The How, Why and What Next of Facebook's Latest Data Breach
Another day, another social media platform data breach – though this one may be the most significant thus far.
If you haven’t been tuned into the tech press, here’s a rundown of Facebook’s latest data breach, what was potentially accessed by the hackers, and what it could mean for The Social Network - and social media more broadly - moving forward.
At around 2am ET on Friday, a heap of Facebook users took to Twitter to report that they’d been randomly logged out of their accounts. The problem was most widely reported in India (where it was 10am local time), but reports flowed in from everywhere, indicating that a significant issue of some kind had occurred.
Shortly after, a Taiwanese hacker named Chang Chi-yuan announced that he had discovered a vulnerability in Facebook’s code, which he would use on Sunday to log in to Facebook CEO Mark Zuckerberg’s account and delete it, and that he would stream himself doing so on Facebook Live.
The announcement sparked a flurry of activity from Facebook, as users tried to understand what, exactly, was going on, and importantly, whether their Facebook data was safe.
Facebook then published an official explanation on its blog – Facebook VP of Product Management Guy Rosen explained that, on Tuesday afternoon, Facebook had identified “a security issue affecting almost 50 million accounts”.
“Our investigation is still in its early stages. But it’s clear that attackers exploited a vulnerability in Facebook’s code that impacted “View As”, a feature that lets people see what their own profile looks like to someone else. This allowed them to steal Facebook access tokens which they could then use to take over people’s accounts. Access tokens are the equivalent of digital keys that keep people logged in to Facebook so they don’t need to re-enter their password every time they use the app.”
For context, Gabriel Dance of the New York Times provided this explanation, which outlines what data hackers could potentially obtain with the type of access tokens in question.
re: fb’s announcement of 50m access tokens compromised… here’s a quick look at how we used ONE access token to acquire detailed information on 556 friends of a user, and unique identifiers (useful for scraping and combining information) on over 294,000 more. all with one token. pic.twitter.com/Tjo3Di7qAB
— gabriel dance (@gabrieldance) September 28, 2018
As such, this breach could potentially be a lot larger than the Cambridge Analytica scandal, which relied on permissions users had granted to an app, and did not involve researchers taking over user accounts.
As noted by Dance, while only 50 million accounts were directly impacted (note: Facebook also logged out another 40 million as a precaution), the broader data access implications could be huge, depending on how the hackers approached the process.
Facebook has now advised that the breach has been fixed, the relevant authorities have been notified, and that impacted users will see a notification at the top of their News Feed when they log back in.
There’s no word on who may have been involved in the hack, though Facebook has said that the operation, at peak, was “complex” and leveraged multiple bugs that interacted together, which suggests it would have required a high level of expertise (likely beyond the capacity of a single bug bounty-chaser like Chi-yuan). Passwords were not stolen, and as a precautionary measure, Facebook is disabling the “View As” option on profiles while it investigates.
What, Specifically, Was Accessed?
At the moment, we don’t know what the hackers were actually looking to steal, or were able to take as a result of this flaw.
As noted above, theoretically, they could have used this process to access a heap of data on every affected user, and if they’d been doing this for a couple of days, there is a chance that vast amounts of personal info have been downloaded, and could be packaged up and sold on the dark web.
As Facebook says, no one knows, at this time, what was accessed:
“Since we’ve only just started our investigation, we have yet to determine whether these accounts were misused or any information accessed. We also don’t know who’s behind these attacks or where they’re based. We’re working hard to better understand these details — and we will update this post when we have more information, or if the facts change. In addition, if we find more affected accounts, we will immediately reset their access tokens.”
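Facebook’s explanation above calls access tokens “digital keys”, and its remedy is to “reset their access tokens” for every affected account. The following is an added example, not Facebook’s code and not a description of how its token system is built, showing why a stolen bearer token works without a password, why a provider resets tokens rather than passwords after a theft, and why a site that accepts a social login should check that a token was issued for its own app. The token format, the HMAC signing scheme, the per-user generation counter, and all user and app ids are assumptions constructed for this illustration.

```python
import base64
import hashlib
import hmac
import json
import os
import time
from typing import Dict, Optional

# Server-side signing secret (constructed for this example; a real service
# would keep this in an HSM or secrets manager).
_SIGNING_KEY = os.urandom(32)

# Per-user "token generation" counter (assumed design). Every token records
# the generation it was issued under; bumping the counter invalidates all of
# a user's outstanding tokens at once, without touching the password.
_token_generation: Dict[str, int] = {}


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(user_id: str, app_id: str, ttl_seconds: int = 3600,
                now: Optional[float] = None) -> str:
    """Mint a bearer token bound to one user, one consuming app ("aud") and
    the user's current token generation."""
    now = time.time() if now is None else now
    payload = {
        "sub": user_id,
        "aud": app_id,
        "gen": _token_generation.get(user_id, 0),
        "exp": now + ttl_seconds,
    }
    body = _b64(json.dumps(payload, separators=(",", ":")).encode())
    sig = hmac.new(_SIGNING_KEY, body.encode(), hashlib.sha256).digest()
    return f"{body}.{_b64(sig)}"


def validate_token(token: str, expected_app_id: str,
                   now: Optional[float] = None) -> Optional[str]:
    """Return the user id the token grants access to, or None if the token is
    forged, expired, issued for a different app, or has been revoked.
    Note that no password is involved: holding a valid token *is* being
    logged in, which is exactly why stolen tokens matter."""
    now = time.time() if now is None else now
    try:
        body, sig = token.split(".", 1)
        expected_sig = hmac.new(_SIGNING_KEY, body.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected_sig, _unb64(sig)):
            return None
        payload = json.loads(_unb64(body))
    except ValueError:  # bad base64, bad JSON, or missing separator
        return None
    if not isinstance(payload, dict):
        return None
    user_id = payload.get("sub")
    if not isinstance(user_id, str):
        return None
    if payload.get("aud") != expected_app_id:   # token was minted for another app
        return None
    if payload.get("exp", 0) <= now:            # expired
        return None
    if payload.get("gen") != _token_generation.get(user_id, 0):  # revoked
        return None
    return user_id


def revoke_all_tokens(user_id: str) -> None:
    """Force-logout one user: every token minted under the old generation
    stops validating immediately. Applying this to each affected account is
    the "reset their access tokens" step, and it is also why affected users
    found themselves logged out rather than asked for a new password."""
    _token_generation[user_id] = _token_generation.get(user_id, 0) + 1


def demo() -> Dict[str, bool]:
    """Walk through a stolen-token scenario with constructed data."""
    t0 = 1_000_000.0
    victim = "user-1234"                       # constructed user id
    stolen = issue_token(victim, "social-web", now=t0)   # constructed app id
    results = {}
    # A bearer token is a key: whoever presents it is the user.
    results["stolen_token_works"] = validate_token(stolen, "social-web", now=t0 + 60) == victim
    # A relying site that checks the audience rejects a token minted for another app.
    results["rejected_by_other_app"] = validate_token(stolen, "thirdparty-site", now=t0 + 60) is None
    # Editing the payload without the signing key breaks the signature.
    _, sig = stolen.split(".", 1)
    tampered = _b64(json.dumps({"sub": "user-9999", "aud": "social-web",
                                "gen": 0, "exp": t0 + 3600}).encode()) + "." + sig
    results["forged_rejected"] = validate_token(tampered, "social-web", now=t0 + 60) is None
    # Short lifetimes limit the window a stolen token is useful.
    results["expired_rejected"] = validate_token(stolen, "social-web", now=t0 + 4000) is None
    # Incident response: reset the affected user's tokens.
    revoke_all_tokens(victim)
    results["stolen_token_after_reset"] = validate_token(stolen, "social-web", now=t0 + 60) is None
    # A fresh login after the reset works again.
    fresh = issue_token(victim, "social-web", now=t0 + 120)
    results["fresh_token_works"] = validate_token(fresh, "social-web", now=t0 + 180) == victim
    return results


if __name__ == "__main__":
    for check, passed in demo().items():
        print(f"{check}: {'ok' if passed else 'FAIL'}")
```

The audience check is the part that matters for the later update about Facebook Login: a site that accepts a token without confirming it was issued for its own app would let a token stolen from the identity provider double as a login for that site, whereas a site that validates the audience (and the generation counter, if the provider exposes revocation) is protected once the provider resets tokens.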
It’s worth remembering that during the Cambridge Analytica investigation, it was initially reported that only 30 million Facebook accounts were impacted, then Facebook revised that up to 50 million, then 87 million when reporting to Congress. That, of course, is not to say the same will happen again, but these are initial figures only. The damage could be significantly more widespread, depending on how the attack was carried out and why.
What we do know, as explained by Facebook, is that up to 90 million accounts were directly impacted, and with the vulnerability now addressed, they can no longer be breached. We’ll have to wait for further details.
What Will this Mean for Facebook?
Ever since the Cambridge Analytica controversy, Facebook's been working to repair its image to some degree, with research showing that Facebook is now the least trusted company among the major tech giants.
That’s a problem when your company relies on audience data to fuel its advanced ad targeting system, and is also looking to roll out things like a new dating platform, and (reportedly) a smart speaker device, which would bring Facebook's data tracking directly into your home.
Apparently, Facebook had planned to launch its smart speaker device earlier in the year, but had to delay due to privacy concerns related to the Cambridge Analytica issue. The revised launch plan would have seen them revealing more details about their ‘Portal’ speaker device this week – but then…
In that respect, the latest breach doesn’t help Facebook’s reputation any – but as noted by Josh Constine from TechCrunch, the extended implications may be a lot more significant than that.
Constine reports that Senator Mark Warner, a vocal advocate for the regulation of social networks, has said that:
“This is another sobering indicator that Congress needs to step up and take action to protect the privacy and security of social media users – the era of the Wild West in social media is over.”
FTC Commissioner Rohit Chopra has also expressed his concern.
That could see Zuck and Co. subject to much more stringent operating regulations and requirements, which would be a major shift in how Facebook, and likely social platforms more broadly, work.
Regulation would come at a significant cost for Facebook, both in terms of monetary investment and independence, which is why the company has been working hard to avoid it by providing as much insight into its processes as possible, in an effort to placate officials and show that it can handle its business.
But the steady stream of privacy concerns continues to flow – just this week, Gizmodo reported that Facebook has been using people’s contact information, like mobile numbers uploaded for security purposes, as a data tool to help advertisers, without express user permission to do so.
It doesn’t look good for Facebook, and it definitely looks like expanded regulation will become a real possibility.
It may take months to sort through the damage left in the wake of this latest attack, and you can expect ongoing revelations and revisions in that time. But this could be the one that pushes regulators over the edge - and changes social media as we know it.
UPDATE: Another significant note on the data breach (via Will Oremus):
NEWS: Facebook's Guy Rosen just confirmed that the breach would have allowed hackers to access not only your Facebook account, but your accounts on other sites where you used Facebook as your login.
— Will Oremus (@WillOremus) September 28, 2018
More to come...
UPDATE (10/3): Facebook has reported that their investigation has found no evidence that the attackers accessed any apps using Facebook Login. They're still looking into the other potential impacts.
UPDATE (10/12): Facebook has provided another update on their ongoing investigation into the data breach and impacts. The Social Network now says that 30 million access tokens were stolen, fewer than they first suspected, but for those impacted, a wide range of data was accessed. Facebook has also confirmed that this was, indeed, a deliberate attack, and says that all affected users will receive a notification shortly.
Follow Andrew Hutchinson on Twitter