been hacked, your first question should be this:
Do I still have control of the environment?
If the answer is ‘No’, then here’s my advice:
Stop reading, and contact a Workplace Partner immediately – because the plan that follows will only help if you still have admin access.
Here at Coolr, we were the first Workplace Partner in EMEA. And today, we’re the most trusted.
No one has a better relationship with Facebook – and no one is in a better place to support you in this difficult situation.
So if you think you’ve been hacked and you’ve lost control of the environment, contact us immediately.
If the answer is ‘Yes’ (you still have admin access after a hack), then we’ve got the high-level emergency action plan you need.
(A quick note: I would always recommend that you bring in an expert after a successful hacking attempt, whether you’ve still got admin access or not. This plan is for people who – for one reason or another – decide that they’re going to take action alone.)
Here’s our 6-point action plan to help you recover from a successful Workplace hacking event:
1. Don’t try to hide it!
I can’t stress this enough.
As tempting as it may be to sweep this under the carpet, you should have an internal process for reporting this – and its purpose is to protect you.
Start the reporting process immediately (or escalate the situation to someone who can start it on your behalf).
Your legal and media departments can’t protect you or your organisation if they don’t know that a breach has occurred.
2. Establish what’s happened
(Or at least what you think has happened.)
Workplace has a number of different possible routes for attack, so it’s hard to consider them all here.
Here are the most likely routes, in order from most likely to least likely:
- The log-in details of one of your users have been compromised.
- One of your users has lost a device (or left a shared device logged into Workplace).
- One of the integrations you use has been compromised.
- Workplace gets physically hacked – not just your instance, but the underlying service. (This one is so unlikely that I’d put it at number 100 on the list if I could!)
3. Close the vulnerability
Once you’ve figured out how the attack has happened, you’ll need to work out whether the vulnerability still exists, and take steps to block the gap in your defences:
- If one of your user accounts was compromised, you should reset its password and disable the account (you don’t need to delete the whole account at this stage).
- If an integration was compromised, you should reset the integration token, and get in contact with the third party using it to make sure they’re being diligent on their end.
- And if it’s a device that was lost or left logged in, you should invalidate the session immediately.
4. Make sure the hacker can’t get back in
Hackers will often leave themselves a ‘back door’ – a way of gaining access again if their initial route gets blocked.
So once you’ve identified and fixed the vulnerability, it’s important to keep monitoring the areas around that vulnerability. You can do this by:
- Checking all of your other accounts – have any new accounts been created, and does each account have a level of access that’s appropriate for their role?
- Invalidating all sessions and resetting all passwords – this should help to sever all ties between your system and the hacker.
- Checking the activity of the compromised integration by looking through the integration security logs (this feature is still in beta).
5. Review the damage
Once you’ve secured the breach, you’ll need to take a deep look at exactly what happened during the attack – what changes might have occurred, and what data might have been lost.
You can do this by reviewing your compliance logs to see what activities took place during the compromised period.
With this information, you can build a timeline of the attack, see whether any data is likely to have been stolen, and then build a report which covers your worst-case scenarios.
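The following is an added example, not code from the original post or from Workplace. It assumes the compliance log has been exported to CSV with the hypothetical columns `timestamp`, `actor`, `event`, `target` and `detail` (the rows are constructed), builds the timeline for the compromised period, and flags the account and role changes from step 4 that could serve as a back door.

```python
import csv
import io
from datetime import datetime, timezone

# Constructed sample export; column names and event types are assumptions,
# not Workplace's actual log schema.
SAMPLE_LOG = """timestamp,actor,event,target,detail
2024-03-01T08:55:00Z,alice@example.com,login,alice@example.com,ip=198.51.100.7
2024-03-01T09:12:00Z,bob@example.com,login,bob@example.com,ip=203.0.113.50
2024-03-01T09:20:00Z,bob@example.com,account_created,svc-sync@example.com,role=member
2024-03-01T09:24:00Z,bob@example.com,role_changed,svc-sync@example.com,role=admin
2024-03-01T09:40:00Z,svc-sync@example.com,file_downloaded,hr-payroll.xlsx,group=HR
2024-03-01T11:30:00Z,carol@example.com,post_created,All Staff,
"""

# Event types that can give an attacker a way back in (step 4).
PERSISTENCE_EVENTS = {"account_created", "role_changed", "integration_token_created"}


def parse_ts(value):
    """Parse an ISO 8601 UTC timestamp such as 2024-03-01T09:12:00Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def build_timeline(log_text, start, end, compromised):
    """Return (timeline, backdoor_candidates) for the compromised period.

    Keeps events inside [start, end] whose actor is a compromised account or
    an account that a compromised account created or changed."""
    tainted = set(compromised)
    timeline, backdoors = [], []
    rows = sorted(csv.DictReader(io.StringIO(log_text)), key=lambda r: parse_ts(r["timestamp"]))
    for row in rows:
        when = parse_ts(row["timestamp"])
        if not (start <= when <= end) or row["actor"] not in tainted:
            continue
        timeline.append(row)
        if row["event"] in PERSISTENCE_EVENTS:
            backdoors.append(row)
            tainted.add(row["target"])  # later actions by this account are suspect too
    return timeline, backdoors


if __name__ == "__main__":
    window = (parse_ts("2024-03-01T09:00:00Z"), parse_ts("2024-03-01T10:00:00Z"))
    timeline, backdoors = build_timeline(SAMPLE_LOG, *window, {"bob@example.com"})
    for row in timeline:
        flag = "REVIEW" if row in backdoors else "      "
        print(flag, row["timestamp"], row["actor"], row["event"], row["target"], row["detail"])
```

Because the new account is added to the tainted set as soon as it is created, its later download shows up in the timeline even though that account was never on the original list of compromised users.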
6. Present your report
With your vulnerabilities fixed and your activity logs studied, you’ll be ready to present your report to your Service Continuity team. They’ll be able to help you decide the next steps.
So what’s next?
Hopefully, you’ve been able to block the points of entry and prevent the attacker from gaining any further access.
But regardless of whether any real damage has been done, you should take this experience as a valuable lesson – one that can help to fuel your efforts in preventing any further weaknesses in the future.
If you’re interested (and you should be!) watch this space for my next post.
I’ll be talking about resilience and prevention: how to harden your instance of Workplace to help protect it against potential threats.
And if you have any other questions or concerns, drop me an email.