The Facebook data breach and Plum

There has been no fraudulent activity and your Plum accounts are safe.

What happened?

Yesterday, Facebook announced that up to 50m accounts have been breached due to a bug in their 'View As' feature. According to Facebook, no passwords or credit cards have been leaked. The attackers gained access to "access tokens" which allow you to connect your Facebook account with third-party applications, like Plum. The breach had taken place three days earlier, on the afternoon of September 25th.

As an immediate action, Facebook logged out around 90m accounts, making the leaked access tokens non-usable by the attackers. This includes people affected by the breach but also everyone that used their 'View As' feature. As Facebook mentioned, if you were logged out of your Facebook account, it doesn't mean that you were affected by the breach directly.

Our immediate response

It's important to note that your bank login details are not at risk from the breach since we do not store them.

When we were informed about the breach we initiated an internal investigation to make sure that your Plum accounts are safe and secure.

Being extra cautious, we have also taken a few additional actions:

  1. We have logged everyone out to ensure that your Plum tokens are reset (these tokens are not related to the leaked access tokens). This means that a few buttons from your previous conversations with Plum might stop working – just ask Plum the same question to get fresh new buttons sent to you.
  2. Each and every bank account change will be manually reviewed by our operations team (in addition to the automated checks that we already have in place).

We found no signs of fraudulent activity and we will continue to be monitoring the situation for the coming days.

Should you change your Facebook password?

According to Facebook you don't have to change your password but there is no harm in doing so. If you're not already using a password manager like 1Password or LastPass you should perhaps consider it. Using a unique, strong password for every service is the best way to protect your accounts against attacks like this 🔒

Your security and safety is our upmost priority. If you have any concerns or thoughts feel free to reach us at security@withplum.com.