Some 50 million Facebook accounts were compromised in an attack the company discovered on September 25th, in what is likely the company's most severe data breach to date. Facebook made the breach public with an announcement last week, saying that it will notify all affected users, who will be logged out of their accounts and have to log back in. Facebook engineers patched the underlying vulnerability two days after they discovered the attack.
“I’m glad we found this and fixed the vulnerability,” Mark Zuckerberg told The Guardian. “But it definitely is an issue that this happened in the first place. I think this underscores the attacks that our community and our services face.”
Hackers stole users' "access tokens," the credentials that keep a user logged into the site across browsing sessions so they do not have to re-enter a password. An access token is a bearer credential: the site treats whoever presents it as the account owner, without asking for the password or a second factor. A stolen token therefore gives the attacker complete control of that account for as long as the token remains valid, which is what makes this breach particularly worrisome.
This breach comes not long after a massive scandal involving Cambridge Analytica and alleged interference in the 2016 US presidential election, for which Zuckerberg issued a public apology, stating, "We have a responsibility to protect your data, and if we can't then we don't deserve to serve you."
Facebook has since championed a new, less cavalier approach to privacy, but an attacker was still able to chain three bugs in the site's "View As" feature, which lets users see how their profile looks to other people; the bugs stem from a code change made in July 2017. Facebook has also logged out everyone who has used that feature since July 2017, which invalidates their access tokens on the server and so shuts out anyone holding a stolen copy.
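The remedy described above works only because token validity is decided on the server. The following is an added illustration, written for this page and not Facebook's code or a reconstruction of the actual bugs: a hypothetical `TokenService` that issues bearer tokens, honours any copy of a valid token exactly as it would the original, and then invalidates in bulk the tokens of every user who used a sensitive feature after a cutoff date. All names, the signing key and the sample users and dates are constructed for the example.

```python
import hashlib
import hmac
import secrets

# Constructed for this example only; a real service keeps its key in a KMS or HSM.
SIGNING_KEY = secrets.token_bytes(32)


class TokenService:
    """Hypothetical bearer-token issuer with server-side revocation (not Facebook's code)."""

    def __init__(self):
        self.live = {}          # token_id -> user_id; tokens the server still honours
        self.feature_use = {}   # user_id -> days (YYYYMMDD ints) on which the feature was used

    def _tag(self, token_id):
        # Integrity tag so a client cannot forge token ids; it does nothing for revocation.
        return hmac.new(SIGNING_KEY, token_id.encode(), hashlib.sha256).hexdigest()

    def issue(self, user_id):
        token_id = secrets.token_urlsafe(16)
        self.live[token_id] = user_id
        return f"{token_id}.{self._tag(token_id)}"

    def authenticate(self, token):
        """Return the user a token belongs to, or None.

        No password or second factor is consulted: whoever presents a valid
        token is treated as that user. That is the bearer-token property."""
        token_id, _, tag = token.partition(".")
        if not hmac.compare_digest(tag, self._tag(token_id)):
            return None                      # forged or corrupted token
        return self.live.get(token_id)       # None once revoked on the server

    def record_feature_use(self, user_id, day):
        self.feature_use.setdefault(user_id, []).append(day)

    def revoke_for_feature_users_since(self, cutoff_day):
        """Force-logout everyone who used the feature on or after cutoff_day.

        Revocation must happen here: the attacker's copy of a token is
        byte-for-byte identical to the victim's, so only dropping the
        server-side record distinguishes a live session from a stolen one."""
        affected = {u for u, days in self.feature_use.items() if max(days) >= cutoff_day}
        to_drop = [tid for tid, u in self.live.items() if u in affected]
        for tid in to_drop:
            del self.live[tid]
        return len(to_drop)


def walkthrough():
    """Token copied by an attacker, then invalidated by a bulk forced logout."""
    svc = TokenService()
    alice_token = svc.issue("alice")
    bob_token = svc.issue("bob")
    svc.record_feature_use("alice", day=20180901)   # constructed: used the feature after the cutoff
    svc.record_feature_use("bob", day=20170601)     # constructed: last used it before the cutoff

    stolen = alice_token                             # the attacker needs nothing but the string
    before = svc.authenticate(stolen)                # "alice": the copy is as good as the original
    tampered = stolen[:-1] + ("0" if stolen[-1] != "0" else "1")
    forged = svc.authenticate(tampered)              # None: integrity tag no longer matches

    revoked = svc.revoke_for_feature_users_since(20170701)
    after = svc.authenticate(stolen)                 # None: forced logout killed the stolen copy too
    bob_still = svc.authenticate(bob_token)          # "bob": users outside the cutoff keep sessions
    return before, forged, revoked, after, bob_still


if __name__ == "__main__":
    print(walkthrough())
```

The integrity tag only stops forgery; it cannot tell a stolen token from the original, which is why a purely stateless signed token (one the server does not track) cannot be "logged out" at all. Any real forced-logout campaign needs the server-side record that `revoke_for_feature_users_since` deletes.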
Guy Rosen, vice-president of product management at Facebook, explained that the company has been in contact with law enforcement and is working with the FBI. "The investigation is early, and it's hard to discover who is behind this," Rosen said. "We may never know," he added, noting that such a large and complex hack required a high level of expertise. Dr Lukasz Olejnik, an independent cybersecurity and privacy researcher, corroborated this assessment, saying, "Anyone involved in this hack knew what he was doing."
Investigators are still establishing how the attacker used the stolen access tokens; Facebook says it has so far found no evidence of the attacker reading users' private messages or posting from their accounts.
Where the attack originated is also unknown for now, as it was so broad. Facebook notified the Irish Data Protection Commission (DPC); under the EU's newly implemented General Data Protection Regulation (GDPR), the company must report a breach of this kind to the regulator within 72 hours of becoming aware of it.
“Today’s disclosure is a reminder about the dangers posed when a small number of companies like Facebook or the credit bureau Equifax are able to accumulate so much personal data about individual Americans without adequate security measures,” said the US senator Mark Warner in a statement. “This is another sobering indicator that Congress needs to step up and take action to protect the privacy and security of social media users.”
Articles from trusted news sources such as the Guardian and the Associated Press covering the data breach were flagged as spam on Facebook, preventing users from sharing them on the platform. The company apologized for blocking news of the breach, blaming it on "automated systems."