This was the biggest hacker attack on Facebook in its 14-year history.
Facebook has revealed that 50m user accounts have been breached by an access token harvesting attack. It warns that another 40m may also have been compromised and, in all, 90m of its 2.2bn users will have to log in or reset their credentials.
This breach is the largest in Facebook’s 14-year history and the company is still trying to determine whether the attacker misused any accounts or stole private information.
The origin of the attack is also still a mystery, but it is clear that the hackers were after access tokens (the digital keys to accounts), an exploit requiring sophisticated skills. Possessing a token allows an attacker to take full control of the victim’s account, including logging into third-party applications that use Facebook Login.
Facebook was already having a terrible 2018 in terms of data security and the fallout of the Cambridge Analytica affair, and now it is faced with this massive and sophisticated data breach. It is serious stuff amid a year where an estimated 87m users’ accounts were potentially manipulated by political interests contributing to Brexit and US president Donald Trump’s election; the spiralling of the ‘fake news’ epidemic and Facebook’s initial pooh-poohing of its seriousness; and, of course, fears that Russian hackers have infiltrated the social network.
1. What happened?
Yesterday evening (28 September), Guy Rosen, vice-president of product management at Facebook, said that the breach was discovered on 25 September and that 50m accounts were affected.
“First, we’ve fixed the vulnerability and informed law enforcement,” he said.
“Second, we have reset the access tokens of the almost 50m accounts we know were affected, to protect their security. We’re also taking the precautionary step of resetting access tokens for another 40m accounts that have been subject to a ‘View As’ look-up in the last year. As a result, around 90m people will now have to log back in to Facebook, or any of their apps that use Facebook Login. After they have logged back in, people will get a notification at the top of their News Feed explaining what happened.”
Rosen said that as a third precaution, Facebook is turning off the View As feature as it conducts a thorough review.
2. What’s the nature of the breach?
Rosen said that the attack exploited the complex interaction of multiple issues in Facebook’s code.
“It stemmed from a change we made to our video uploading feature in July 2017, which impacted ‘View As’. The attackers not only needed to find this vulnerability and use it to get an access token, they then had to pivot from that account to others to steal more tokens.”
3. What do users do next?
First off, Facebook said that there is no need for anyone to change their passwords. However, if people are having trouble logging in because they’ve forgotten their password, they should visit Facebook’s Help Centre.
Rosen said that if anyone wants to take the precautionary action of logging out of Facebook, they should visit the ‘Security and Login’ section in Settings. This section lists the places that people are logged into Facebook, with a one-click option to log out of all of them.
4. How would you know you were affected?
Most users wouldn’t know they have been affected unless they are asked to log back in. In short, 90m users out of Facebook’s 2.2bn user population have been logged out and will have to log back in.
5. What are access tokens?
They are basically digital keys for accessing your account. They are handy for allowing you to stay logged into Facebook without having to put in a password every time.
6. What is the View As feature and how were access tokens generated?
The View As window lets people see what their own profile looks like to other users. It should be a view-only interface. However, the bug in the system incorrectly enabled other users to post a video into other users’ View As windows.
Not only that, but a new version of the Facebook video uploader incorrectly generated an access token that had the permissions of the Facebook mobile app. The problem here is that every time the video uploader appeared as part of View As, it generated an access token not for the viewing user but for the person being looked up.
Combined, these flaws meant that an access token for the looked-up account was generated every time a user was looked up. Attackers in the know could exploit this to log in as another user. The attackers were then able to pivot from that access token to other accounts and obtain further access tokens.
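To make the token-issuance flaw described above concrete, here is a constructed, simplified model (added here; not Facebook’s code, and the names Session, Token, vulnerable_uploader_token, hardened_uploader_token and token_impersonates are hypothetical). It shows the buggy uploader taking its identity from the View As page context, the hardened version binding the token to the authenticated session, and a server-side check that flags any token whose subject differs from the session that requested it.

```python
from dataclasses import dataclass, field
from secrets import token_urlsafe
from typing import Optional

# Constructed, simplified model of the View As / video-uploader bug.
# Class and function names are hypothetical, not Facebook's own code.
MOBILE_APP_SCOPES = frozenset({"read_profile", "read_messages", "post"})


@dataclass
class Session:
    user: str                         # the authenticated, logged-in account
    viewing_as: Optional[str] = None  # profile previewed via View As, if any


@dataclass
class Token:
    subject: str                      # the account this token acts as
    scopes: frozenset
    value: str = field(default_factory=lambda: token_urlsafe(16))


def vulnerable_uploader_token(session: Session) -> Token:
    """Buggy behaviour: the uploader rendered inside View As takes its
    identity from the page context, so the token is minted for the
    looked-up profile rather than the viewer, with full app permissions."""
    subject = session.viewing_as or session.user
    return Token(subject=subject, scopes=MOBILE_APP_SCOPES)


def hardened_uploader_token(session: Session) -> Token:
    """Fix: View As is a read-only preview and never yields an uploader
    token; outside it, the subject is always the authenticated user."""
    if session.viewing_as is not None:
        raise PermissionError("View As is view-only: no token issued")
    return Token(subject=session.user, scopes=MOBILE_APP_SCOPES)


def token_impersonates(session: Session, token: Token) -> bool:
    """Server-side check: a token whose subject differs from the session
    that requested it is a cross-account issuance that should be logged
    and invalidated."""
    return token.subject != session.user


if __name__ == "__main__":
    s = Session(user="alice", viewing_as="bob")
    bad = vulnerable_uploader_token(s)
    print("impersonation detected:", token_impersonates(s, bad))  # True
```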
7. That is scary. What have the hackers done so far?
Facebook itself doesn’t have the answer to this question because it is only starting its investigation. However, critics are already framing this as an echo of the Cambridge Analytica affair, in terms of what it could mean for third-party apps or advertisers to which Facebook may have given your data.
“One other major unanswered question about this incident is whether the access tokens could have let attackers interactively log in to third-party sites as the user,” opined Brian Krebs of Krebs on Security.
“Tens of thousands of websites let users log in using nothing more than their Facebook profile credentials. If users have previously logged in at third-party sites using their Facebook profile, there’s a good chance the attackers could have had access to those third-party sites as well.”
Facebook has no evidence that this has happened. “We have invalidated data access for third-party apps for the affected individuals,” a Facebook spokesperson has said.
8. What happens next?
“The investigation is early, and it’s hard to discover who is behind this,” Rosen said. “We may never know.”
Rosen did point out that the scale and complexity of the hack would have required “a certain level” of expertise.
The news of the attack will add even more scrutiny to the vast and complicated business machine that is Facebook, and one wonders whether it will ever manage to salvage its reputation in terms of privacy and security.
The legal fallout of the current data breach has already begun. The social network is facing a class-action complaint filed on behalf of California resident Carla Echavarria and Virginia resident Derick Walker, who allege that Facebook’s lack of proper security has exposed them and other users to potential identity theft. The lawsuit was filed yesterday in the US district court for the northern district of California.
No doubt this will lead to a resurgence of the #DeleteFacebook movement that began earlier this year as the Cambridge Analytica scandal raged.
Groups such as the Electronic Frontier Foundation and US university researchers are pointing to other potential flaws, such as the possibility that users who gave their mobile phone numbers for two-factor authentication could be targeted by advertisers, if Facebook shared that data with them to boost advertising.
For Facebook CEO Mark Zuckerberg, the 50m-user breach and the legal repercussions will seriously compromise his vision for the company and products such as Messenger being the gateway for a slew of mobile payment, banking and e-commerce services.
One thing is certain: it will add to the clamour among US politicians for more stringent data protection legislation. “This is another sobering indicator that Congress needs to step up and take action to protect the privacy and security of social media users,” Democratic US senator Mark Warner said in a statement.
“A full investigation should be swiftly conducted and made public so that we can understand more about what happened.”
Updated, 8.49am, 1 October 2018: This article was updated to clarify that Guy Rosen revealed news about the data breach on 28 September.