Facebook breach put information of 50 million users at risk


Facebook on Friday said a breach affected 50 million people on the social network.

The vulnerability stemmed from Facebook’s “view as” feature, which lets people see what their profiles look like to other people. Attackers exploited code associated with the feature that allowed them to steal “access tokens” that could be used to take over people’s accounts.

While access tokens aren’t your password, they allow people to log in to accounts without needing it. Facebook also said later on Friday that the breach affected third-party apps that you have linked to your Facebook account, including Instagram. As a precautionary step, Facebook logged about 90 million people out of their accounts, the company said.

The social network said it discovered the attack earlier today. The company has notified the FBI and the Irish Data Protection Commission. Facebook said the investigation is in the early stages and it does not yet know who was behind the attacks.


“This is a really serious security issue,” CEO Mark Zuckerberg said on a conference call with reporters Friday. “This underscores there are just constant attacks from people who are trying to take over accounts and steal information from our community. This is going to be an ongoing effort.” 

The news comes as Facebook has been under intense scrutiny for its ability to keep the data of its more than 2 billion users safe. The company is still reeling from its Cambridge Analytica scandal in March, in which a UK-based digital consultancy harvested the personal information of 87 million Facebook users.

The vulnerability disclosed on Friday came from a change issued in July 2017, when Facebook pushed a feature that prompted people to upload “Happy Birthday” videos, Guy Rosen, Facebook’s vice president of product management, said on the call. The company is still investigating the attack, and doesn’t know how much information was stolen or who is behind the hack. Because access tokens were stolen and not passwords, Facebook said that affected users don’t need to change their security settings, including their passwords.

Access tokens are sets of code granted to a user after logging in for the first time. They’re often used across websites so that you don’t have to log back in every time you go to a page. Facebook uses them for logins, and they allow for secure access without needing a password.


Attackers carried out their attack with a series of steps that let them hop, skip and jump their way into generating access tokens for millions of Facebook users. They started by viewing a Facebook profile they had access to as another user. The “view as” feature is meant to allow users to see how their profile looks to the public or specific friends based on their privacy settings. 

But when hackers viewed a Facebook profile as another user, sometimes the tool for posting a birthday video would appear. That shouldn’t have happened, but did at times because of a bug, according to Facebook. Then, because of yet another bug affecting the video tool, hackers were able to generate an access token for the targeted user, giving them access to the user’s account.

With the access token, hackers had control over the user’s account. They could then “pivot,” Rosen said, and view their victim’s account as yet another user. Then they would repeat the process and generate an access token for that user, too.
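The class of flaw described above, where a token is issued for the user being previewed rather than for the user who actually logged in, is shown in the following added example next to a hardened form. It is an illustration written for this page, not Facebook's code; every name in it (`RenderContext`, `mint_token`, `uploader_token_*`) is hypothetical.

```python
# Toy model (constructed, not Facebook's code) of the bug chain the article
# describes: a "view as" render context plus a widget that mints tokens.
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional

SIGNING_KEY = secrets.token_bytes(32)  # per-process demo key


@dataclass(frozen=True)
class RenderContext:
    actor: str                      # user who actually authenticated
    view_as: Optional[str] = None   # user whose perspective is simulated

    @property
    def effective_user(self) -> str:
        return self.view_as or self.actor


def mint_token(user: str) -> str:
    """Bearer token: whoever holds it is treated as `user`."""
    mac = hmac.new(SIGNING_KEY, user.encode(), hashlib.sha256).hexdigest()
    return f"{user}.{mac}"


def token_owner(token: str) -> Optional[str]:
    """Return the user a token is valid for, or None if the MAC is wrong."""
    user, _, mac = token.rpartition(".")
    expected = hmac.new(SIGNING_KEY, user.encode(), hashlib.sha256).hexdigest()
    return user if hmac.compare_digest(mac, expected) else None


def uploader_token_vulnerable(ctx: RenderContext) -> str:
    # Flaw: identity is taken from the simulated viewer, so the authenticated
    # actor receives a credential for somebody else's account.
    return mint_token(ctx.effective_user)


def uploader_token_hardened(ctx: RenderContext) -> str:
    # "View as" is a read-only preview: no credential is issued inside it,
    # and outside it tokens bind only to the authenticated actor.
    if ctx.view_as is not None:
        raise PermissionError("token issuance disabled in view-as context")
    return mint_token(ctx.actor)
```

The hardened function applies two independent checks, so a widget that renders in the preview by mistake still cannot hand out a credential.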

The hackers were able to dramatically scale up this multi-step attack, so much so that Facebook noticed an unusual spike in user activity in September and began investigating, Rosen said.

Fatemeh Khatibloo, an analyst at Forrester who focuses on consumer privacy, said in an email that it appeared Facebook had contained the damage from the breach at an early stage. She added that users probably heard about it sooner than they would have since new privacy regulations came into effect in the European Union earlier this year. The General Data Protection Regulation requires companies to tell users about a data breach no more than 72 hours after learning of it themselves.

“GDPR has forced [Facebook]’s hand in reporting the breach much earlier than they maybe would have liked, and before they comprehend the complete scope,” Khatibloo said.

Debra Farber, senior director of privacy strategy at tech company BigID, said the increased speed in reporting data breaches will have a positive long-term effect for the company. “It may not be today or tomorrow, but such actions are sure to engender significantly more trust,” she said. BigID helps companies comply with privacy regulations.

The breach has also led to more criticism from lawmakers, who have already discussed introducing regulation to check big tech companies.

“A full investigation should be swiftly conducted and made public so that we can understand more about what happened,” Sen. Mark Warner, a Democrat from Virginia, said in a statement. “Today’s disclosure is a reminder about the dangers posed when a small number of companies like Facebook or the credit bureau Equifax are able to accumulate so much personal data about individual Americans without adequate security measures.”

As news spread of the data breach Friday, Facebook’s own platform blocked users from posting two articles about the hacking attack. One article was by the Guardian and the other was by the AP. Facebook confirmed that its system was blocking the articles, saying it was a mistake. “We fixed the issue as soon as we were made aware of it, and people should be able to share both articles,” the company said in a statement. “We apologize for the inconvenience.”

Facebook has lacked a chief security officer since Alex Stamos left the company in August to teach and study at Stanford University. His departure took place during a larger reorganization of the company’s security team that was ongoing when the cybersecurity attack began.

The departmental changes made the cybersecurity team stronger, Rosen said. “If anything, we think this means we were able to find and address this faster,” he said.

First published Sept. 28 at 9:52 a.m. PT.
Update at 2:52 p.m. PT: Adds information from a follow-up conference call with Facebook.
