Facebook announced today that it has suffered a major data breach that may have affected up to 50 million users. This is according to a report from the New York Times. Facebook discovered the attack this past Tuesday and has contacted the FBI. The breach reportedly allows attackers to take over control of accounts. As a precaution, Facebook has automatically logged out more than 90 million potentially compromised accounts. The breach itself is definitely a big deal, and something that we should all be concerned about, but the way that Facebook is handling it is out of the ordinary for them. To start, they notified the proper authorities first, and while it has taken a few days, they have also notified users of the threat.
What is also surprising is how Mark Zuckerberg is responding to the breach, saying, “this is a really serious security issue and we’re taking it really seriously”. Attackers exploited vulnerabilities in the code for Facebook’s “View As” feature, enabling them to abscond with access tokens, which are like security-based cookies. An access token could then be used by a hacker to target the account. Facebook announced that they have patched the vulnerability and disabled View As. They’ve also reset the access tokens for the 50 million accounts that they know were targeted, as well as another 40 million people who might have used View As over the last year. This last act was done for good measure. Again – not something that we’ve seen Facebook do in the past.
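The mass token reset described above works because a server can refuse tokens it issued earlier without having to contact each client. The following Python is an added example, not Facebook’s code or token format, showing one way to implement that on the server side: every token carries a per-user generation number, and revoking a user’s tokens simply increments it, so any token issued before the reset fails verification. The TokenService class, its method names, the HMAC-signed token layout, and the sample key and user ids are all assumptions made for this illustration.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional


class TokenService:
    """Minimal access-token issuer with a per-user generation counter.

    Each token carries the generation number current at issue time.
    Bumping a user's generation (revoke_all) makes every outstanding
    token for that user fail verification, which is the server-side
    effect of a mass token reset after a breach. (Hypothetical design
    for this example, not a description of any real service.)
    """

    def __init__(self, secret: bytes):
        self.secret = secret        # HMAC key; constructed for the example
        self.generation = {}        # user_id -> current generation number

    @staticmethod
    def _b64(data: bytes) -> str:
        return base64.urlsafe_b64encode(data).decode().rstrip("=")

    @staticmethod
    def _unb64(text: str) -> bytes:
        return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

    def issue(self, user_id: str, ttl: int = 3600, now: Optional[int] = None) -> str:
        """Create a token bound to the user's current generation and an expiry."""
        now = int(time.time()) if now is None else now
        gen = self.generation.setdefault(user_id, 0)
        claims = {"uid": user_id, "gen": gen, "exp": now + ttl}
        payload = json.dumps(claims, separators=(",", ":"), sort_keys=True).encode()
        tag = hmac.new(self.secret, payload, hashlib.sha256).digest()
        return f"{self._b64(payload)}.{self._b64(tag)}"

    def verify(self, token: str, now: Optional[int] = None) -> Optional[str]:
        """Return the user id if the token is authentic, unexpired and current; else None."""
        now = int(time.time()) if now is None else now
        try:
            payload_b64, tag_b64 = token.split(".")
            payload = self._unb64(payload_b64)
            tag = self._unb64(tag_b64)
        except ValueError:          # malformed structure or bad base64
            return None
        expected = hmac.new(self.secret, payload, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):   # integrity check first
            return None
        claims = json.loads(payload)
        if claims["exp"] <= now:                     # expired
            return None
        if claims["gen"] != self.generation.get(claims["uid"], 0):
            return None                              # issued before a reset
        return claims["uid"]

    def revoke_all(self, user_id: str) -> None:
        """Invalidate every token the user currently holds by bumping the generation."""
        self.generation[user_id] = self.generation.get(user_id, 0) + 1


def demo() -> dict:
    """Walk through issue -> reset -> reissue, plus a forged and an expired token."""
    svc = TokenService(secret=b"example-key-not-for-production")   # constructed
    t0 = 1_700_000_000                                             # fixed clock
    old = svc.issue("user-42", ttl=3600, now=t0)
    results = {"before": svc.verify(old, now=t0 + 10)}
    svc.revoke_all("user-42")            # the mass reset: old token now rejected
    results["after_reset"] = svc.verify(old, now=t0 + 10)
    fresh = svc.issue("user-42", ttl=3600, now=t0 + 20)
    results["reissued"] = svc.verify(fresh, now=t0 + 30)
    # Forgery attempt: change the uid claim but keep the original HMAC tag.
    payload_b64, tag_b64 = fresh.split(".")
    forged_claims = json.loads(TokenService._unb64(payload_b64))
    forged_claims["uid"] = "user-1"
    forged_payload = json.dumps(forged_claims, separators=(",", ":"), sort_keys=True).encode()
    results["forged"] = svc.verify(f"{TokenService._b64(forged_payload)}.{tag_b64}", now=t0 + 30)
    results["expired"] = svc.verify(fresh, now=t0 + 20 + 3600)
    return results


if __name__ == "__main__":
    print(demo())
```

The generation counter is the key design choice: a reset costs one integer increment per user rather than a round trip to every client, and a stolen token stops working the moment the counter moves, even if it has not yet expired.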
The company wasn’t able to confirm whether this particular data breach was related to a threat that Mark Zuckerberg received, in which a hacker indicated that they would delete Zuckerberg’s account. But what were the hackers actually after? Facebook says at least 50 million users’ data were confirmed at risk after attackers exploited a vulnerability that allowed them access to personal data. Did they target Facebook because they already knew that Facebook had vulnerabilities? Or because Facebook itself can (and does) access user data?
The good news is that Facebook is saying that the company hasn’t seen any accounts compromised or improperly accessed. But because we’re in the early days of this potential crisis, that could change. Zuckerberg said that the attackers were using Facebook developer APIs to obtain some information, like “name, gender, and hometowns” that are linked to a user’s profile page. Further, Facebook is saying that it’s not likely that private messages were accessed. In addition, no credit card information has been used in the breach.
What does this mean for Facebook? If they were found to have breached European data protection rules (more specifically the General Data Protection Regulation), they could face fines of up to 4% of their total global revenue. But this can’t happen until Facebook knows more about the nature of the breach and what the risk is to users. Senator Mark Warner (D-VA) issued another stern warning to Facebook in regards to this latest breach. He again pushed for regulating companies that hold large sets of data in order to ensure that things like this don’t keep happening. Where that will lead remains to be seen.