It seems like every month we write a post about a new Facebook breach or some other scandal. This month is no exception. In this edition of “Seriously Facebook, Get It Together,” we’ll take a look at the social media platform’s September 29 announcement that a breach had affected at least 50 million and possibly upward of 90 million users.
Hackers gained access to users’ personal data through three bugs in Facebook’s video uploader and “view as” features. These vulnerabilities first appeared on the site in July of last year, but it wasn’t until September 16 of this year that Facebook noticed a spike in suspicious activity. Yes, you read that right; hackers might have had this access for more than a year.
The bugs arose when users opted to view their profile as someone else (the “view as” feature), which sometimes caused the video uploader to appear without being prompted. That in turn generated an access token for the person the original user chose to view their profile as, which hackers were then able to use to log into that other account. They sought out personal user information like age, gender and location.
Hackers managed to steal roughly 50 million of these access tokens before the bugs were patched, but Facebook also secured the accounts of an additional 40 million users who it suspected may also have been affected.
What are access tokens?
Access tokens are digital keys that keep you logged into the apps and websites you use frequently without forcing you to enter your username and password every time. Fortunately, these tokens don’t store passwords, so it’s not mandatory to create a new password if you’ve been affected by this data breach.
What steps has Facebook taken to correct this?
Facebook reported that it fixed the bugs and reset the access tokens of all 90 million users thought to be affected when the breach was discovered. If you found yourself manually entering your credentials to log into Facebook for the first time in a long time, you may have been a victim of this breach.
What kind of repercussions could Facebook be facing?
In addition to likely losing a number of users who aren’t keen on having their data stolen, Facebook could be looking at a hefty fine from the EU. Unluckily for the ‘Book, the attack affected 5 million European users. Remember, the EU enacted the General Data Protection Regulation in May of this year, and they no longer have patience for slip-ups of this magnitude. If it’s found that Facebook slacked off and didn’t do all it could to prevent this from happening, it could be fined up to 4 percent of its annual global revenue, which works out to about $1.63 billion.
Who’s responsible for the attack?
The hackers’ identities are currently unknown. Don’t hold your breath waiting for the mystery to be resolved; the FBI is on the case, but tracing a breach like this can take a long time.
Were any other Facebook-related apps affected?
Facebook doesn’t believe any credit card information was stolen or that hackers broke into private messages sent on its site or mobile app, but the investigation findings might prove otherwise. What about other apps and services that are owned by Facebook or that use Facebook info for their login processes, such as WhatsApp, Instagram and Spotify? No need to worry about those, Facebook says.
Guy Rosen, vice president of product management for Facebook, wrote in a blog post on October 2: “We have now analyzed our logs for all third-party apps installed or logged in during the attack we discovered last week. That investigation has so far found no evidence that the attackers accessed any apps using Facebook Login … Any developer using our official Facebook SDKs — and all those that have regularly checked the validity of their users’ access tokens — were automatically protected when we reset people’s access tokens.”
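To illustrate the last sentence of that quote, here is an added example (not Facebook's code and not from the original post) in Python: it models a relying app that trusts a login token until its own cached expiry against one that re-checks the token with the issuer on every request. The Issuer class is a constructed stand-in for a token-introspection endpoint, not a real API; after the issuer resets all tokens, only the re-checking app drops the session.

```python
import time

class Issuer:
    """Constructed stand-in for the identity provider's token store plus
    an introspection endpoint (hypothetical, not any platform's real API)."""
    def __init__(self):
        self._tokens = {}
    def issue(self, user_id, ttl=3600):
        token = f"tok-{user_id}-{len(self._tokens)}"  # constructed token format
        self._tokens[token] = {"user_id": user_id, "expires_at": time.time() + ttl}
        return token
    def introspect(self, token):
        # Answers the relying app's "is this token still good?" question.
        info = self._tokens.get(token)
        if info is None or info["expires_at"] < time.time():
            return {"is_valid": False}
        return {"is_valid": True, "user_id": info["user_id"]}
    def reset_all(self):
        # Incident response: invalidate every outstanding token at once.
        self._tokens.clear()

class CachingApp:
    """Checks the token once at login, then trusts its own session cache."""
    def __init__(self, issuer):
        self.issuer, self.sessions = issuer, {}
    def login(self, token):
        info = self.issuer.introspect(token)
        if info["is_valid"]:
            self.sessions[token] = info["user_id"]
        return info["is_valid"]
    def current_user(self, token):
        return self.sessions.get(token)  # stale after an issuer-side reset

class ValidatingApp(CachingApp):
    """Re-checks the token with the issuer on each request, so a reset
    upstream ends the session here as well."""
    def current_user(self, token):
        if not self.issuer.introspect(token)["is_valid"]:
            self.sessions.pop(token, None)
            return None
        return self.sessions.get(token)

def simulate_reset():
    """Returns (caching_user, validating_user) seen after the issuer resets tokens."""
    issuer = Issuer()
    token = issuer.issue("alice")
    cached, checked = CachingApp(issuer), ValidatingApp(issuer)
    cached.login(token); checked.login(token)
    issuer.reset_all()  # the remediation described in the post
    return cached.current_user(token), checked.current_user(token)
```

Running `simulate_reset()` returns `('alice', None)`: the caching app still serves the revoked session while the validating app does not.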
How do I know if I’m a victim of the breach?
As mentioned before, one sign that you may have been affected is if you were logged out of the app or desktop site. You can also check whether or not you were victimized by navigating to your security and login page under “Settings” and looking at “Where You’re Logged In.” If you were unaffected, all the devices and locations should be familiar to you.
On the other hand, if you find that you were hacked, you don’t necessarily need to terminate your account, although you should probably change your password, and you might want to reconsider how much of your personal info you have on the platform. Whether or not you’re a victim of the attack, it’s highly recommended to turn on two-factor authentication for increased security.
Are you suffering from data breach fatigue? Have you decided to delete your account as a result of this event? And if not, what would Facebook have to do to lose your patronage?