
Facebook: 29 million users affected by breach

October 15, 2018 | Expert Insights

Facebook said hackers had gained access to 29 million users’ accounts in a massive data breach last month. The company downgraded its initial estimate that 50 million users were compromised in the intrusion.

Background

In late September, Facebook disclosed a security vulnerability that the company inadvertently introduced into their software in July 2017. The flaw affected Facebook’s “View As” feature that allowed users to see what their profiles looked like to a third party.

The flaw exposed Facebook security tokens that allowed hackers to gain access to a user’s account. Access tokens are digital keys that allow mobile users to remain logged in to Facebook without having to re-enter their passwords every time they use the app. Using these access tokens, the attackers could view and access information from a compromised Facebook account as if they were that user.

The attackers used a series of seed accounts to exploit the vulnerability. Using an automated technique to move from account to account, the attackers stole access tokens from the accounts of friends, then friends of friends, and so on to amass a group of 400,000 accounts. They eventually managed to steal access tokens of about 30 million accounts.

Facebook said it first noticed a spike in the number of people using the “View As” feature on September 14. On September 25, the company determined that it was an attack and fixed the vulnerability two days later. It had to reset the access tokens for 90 million users.
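The two mechanisms described above, tokens that keep a user logged in and a sudden rise in "View As" usage that revealed the abuse, can be illustrated with a small server-side model. The following is an added example written for this page; it is not Facebook's code and does not reflect Facebook's actual token format or monitoring. It assumes a hypothetical `AccessTokenStore` whose per-user generation counter lets every outstanding token for a user be invalidated in one step (the property a reset of 90 million tokens needs), and a `spike_days` detector that flags days whose count of a feature's use departs from a trailing baseline. The daily counts are constructed for illustration.

```python
import secrets
from collections import Counter


class AccessTokenStore:
    """Minimal server-side access-token store (hypothetical, not Facebook's design).

    A token is an opaque random string; the server records the owner, the issue
    time and the owner's 'generation' counter at issue time. Resetting a user bumps
    the counter, so every token issued before the reset fails validation without
    touching each token record individually.
    """

    def __init__(self, ttl_seconds, clock):
        self.ttl = ttl_seconds
        self.clock = clock            # injectable clock so expiry can be tested deterministically
        self._tokens = {}             # token -> (user_id, generation, issued_at)
        self._generation = Counter()  # user_id -> current generation (missing key reads as 0)

    def issue(self, user_id):
        token = secrets.token_urlsafe(32)
        self._tokens[token] = (user_id, self._generation[user_id], self.clock())
        return token

    def validate(self, token):
        """Return the owning user_id, or None if the token is unknown, reset or expired."""
        record = self._tokens.get(token)
        if record is None:
            return None
        user_id, generation, issued_at = record
        if generation != self._generation[user_id]:
            return None                       # invalidated by a reset
        if self.clock() - issued_at > self.ttl:
            return None                       # expired
        return user_id

    def reset(self, user_ids):
        """Invalidate every outstanding token for the given users at once."""
        for uid in user_ids:
            self._generation[uid] += 1


def spike_days(daily_counts, window=7, factor=3.0):
    """daily_counts: {day: count}. Flag a day whose count exceeds the trailing
    `window`-day mean by more than `factor` standard deviations. The standard
    deviation is floored at 1 so a perfectly flat baseline still needs a real jump."""
    days = sorted(daily_counts)
    flagged = []
    for i in range(window, len(days)):
        baseline = [daily_counts[d] for d in days[i - window:i]]
        mean = sum(baseline) / window
        std = (sum((x - mean) ** 2 for x in baseline) / window) ** 0.5
        if daily_counts[days[i]] > mean + factor * max(std, 1.0):
            flagged.append(days[i])
    return flagged


# Constructed sample: per-day counts of "View As" requests with an abrupt rise
# from 2018-09-14 onward. The numbers are invented for illustration only.
VIEW_AS_COUNTS = {
    "2018-09-05": 1010, "2018-09-06": 990, "2018-09-07": 1020, "2018-09-08": 980,
    "2018-09-09": 1000, "2018-09-10": 1030, "2018-09-11": 995, "2018-09-12": 1005,
    "2018-09-13": 1015, "2018-09-14": 4800, "2018-09-15": 7500,
}


def demo():
    """Walk through detection, bulk reset and re-login; returns the observed results."""
    clock = {"t": 0}
    store = AccessTokenStore(ttl_seconds=3600, clock=lambda: clock["t"])
    alice_token = store.issue("alice")
    bob_token = store.issue("bob")

    suspicious_days = spike_days(VIEW_AS_COUNTS)
    # Incident response: reset the users whose tokens may have been exposed.
    store.reset(["alice"])
    after_reset = (store.validate(alice_token), store.validate(bob_token))

    # A fresh login issues a new token that validates until its TTL passes.
    alice_new = store.issue("alice")
    valid_after_relogin = store.validate(alice_new)
    clock["t"] = 3601
    valid_after_ttl = store.validate(alice_new)
    return suspicious_days, after_reset, valid_after_relogin, valid_after_ttl


if __name__ == "__main__":
    print(demo())
```

The generation counter is what makes a mass reset cheap: the store never has to enumerate the tokens of an affected user, it only has to make their old generation stale. The detector is deliberately simple; in practice the baseline would be per-feature and per-client-population, but the principle of comparing a day's usage with its own recent history is the one that surfaced the abuse described above.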

Facebook initially said the security issue affected nearly 50 million accounts, adding that it is cooperating with the FBI, the US Federal Trade Commission, the Irish Data Protection Commission and other groups as it continues to investigate the intrusion.

Analysis

Facebook announced that 29 million accounts were impacted in the breach, revising its initial estimate that 50 million users were compromised. However, the attackers managed to access a significant amount of personal information for millions of users.

Of the 30 million users compromised, hackers accessed extensive information on 14 million users including the most recent places they had checked in, their 15 most recent searches, types of devices used to access Facebook, dates of birth, relationship status, religion, pages followed, and other information listed on their profiles.

Another 15 million users saw their names and contact information exposed. Facebook said the attackers did not access any information for the remaining 1 million users.

According to Facebook VP of Product Management Guy Rosen, the attackers did not access any credit card information associated with members’ accounts. He added that Facebook has not received any reports of stolen information being available on the dark web so far.

Disclosure of the breach comes as regulatory authorities, lawmakers, security experts and investors have raised concerns that Facebook is not doing enough to protect its users’ data. Facebook has been facing heavy scrutiny into other issues recently including its role in the dissemination of misinformation and hate speech, foreign interference in elections and domestic politics, and data privacy.

The latest breach is likely the largest and most extensive security incident in Facebook’s history. It has come to light months after the EU’s General Data Protection Regulation (GDPR) went into effect. Companies that fail to comply could face penalties of up to €20 million or 4% of annual revenue – whichever is higher. The Irish data protection commissioner has already opened an investigation into Facebook’s breach.

Regulators around the world have also launched inquiries into the Facebook-Cambridge Analytica scandal that came to light in March. That incident saw profile details from 87 million Facebook users improperly accessed by the British political data firm.

Assessment

Our assessment is that although the pool of users impacted by the breach has decreased, the amount of personal information exposed in the incident is still staggering. The personal information gleaned by attackers could be exploited in phishing attacks to gather additional valuable information from victims. As trust in Facebook continues to nosedive, the incident further highlights the necessity for strong data protection legislation to guard against theft and misuse of user information.
