Social media giant suffers huge data breach
Not even six months after being caught up in a data breach scandal with political data firm Cambridge Analytica, Facebook was targeted in a new cyber-crime.
The social media giant reported that on Tuesday, Sept. 25, its engineering team discovered a security issue affecting almost 50 million accounts. The cyber-criminals exploited a vulnerability caused by a change dating back to July 2017 that enabled users to upload video to their “View As” service. (View As enables users review what their personal profile looks like to someone else.)
By linking into this option, hackers were able to steal Facebook access tokens, which could be used to take over people’s accounts. Access tokens are the equivalent of digital keys that eliminate the need for users to re-enter their password every time they log onto Facebook.
According to a blog on Facebook’s website, the company has taken multiple steps to remediate the issue. In addition to fixing the vulnerability and informing law enforcement, Facebook has also reset the access tokens of approximately 50 million victimized accounts. The company is also resetting access tokens for another 40 million accounts that have been subject to a “View As” look-up in the last year.
These efforts require around 90 million people to log back in to Facebook, or any of their apps that use Facebook Login. After they have logged back in, users will get a notification at the top of their News Feed explaining the incident, according to Facebook.
Finally, the company is currently conducting a “thorough security review” of its View As feature.
Since the company is only three days into its investigation, it is undetermined if member accounts were misused or if any information was accessed. It is also uncertain who is behind the attacks, Facebook reported.
“People’s privacy and security is incredibly important, and we’re sorry this happened. It’s why we’ve taken immediate action to secure these accounts and let users know what happened,” Guy Rosen, VP of product management, Facebook, said in the blog.
“This attack exploited the complex interaction of multiple issues in our code,” Rosen added. “The attackers not only needed to find this vulnerability and use it to get an access token, they then had to pivot from that account to others to steal more tokens.”
The company added that there is no need for anyone to change their passwords. If any additional affected accounts are detected, “we will immediately reset their access tokens,” Rosen said.
This is not Facebook’s first data breach. In March, data from 87 million Facebook users was pilfered, without authority, by political data firm Cambridge Analytica.
However, some industry observers believe the two incidents are not comparable.
“It’s easy to mix this [incident] in with their data privacy woes, but this breach is really of a different nature where the weaponization of identity makes any platform that houses user data vulnerable,” said Sarah Clark, principal at One World Identity, an independent advisory firm focused on trust and the data economy.
“If you are a digital business, it is critical to have tools to quickly detect account takeover attacks in place,” she added. “Which in today’s standards means machine learning driven algorithms, layered with behavioral biometrics that can detect anomalies as quickly as possible.”