Facebook has announced a massive data breach affecting almost 50 million accounts. This breach, the largest in the company’s history, was discovered on September 25 and announced three days later. So far there is little information about the full impact, the motive, who may have been targeted, or whether the data accessed was misused. Here’s what we do know:
What Happened
Vulnerabilities in Facebook’s code allowed attackers to directly take over user accounts by stealing “access tokens” which are essentially keys to an account. These tokens act as authorization that keeps users logged in to their accounts over time without having to re-enter a password. Facebook discovered the breach because it noticed an unusual spike in users on September 16, prompting investigation. The company has said that the attackers could see everything in a victim’s profile, though there is still no information about the potential misuse of this data. According to CEO Mark Zuckerberg, “So far, our initial investigation has not shown that these tokens were used to access any private messages or posts or to post anything to these accounts, but this, of course, may change as we learn more.” Facebook has stated that passwords and payment information were not compromised.
How accounts were accessed
This breach was made possible because of three distinct flaws in Facebook’s code that, combined, allowed attackers to see a user’s access token in the page’s HTML. The vulnerability had existed since July 2017, when Facebook implemented new video upload functionality. The “View As” page, normally a read-only page that allows users to preview their profile as another person would see it, also allowed users to post video birthday messages. When a video was posted from that page, an access token was incorrectly generated for the user being looked up (rather than the logged-in user) and displayed in the page’s HTML. The attackers were able to take these access tokens to log in as another user, and then pivot from that account to others by repeating the same method to extract further access tokens.
Is your account secure?
Facebook has reset all 50 million affected tokens, as well as 40 million tokens for other users who have used “View As” in the last year, as an extra precaution. Resetting a token logs a user out of Facebook and directs them to the sign-on page, where they can use their normal password to log in. After logging in, affected users (all 90 million) will see a banner at the top of their news feed with a security update and a link that explains some details about the breach. Guy Rosen, VP of Product Management at Facebook, states, “We’re working hard to better understand these details — and we will update this post when we have more information, or if the facts change. In addition, if we find more affected accounts, we will immediately reset their access tokens.” Facebook has turned off the “View As” feature that was exploited while it investigates.
User passwords are still secure, as is two-factor authentication (2FA), which we suggest using. Facebook does recommend that all users take precautionary action and log out of Facebook to reset their access tokens.
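The two mechanisms described above, a token minted for the wrong principal on the “View As” page and a bulk token reset that logs everyone out, are easy to see in a small model. The following is an added example, not Facebook code; Facebook’s real token format and reset mechanism are not public. It assumes HMAC-signed tokens that carry the subject and a per-user “generation” counter, so that bumping the counter invalidates every outstanding token for that user. The vulnerable renderer reproduces the flaw the post describes (token issued for the previewed user and embedded in the page); the fixed renderer binds the token to the authenticated session user.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Constructed demo signing key; a real service would load this from a secret store.
SECRET = secrets.token_bytes(32)

# Per-user token generation counter (assumed design). Incrementing a user's
# counter is the "reset": every token that carries the old value stops validating.
token_generation = {}


def _sign(payload: dict) -> str:
    """Serialise the payload and append an HMAC-SHA256 tag."""
    body = base64.urlsafe_b64encode(
        json.dumps(payload, sort_keys=True).encode()
    ).decode().rstrip("=")
    mac = hmac.new(SECRET, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{mac}"


def _verify(token: str):
    """Return the payload if the tag is valid, otherwise None."""
    body, _, mac = token.rpartition(".")
    expected = hmac.new(SECRET, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return None
    padded = body + "=" * (-len(body) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))


def issue_token(subject: str) -> str:
    """Mint a token for `subject` at the user's current generation."""
    gen = token_generation.get(subject, 0)
    return _sign({"sub": subject, "gen": gen, "iat": int(time.time())})


def validate_token(token: str):
    """Return the subject the token authenticates, or None if invalid/reset."""
    payload = _verify(token)
    if payload is None:
        return None
    if payload["gen"] != token_generation.get(payload["sub"], 0):
        return None  # token predates a reset for this user
    return payload["sub"]


def render_view_as_vulnerable(session_user: str, target_user: str) -> dict:
    """Flawed 'View As' renderer: the video-upload token is minted for the
    user being previewed and written into the page, so the viewer can read
    a token that authenticates someone else."""
    token = issue_token(target_user)  # BUG: wrong principal
    return {"viewer": target_user, "uploader_token": token}


def render_view_as_fixed(session_user: str, target_user: str) -> dict:
    """Corrected renderer: the preview identity is display-only; any token
    placed in the page belongs to the authenticated session user."""
    token = issue_token(session_user)
    return {"viewer": target_user, "uploader_token": token}


def reset_tokens(users) -> int:
    """Invalidate all outstanding tokens for the given users (forces re-login).
    Returns the number of users reset."""
    for u in users:
        token_generation[u] = token_generation.get(u, 0) + 1
    return len(list(users))


if __name__ == "__main__":
    leaked = render_view_as_vulnerable("alice", "bob")["uploader_token"]
    print("vulnerable page token authenticates:", validate_token(leaked))
    safe = render_view_as_fixed("alice", "bob")["uploader_token"]
    print("fixed page token authenticates:", validate_token(safe))
    reset_tokens(["bob"])
    print("leaked token after reset:", validate_token(leaked))
```

The generation counter is the part worth noting: Facebook could not know which specific tokens had been copied out of page HTML, so the only reliable remedy was to invalidate every token for the affected population at once, which is exactly what a per-user counter (or an equivalent “not valid before” timestamp) gives you without tracking individual tokens.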
Although the company has stated that it is not necessary, ImagIT recommends updating your password. Further, we suggest that users visit the “Security and Login” page to see where their account is logged in and remove any unfamiliar locations. In the wake of this breach, it is especially important to be wary of phishing attempts through phone or email, especially as private information typically used to verify identity may have been accessed. If you are unsure about the legitimacy of an email or call, reach out to the primary contact number for the organization or individual.
What about linked accounts?
Attackers in this breach would have also been able to access third-party services or sites accessed with a Facebook login, although it is unclear if they did. It could have also impacted Instagram accounts that use the same login as Facebook. Facebook has stated that it automatically unlinked potentially affected accounts from Instagram and Oculus, both of which are owned by Facebook. It did not do so with WhatsApp, also owned by Facebook, which the company said was not impacted.
A wide range of sites use integration features with Facebook including Venmo, Spotify, AirBnB, GoFundMe, Tinder, Pinterest, and more. At this time, we do not know how many of these sites may have had user data compromised because of the Facebook breach. Facebook has not disclosed a list of affected individuals to these sites.
Investigations
Facebook has stated that the vulnerabilities are fixed, and it has notified law enforcement officials. It has not determined if any specific locations or accounts were targeted, and Facebook does not know who the attackers were or where they were based. Facebook says it is investing heavily in security going forward and increasing the number of people working on security from 10,000 to 20,000. “This is a really serious security issue. And we’re taking it really seriously,” Mark Zuckerberg said in a conference call with journalists following the announcement, further stating that Facebook is committed to being more proactive about protecting its community.
The news comes at a poor time for the company, with security concerns already high after a bug discovered in June that made up to 14 million people’s posts publicly viewable to anyone for days, and the Cambridge Analytica scandal, in which a political consultancy got access to 87 million users’ private information.
Facebook could be hit with fines of up to $1.63 billion under the General Data Protection Regulation (GDPR) if it is found that the company did not do enough to protect users’ data from this breach. GDPR is a regulation in EU law that serves to maintain data privacy and protection for individuals within the European Union. The company is cooperating with investigations; however, the information reported to investigators so far has been lacking in detail. This is a developing story, and we will be closely watching to see the long-term effects of the breach and of the new security measures sure to come out of it.
Update 10.12.2018:
Facebook has revised its initial estimate and is now stating that, of the 50 million people whose access tokens were believed to be affected, about 30 million actually had their tokens stolen.
Facebook states, “For 15 million people, attackers accessed two sets of information – name and contact details (phone number, email, or both, depending on what people had on their profiles). For 14 million people, the attackers accessed the same two sets of information, as well as other details people had on their profiles. This included username, gender, locale/language, relationship status, religion, hometown, self-reported current city, birthdate, device types used to access Facebook, education, work, the last 10 places they checked into or were tagged in, website, people or Pages they follow, and the 15 most recent searches. For 1 million people, the attackers did not access any information.” The company has not ruled out the possibility of smaller scale attacks.
The company has stated that the attack did not include third-party applications.
ImagIT Solutions is a network engineering company that provides comprehensive IT services for channel partners, managed service providers and enterprise businesses with multiple locations. ImagIT was founded with the goal of providing comprehensive IT services for multi-site organizations. Built on providing exceptional customer service with the most trusted technicians in the field, we continue to grow with our clients and expand internationally. Our team of 400 expert engineers and full PMO are ready to take on any type of networking engagement! Whether it’s proactive support, an emergency call, long-term projects or ongoing break-fix services, ImagIT will deliver a solution that is customized to best fit your organization.