Facebook Network Breach: 50-Million Users’ Data Exposed
Facebook announced the breach on Friday morning.
I woke up this morning with an odd icon flashing on my phone’s lock screen. It was Facebook Messenger, an app I seldom use, asking me to log in again. Turns out I wasn’t the only one. Facebook announced on Friday that a network breach had occurred, exposing the information of some 50 million users.
More than 90 million users were forced to log out of their accounts on Friday morning: Facebook reset their access tokens, a common precaution when accounts may have been compromised, so every existing session for those users stopped working and they had to sign in again.
Facebook reportedly discovered the breach earlier in the week, on Tuesday. Attackers exploited a vulnerability in Facebook’s code that let them take over some users’ accounts. Facebook says it has already fixed the issue and notified the authorities, though at this time there is no indication of who was behind the attack, and the full scope of it is not yet known.
From Facebook’s announcement of the breach:

"Our investigation is still in its early stages. But it’s clear that attackers exploited a vulnerability in Facebook’s code that impacted “View As”, a feature that lets people see what their own profile looks like to someone else. This allowed them to steal Facebook access tokens which they could then use to take over people’s accounts. Access tokens are the equivalent of digital keys that keep people logged in to Facebook so they don’t need to re-enter their password every time they use the app.

This attack exploited the complex interaction of multiple issues in our code. It stemmed from a change we made to our video uploading feature in July 2017, which impacted “View As.” The attackers not only needed to find this vulnerability and use it to get an access token, they then had to pivot from that account to others to steal more tokens."
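What an access token is, and what "resetting" one (or logging a user out everywhere) actually does, is easier to see in code. The following Python is an added illustration written for this page, not code from Facebook or from the original post. It models a minimal HMAC-signed bearer token service with a per-user generation counter for bulk revocation (the server-side mechanism behind forcing tens of millions of users to log back in), and a simplified "view as" page render in a vulnerable and a hardened form. The vulnerable variant shows the general class of mistake, a token minted for the impersonated user rather than for the authenticated viewer, and is not a reconstruction of Facebook's actual bug. The class and function names (TokenService, render_view_as_insecure, render_view_as), the principals alice and bob, the fixed timestamps and the all-zero signing key are assumptions made for the example.

```python
import base64
import binascii
import hashlib
import hmac
import json


class TokenService:
    """Minimal bearer-token issuer with server-side bulk revocation.

    Illustrative model only (assumed design, not Facebook's code). A token is a
    signed claim "this request acts as <sub>"; whoever holds a valid one is
    logged in as that user without ever typing the password.
    """

    def __init__(self, key: bytes):
        self._key = key          # server-side HMAC key (assumption: never leaves the server)
        self._generation = {}    # principal -> generation counter, bumped to revoke

    @staticmethod
    def _b64(raw: bytes) -> str:
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

    @staticmethod
    def _unb64(text: str) -> bytes:
        return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

    def _mac(self, payload: bytes) -> bytes:
        return hmac.new(self._key, payload, hashlib.sha256).digest()

    def issue(self, principal: str, now: int, ttl: int = 3600) -> str:
        """Mint a token bound to `principal` and to that user's current generation."""
        claims = {"sub": principal, "gen": self._generation.get(principal, 0), "exp": now + ttl}
        payload = json.dumps(claims, separators=(",", ":")).encode()
        return self._b64(payload) + "." + self._b64(self._mac(payload))

    def validate(self, token: str, now: int):
        """Return the principal the token is valid for, or None if it must be rejected."""
        try:
            p64, m64 = token.split(".")
            payload, mac = self._unb64(p64), self._unb64(m64)
        except (ValueError, binascii.Error):
            return None
        # Check the MAC before trusting anything inside the payload.
        if not hmac.compare_digest(self._mac(payload), mac):
            return None
        claims = json.loads(payload)
        if claims["exp"] <= now:
            return None
        # A token issued before the user's generation was bumped is dead even
        # though its signature is still perfectly valid: this is what a "reset" does.
        if claims["gen"] != self._generation.get(claims["sub"], 0):
            return None
        return claims["sub"]

    def revoke_all(self, principal: str) -> None:
        """Invalidate every outstanding token for one user (forces re-login everywhere)."""
        self._generation[principal] = self._generation.get(principal, 0) + 1

    def reset_tokens(self, principals) -> int:
        """Bulk reset, the precautionary step taken for a large set of accounts."""
        count = 0
        for principal in principals:
            self.revoke_all(principal)
            count += 1
        return count


def render_view_as_insecure(svc: TokenService, session_token: str, viewed_as: str, now: int) -> dict:
    """Vulnerable pattern (illustrative): the page rendered 'as' another user embeds a
    token minted for that other user, so the viewer walks away with someone else's key."""
    viewer = svc.validate(session_token, now)
    if viewer is None:
        raise PermissionError("not logged in")
    return {"profile_of": viewer, "seen_by": viewed_as,
            "embedded_token": svc.issue(viewed_as, now)}   # BUG: wrong principal


def render_view_as(svc: TokenService, session_token: str, viewed_as: str, now: int) -> dict:
    """Hardened: anything minted during the render is bound to the authenticated
    viewer; the impersonated identity is display state only."""
    viewer = svc.validate(session_token, now)
    if viewer is None:
        raise PermissionError("not logged in")
    return {"profile_of": viewer, "seen_by": viewed_as,
            "embedded_token": svc.issue(viewer, now)}


def demo() -> dict:
    """Walk through leak, takeover and mass reset with constructed principals and times."""
    svc = TokenService(b"\x00" * 32)                       # constructed key, example only
    alice_session = svc.issue("alice", now=1000)
    leaked = render_view_as_insecure(svc, alice_session, "bob", now=1000)["embedded_token"]
    safe = render_view_as(svc, alice_session, "bob", now=1000)["embedded_token"]
    result = {"leaked_token_acts_as": svc.validate(leaked, now=1000),   # "bob": takeover
              "fixed_token_acts_as": svc.validate(safe, now=1000)}      # "alice"
    svc.reset_tokens(["alice", "bob"])                     # the mass "log everyone out"
    result["leaked_after_reset"] = svc.validate(leaked, now=1000)       # None
    return result


if __name__ == "__main__":
    print(demo())
```

The generation counter is the important design choice: a signed, self-contained token cannot be "un-signed", so the only way to kill every copy an attacker may hold is to change something the server checks on every request. Bumping one integer per user is cheap enough to do for tens of millions of accounts at once, which is why a precautionary reset is a practical response even before the full scope of a breach is known.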
This is more bad news for the social media giant, which has seemingly been under fire on all fronts lately. If you’ll remember, Cambridge Analytica, a political data-mining firm, was able to harvest information from over 87 million accounts in the lead-up to the 2016 election by abusing Facebook’s Graph API. That news didn’t come out until long afterward, though.
In the aftermath, as Facebook rolled out a PR campaign aimed at reassuring its users, CEO Mark Zuckerberg said this:
“We have a responsibility to protect your data, and if we can’t then we don’t deserve to serve you.”
You get the feeling that sentence is going to come back to haunt Mr. Zuckerberg over the coming days.
Facebook has also been in the news for its role in the proliferation of fake news during the last election cycle. The company is also being criticized for shirking GDPR rules. And with the US Republican party currently threatening to regulate Google for alleged political bias, don’t be surprised if Facebook gets lumped in with that, too.
So, once again Facebook is sorry your data may have been compromised.
Facebook’s statement continues:

"People’s privacy and security is incredibly important, and we’re sorry this happened. It’s why we’ve taken immediate action to secure these accounts and let users know what happened. There’s no need for anyone to change their passwords. But people who are having trouble logging back into Facebook — for example because they’ve forgotten their password — should visit our Help Center. And if anyone wants to take the precautionary action of logging out of Facebook, they should visit the “Security and Login” section in settings. It lists the places people are logged into Facebook with a one-click option to log out of them all."