Tech Brief: Facebook Under Spotlight Again After Massive Security Breach

Facebook once again raised uncomfortable questions about why anyone should trust it with their personal data after it disclosed a security flaw in its video uploader feature that exposed as many as 50 million accounts to hackers, who "exploited a vulnerability in Facebook's code that impacted 'View As,' a feature that lets people see what their own profile looks like to someone else, ... to steal Facebook access tokens (software keys that keep users logged in so that they don't need to re-enter their passwords every time) which they could then use to take over people's accounts."

Image: Facebook Newsroom

Although Facebook says it has fixed the issue and alerted law enforcement (indicating that the flaw was exploited with the intention of stealing user identities), as a precautionary measure it has forcibly booted 90 million people out of their accounts (by resetting their access tokens) and had them log back in, in addition to "temporarily turning off the 'View As' feature while we conduct a thorough security review."

The flaw, inadvertently introduced on the site back in July 2017 but discovered only on September 25, is the fourth in a series of troubling security lapses that have plagued its massive social platform since the start of the year. The social network, which has come under intense scrutiny for failing to protect user data in the Cambridge Analytica data scandal, in which an outside research firm got its hands on the personal information of 87 million Facebook users without their permission, courted further trouble back in June/July after a software bug unblocked people who had been blocked by another user and changed the target audience of Facebook posts made by 14 million users from "friends" to "public" without any warning.

"We're continuing to improve our defenses, and I think that this also underscores that there are just constant attacks from people who are trying to take over accounts or steal information from people in our community," said CEO Mark Zuckerberg during a conference call with journalists following the revelation. But a lot of unanswered questions remain. Who is behind these attacks? How long had the hackers been exploiting this flaw? What data did they steal? Was it just token/profile information (in which case it would also affect third-party websites like Instagram, Spotify, Tinder and just about any service that uses Facebook Login), or did it involve other personal data? (Facebook has said the investigation is still in its early stages.)

The company is already feeling the heat though, with its stock price tumbling more than 3 percent in the wake of the disclosure, apart from facing a class-action lawsuit filed on behalf of one California resident, Carla Echavarria, and one Virginia resident, Derick Walker, who allege that "Facebook's lack of proper security has exposed them and additional potential class members to a significantly increased chance of identity theft as a result of the breach."

Update on Sept. 30: Facebook may face up to US$ 1.63 billion in fines from Ireland's Data Protection Commission, days after the company disclosed a data breach of more than 50 million users, according to a new report by The Wall Street Journal.

Update on Oct. 2: In a statement published today, Facebook confirmed that the "investigation has so far found no evidence that the attackers accessed any apps using Facebook Login," a single sign-on feature that allows users to log in to third-party websites using their Facebook credentials.

Update on Oct. 12: On Friday morning, Facebook announced the results of its investigation into the security issue. The attackers, it said, "already controlled a set of accounts, which were connected to Facebook friends," and that "they used an automated technique to move from account to account so they could steal the access tokens of those friends, and for friends of those friends, and so on, totaling about 400,000 people." The hackers then "used a portion of these 400,000 people's lists of friends to steal access tokens for about 30 million people," the statement read.

The good news here is that the breach affected fewer people than was previously believed (50 million). But the bad news is that it appears to have confirmed the worst fears: of those 30 million, 15 million had their name and contact details (phone number, or email, or both) improperly accessed, while 14 million had, in addition to their name and contact info, their "username, gender, locale/language, relationship status, religion, hometown, self-reported current city, birthdate, device types used to access Facebook, education, work, the last 10 places they checked into or were tagged in, website, people or Pages they follow, and the 15 most recent searches" exposed. For the remaining 1 million, none of their information was taken. Facebook is also putting up a help page to notify all 30 million affected users.

"People's privacy and security are important to us, and we are sorry this happened," said Guy Rosen, VP of product management, in a call with journalists. The social network, which is already battling a huge trust crisis, said the FBI is actively investigating the hack and assured that no data was accessed from third-party apps linked to users' Facebook accounts.

Update on Oct. 18: Facebook appears to have concluded that the attack was perpetrated by scammers looking to make quick money off deceptive advertising, reports The Wall Street Journal. While the attack no longer appears to have been politically motivated, the news may still be of little assurance to users who are losing trust in a platform that has been mired in a cesspool of privacy abuses over the last few years.

Update on Nov. 15: The Freedom From Facebook Coalition, a group of vocal critics of the social networking giant, filed a complaint with the U.S. Federal Trade Commission, asking the consumer protection agency to investigate the data breach. "Facebook, Inc. is a serial privacy violator that cannot be trusted," the complaint reads. "It has grown too big and its products have become too integrated and too complex to manage. Not only can we no longer trust Facebook, Inc. to manage its system safely, the corporation no longer has the capacity to do so effectively."