Facebook announced a data breach that put the accounts of about 50 million users at risk. It stemmed from a chain of bugs in the site's "View As" feature that let attackers steal access tokens. Find out the details of the Facebook data breach and what you can do about it.
Facebook Data Breach Facts
Facebook said it found the vulnerability earlier this week and announced it on Friday. The vulnerability stemmed from Facebook's "View As" feature, which lets people see what their profile looks like to other people. Attackers exploited bugs in code associated with the feature to obtain "access tokens" that could be used to take over people's accounts.
Access tokens aren't your password. They are the credentials the site hands a browser or app after you log in, so that you stay logged in without re-entering the password; whoever holds a valid token can act as that account until the token is revoked. Facebook said the stolen tokens could also have been used with third-party apps that you log in to through your Facebook account, including Instagram. As a precautionary measure, Facebook reset the tokens of about 90 million people, logging them out: the roughly 50 million accounts it believes were affected, plus around 40 million more whose profiles had been looked up through "View As" in the past year. So if you were logged out on Friday, your account was among those whose tokens were reset, although not necessarily among the 50 million actually accessed.
Serious Security Issue
The company has informed the FBI and the Irish Data Protection Commission. Facebook said the investigation is in the early stages and it doesn't yet know who was behind the attacks. Mark Zuckerberg said on a conference call with reporters Friday: "This underscores there are just constant attacks from people who are trying to take over accounts and steal information from our community. This is going to be an ongoing effort."
How it happened
The vulnerability was introduced by a change shipped in July 2017, when Facebook added a video uploader that prompted people to post "Happy Birthday" videos. The company is still investigating the attack and doesn't know how much information was stolen or who is behind the hack.
Attackers chained a series of steps that let them generate access tokens for millions of Facebook users. They started by using "View As" on a profile they controlled to view it as another user. The "View As" feature is meant to let users see how their profile looks to the public or to specific friends based on their privacy settings, and it is supposed to be read-only.
But when the attackers viewed a profile as another user, the tool for posting a birthday video sometimes appeared. That shouldn't have happened, but did at times because of a bug, according to Facebook. Then, because of a second bug in the video tool, that tool requested an access token; and because of a third bug, the token it received was issued for the user being impersonated rather than for the person actually logged in. The attackers ended up holding a valid token for the targeted user, giving them access to that user's account.
With that access token, the attackers had control of the user's account. They could then "pivot," said Guy Rosen, Facebook's vice president of product management, and use that account to view its profile as yet another user. Then they would repeat the process and generate an access token for that user, too.
The attackers were able to scale this multi-step attack up dramatically, so much so that Facebook noticed an unusual spike in user activity in September and began investigating, Rosen said.
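The chain described above is easier to see in code. The following is an added example written for this page, not Facebook's code: it is a constructed simulation in which every class, function and user name is hypothetical. It shows the core defect, a token minted for the user being impersonated instead of the authenticated viewer, the hardened version that refuses to issue tokens in a read-only View As context, and the breadth-first "pivot" through a friend graph that turns one wrong-principal token into many.

```python
# Added example: a constructed simulation of the three-bug chain the article
# describes. Not Facebook's code; all names, users and the friend graph are
# hypothetical and exist only to make the failure mode concrete.
import secrets
from collections import deque
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Set


@dataclass
class Session:
    """An authenticated browser session. `viewer` is the logged-in user;
    `view_as` is the friend whose perspective the profile is being rendered
    from, or None when the profile is shown normally."""
    viewer: str
    view_as: Optional[str] = None


@dataclass
class TokenService:
    """Mints access tokens and records which user each token acts as."""
    tokens: Dict[str, str] = field(default_factory=dict)

    def mint(self, subject: str) -> str:
        tok = secrets.token_hex(8)
        self.tokens[tok] = subject
        return tok

    def subject_of(self, tok: str) -> str:
        return self.tokens[tok]


def vulnerable_video_uploader(session: Session, svc: TokenService) -> Optional[str]:
    """The buggy path: (1) the uploader is rendered even under View As,
    (2) it asks for a token, and (3) the token is bound to the impersonated
    user rather than to the person who is actually logged in."""
    acting_user = session.view_as if session.view_as is not None else session.viewer
    return svc.mint(acting_user)  # bug 3: wrong principal


def hardened_video_uploader(session: Session, svc: TokenService) -> Optional[str]:
    """Fixed behaviour: View As is read-only, so no write tooling and no token
    under impersonation; any token issued is bound to the authenticated viewer."""
    if session.view_as is not None:
        return None  # no uploader, no token, in a read-only preview
    return svc.mint(session.viewer)  # subject == authenticated user, always


def pivot(friends: Dict[str, Set[str]], start_token: str, svc: TokenService,
          uploader: Callable[[Session, TokenService], Optional[str]]) -> Set[str]:
    """Breadth-first takeover: holding a token for U, view U's profile as each
    friend F and ask the uploader for a token; if that token acts as F, F's
    friends become reachable in turn."""
    owned: Set[str] = {svc.subject_of(start_token)}
    queue = deque(owned)
    while queue:
        user = queue.popleft()
        for friend in sorted(friends.get(user, ())):
            if friend in owned:
                continue
            tok = uploader(Session(viewer=user, view_as=friend), svc)
            if tok is not None and svc.subject_of(tok) == friend:
                owned.add(friend)
                queue.append(friend)
    return owned


# Constructed friend graph with hypothetical users; the attacker owns one
# ordinary account that is friends with "alice".
FRIENDS: Dict[str, Set[str]] = {
    "attacker": {"alice"},
    "alice": {"attacker", "bob", "carol"},
    "bob": {"alice", "dave"},
    "carol": {"alice"},
    "dave": {"bob", "erin"},
    "erin": {"dave"},
}


def run(uploader: Callable[[Session, TokenService], Optional[str]]) -> Set[str]:
    """Start from the attacker's own legitimate token and pivot as far as the
    given uploader implementation allows. Returns the set of accounts owned."""
    svc = TokenService()
    seed = svc.mint("attacker")
    return pivot(FRIENDS, seed, svc, uploader)


if __name__ == "__main__":
    print("vulnerable:", sorted(run(vulnerable_video_uploader)))
    print("hardened:  ", sorted(run(hardened_video_uploader)))
```

With the vulnerable uploader the crawl reaches every account connected to the attacker's starting point; with the hardened one it never gets past the attacker's own account. The invariant worth taking away is the one the hardened function enforces: a token's subject must equal the principal that authenticated the session, and an impersonation or preview mode must never be able to mint credentials at all.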
Fatemeh Khatibloo, an analyst at Forrester who focuses on consumer privacy, said in an email that it appeared Facebook had contained the damage from the breach at an early stage. She added that users probably heard about it sooner than they otherwise would have, because new privacy regulations came into effect in the European Union earlier this year. The General Data Protection Regulation requires companies to report a personal data breach to the relevant supervisory authority no more than 72 hours after becoming aware of it, and to notify affected users without undue delay when the breach is likely to put them at high risk.
“GDPR has forced [Facebook]’s hand in reporting the breach much earlier than they perhaps would have liked, and before they understand the full scope,” Khatibloo said.
Debra Farber, senior director of privacy strategy at tech firm BigID, said the increased speed in reporting data breaches will have a positive long-term effect for the company. “It may not be today or tomorrow, but such actions are sure to engender significantly more trust,” she said. BigID helps companies comply with privacy regulations.
The breach has also led to more criticism from lawmakers, who have already discussed introducing regulation to rein in big tech companies.
What should you do?
The company is still investigating the attack. It doesn't know how much information was stolen or who is behind the Facebook data breach. Because access tokens were stolen rather than passwords, Facebook said that affected users don't need to change their security settings, including their passwords; resetting the tokens is what cut off the attackers' access. Changing your password anyway is harmless and may give you peace of mind, but be clear that it would not have prevented this attack. More useful is to open the "Security and Login" section of your settings, review the list of devices and locations where you are logged in, log out of anything you don't recognise, and turn on two-factor authentication. Data breaches are becoming far too common, so we have to be vigilant in keeping our accounts as secure as possible and limiting the sensitive information we post online.