Facebook Data Breach Compromises 50 Million Accounts
Facebook has recently been rocked by a series of scandals. On 25 September 2018, the social media giant announced that 50 million Facebook accounts had been breached.[1] The incident is the largest Facebook has suffered since it launched more than a decade ago. The timing could hardly have been worse: news of the breach arrived while the firm was already being scrutinized over how it handles and secures the personal information it collects from users, and while it was still recovering from the scandal in which a British firm, Cambridge Analytica, accessed millions of user accounts and used the personal data for political purposes.
While Facebook has yet to identify the hackers behind the September 2018 incident, details of the attack have already emerged. The attackers exploited a chain of vulnerabilities that gave them access to millions of Facebook accounts, including those of the firm’s CEO and COO, Mark Zuckerberg and Sheryl Sandberg respectively. According to the company, its engineers launched an investigation on 16 September after noticing an unusual spike in users accessing their Facebook accounts. On 25 September, that investigation revealed that adversaries had discovered and exploited bugs in the feature that lets a user see how other people view their profile. This is the “View As” feature, designed to let users check their privacy settings by seeing their own profile as another Facebook user would.
Facebook’s vice president of product management, Guy Rosen, told reporters that in July 2017 the company may have introduced three bugs in the site’s video uploader. The first flaw caused the uploader tool to appear, mistakenly, on the “View As” page. A second bug then let the attackers use the video uploader tool to generate access tokens. An access token is an object describing a security context; it normally carries the identity and privileges of the user account it was issued for. With such a token, the hackers could log into a Facebook account without a password, or a username for that matter; in effect it granted them sign-in permissions equivalent to those of Facebook’s mobile application. Finally, whenever the video uploader tool appeared on the “View As” page, it generated a token not for the logged-in user but for the account being viewed as, which the hackers could then use to log in to other accounts.
Although the breach gave attackers full access to the affected accounts, Guy Rosen said that Facebook had yet to determine whether they accessed any personal information or otherwise misused the accounts. The firm also noted that it only detected the breach because the hackers automated the attack at large scale. Mark Zuckerberg further reported that the attackers attempted to retrieve account information by querying the accounts’ developer APIs. The CEO added that the investigation had not yet established whether the hackers used the tokens to create new posts or to access private messages or past posts.[2] What is known is that the attackers used the account APIs to read profile information such as name, hometown and gender.
So why did Facebook go for more than a year (since July 2017) without discovering the vulnerabilities the video uploader had introduced? According to David Kennedy, founder and CEO of the cybersecurity firm TrustedSec, it is easy to say that Facebook ought to have found the vulnerabilities during security testing. He points out, however, that flaws of this kind can be extremely difficult to identify, because they only surface when the site is tested dynamically while it is running.[3] Still, for a company like Facebook, which takes great pride in its engineering capabilities, it is very uncharacteristic that the vulnerabilities went unnoticed for so long.
A data breach of this magnitude could cause unprecedented damage. Facebook is one of the largest and most influential social media platforms of our time, serving over 2.2 billion users worldwide. As a result, other popular platforms such as Instagram, Spotify, and hundreds of others allow users to log in with their Facebook credentials. Consequently, hackers holding the login credentials of Facebook users can use them to compromise numerous other accounts, turning one incident into a large-scale cyber-attack across platforms. Facebook recognizes this and has since reorganized its security team to work closely with every product team across the company instead of operating as a stand-alone department. The aim is to embed security measures in every step of Facebook’s product development.
Facebook responded appropriately to the data breach. Immediately after the breach was discovered, the firm notified all the relevant authorities and began an investigation with the help of the FBI. The vulnerabilities that gave the hackers access to the compromised accounts were fixed the same day the breach was publicly announced. The company also notified the users of the affected accounts and explained the steps it had taken to make the platform more secure. It then logged out all the affected accounts, plus an additional 40 million users deemed to be at risk,[4] which reset the access tokens of those accounts so that the hackers could no longer use them.
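The two security-relevant points in the story are the token-minting mistake described above (a token issued in a “View As” context ended up belonging to the account being viewed, not to the logged-in user) and the remediation of invalidating every outstanding token for the affected accounts. The following added example illustrates both in a small token service; it is constructed for this article and is not Facebook’s code. The HMAC-signed token format, the in-memory `token_version` table and the `Session.view_as` field are all assumptions made for the illustration.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Iterable, Optional

# Constructed example: a minimal access-token service for a hypothetical site.
# In production the signing key would live in a KMS/HSM, and the version table
# in a durable store; both are in-memory here so the example runs stand-alone.
SERVER_KEY = secrets.token_bytes(32)

# user_id -> current token version. Bumping the version revokes every token
# previously issued to that account (this mirrors "resetting access tokens").
token_version: dict = {}


@dataclass
class Session:
    user_id: str                     # the account that actually authenticated
    view_as: Optional[str] = None    # profile being previewed in "View As", if any


def _sign(payload: str) -> str:
    return hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()


def _build(subject: str, ttl: int, now: Optional[float]) -> str:
    exp = int((now if now is not None else time.time()) + ttl)
    payload = f"{subject}|{token_version.get(subject, 0)}|{exp}"
    return payload + "|" + _sign(payload)


def mint_token_insecure(session: Session, ttl: int = 3600,
                        now: Optional[float] = None) -> str:
    # Weak pattern: the token subject is whichever identity the page is
    # currently rendering, so a preview context yields a token for someone else.
    subject = session.view_as or session.user_id
    return _build(subject, ttl, now)


def mint_token(session: Session, ttl: int = 3600,
               now: Optional[float] = None) -> str:
    # Hardened pattern: tokens are bound to the authenticated principal only,
    # and nothing is minted at all while a preview/impersonation context is active.
    if session.view_as is not None:
        raise PermissionError("token minting is disabled in View As context")
    return _build(session.user_id, ttl, now)


def try_mint(session: Session, minter=mint_token) -> Optional[str]:
    """Helper for callers that want None instead of an exception on refusal."""
    try:
        return minter(session)
    except PermissionError:
        return None


def verify_token(token: str, now: Optional[float] = None) -> Optional[str]:
    """Return the user_id the token authenticates, or None if it is invalid,
    expired, or revoked by a version bump."""
    try:
        subject, version, exp, sig = token.split("|")
    except ValueError:
        return None
    payload = f"{subject}|{version}|{exp}"
    if not hmac.compare_digest(_sign(payload), sig):
        return None
    if int(exp) < (now if now is not None else time.time()):
        return None
    if int(version) != token_version.get(subject, 0):
        return None
    return subject


def revoke_all(user_ids: Iterable[str]) -> int:
    """Invalidate every outstanding token for the given accounts, forcing a
    fresh login. Returns the number of accounts processed."""
    ids = list(user_ids)
    for uid in ids:
        token_version[uid] = token_version.get(uid, 0) + 1
    return len(ids)


if __name__ == "__main__":
    leaked = mint_token_insecure(Session("alice", view_as="bob"))
    print("insecure minter issued a token for:", verify_token(leaked))
    print("hardened minter in View As context:", try_mint(Session("alice", view_as="bob")))
    tok = mint_token(Session("carol"))
    revoke_all(["carol"])
    print("carol's token after bulk revocation:", verify_token(tok))
```

The version-bump revocation is the detail worth copying: because every token embeds the account’s version at issue time, a single counter increment per account invalidates all of that account’s tokens at once, which is how a platform can log out tens of millions of sessions without enumerating the tokens themselves.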
There are several lessons to be drawn from Facebook’s breach. First and foremost, it shows that cybersecurity is an arms race requiring constant vigilance; early identification of vulnerabilities is the surest way of staying protected in a volatile threat environment. The breach also demonstrates the importance of a speedy response: within a few days of discovering the hack, Facebook had notified the relevant authorities and the affected users and fixed the vulnerability. A fast response limits the further damage an incident can do. Moreover, with the breach affecting millions of EU citizens, Facebook is likely to face a GDPR fine, possibly amounting to 4% of its annual global revenue. From a financial perspective alone, this makes protecting personal data more important than ever for companies.
[1] https://www.nytimes.com/2018/09/28/technology/facebook-hack-data-breach.html
[2] https://techcrunch.com/2018/09/28/facebook-says-50-million-accounts-affected-by-account-takeover-bug/
[3] https://www.trustedsec.com/2018/10/trustedsec-ceo-david-kennedy-on-cnn/
[4] https://www.cnbc.com/2018/10/12/facebook-security-breach-details.html