by Team Yakkety Yak, October 11, 2018
Earlier this month, Facebook suffered another massive security breach. This is the social media platform’s worst hack yet, compromising the activity history and account control of over 50 million people, or 2.5% of Facebook’s users.
The number of those affected may seem like a drop in the bucket, considering Facebook has over 2 billion users, but the breach is raising concern in data privacy and security circles. Although Facebook has eased minds over past breaches, the latest hack is leading many to question the platform’s systemic security issues, and two consecutive days of declining stock value have given investors cause for concern. In the days that followed the hack, reports indicated that an additional 40 million accounts suffered data exposure.
The skilled hackers are still at large, and facts about the hack are still few and far between—including exactly who was affected and what data was stolen. That is, with one exception: Mark Zuckerberg confirmed his personal account was one of the 50 million affected. Hopefully, this provides some comfort that the billionaire boy genius isn’t exempt from his company’s security catastrophe. What is clear, though, is that the hackers exploited three bugs in Facebook’s code, including in the “View as” feature, which lets a user see their own profile as a particular “Friend” would see it. Those bugs also allowed the hackers to steal profile access tokens.
Classifying the breach as a “sophisticated attack,” Facebook’s VP of Global Marketing Solutions, Carolyn Everson, also mentioned a shift in company mindset from reactive security to proactively “recognizing our responsibility, taking very specific actions” to protect user accounts. No further explanation of these “specific actions” was given. Zuckerberg did comment that Facebook is voluntarily working with the FBI to identify the hackers. He also echoed Everson’s comments about proactively protecting the community by preventing these attacks from occurring in the first place through “investing heavily in security going forward.”
However, improved security moving forward doesn’t negate the fact that the hack affected other services that use the Facebook login option, including Tinder, Spotify and Pinterest.
Ireland’s Data Protection Commission is expected to open a formal investigation, which could include a fine of $1.63 billion. This commission forced Facebook to reveal the breach in order to comply with “strict” (AKA reasonable) privacy rules requiring that the public be informed within 72 hours. As Europe continues to crack down on online data collection and breach-notification regulations—due in large part to the General Data Protection Regulation (GDPR) that went into effect in May of this year—the tech world fully expects Europe to pressure Facebook to release more information and to enact monetary punishment. As hacked Facebook accounts show up on the dark web for as little as $3, the heat is turning up on Zuckerberg, and it isn’t likely to cool down anytime soon.
Facebook has since reset all 90 million affected accounts, which invalidates their access tokens, and vows that the vulnerabilities—the “View as” feature, the video uploader, and the video uploader within the “View as” feature—have been patched. However, with Facebook writing that “if we find more affected accounts, we will immediately reset their access token,” confidence in both the internal investigation and the company is dwindling. Our advice? It’s best to be on the safe side: log out of your profile, change your password for Facebook and all related accounts, and triple-check your security settings.