Facebook breach put data of 50 million users at risk
The vulnerability had to do with the social network's "view as" feature.
Richard Nieva, former senior reporter
Richard Nieva was a senior reporter for CNET News, focusing on Google and Yahoo. He previously worked for PandoDaily and Fortune Magazine, and his writing has appeared in The New York Times, on CNNMoney.com and on CJR.org.
The vulnerability stemmed from Facebook's "view as" feature, which lets people see what their profiles look like to other people. Attackers exploited code associated with the feature that allowed them to steal "access tokens" that could be used to take over people's accounts.
While access tokens aren't your password, they allow people to log in to accounts without needing it. Facebook said later Friday that the breach also affected third-party apps that you have linked to your Facebook account, including Instagram. As a precautionary measure, Facebook logged about 90 million people out of their accounts, the company said.
The social network said it discovered the attack earlier this week. The company has informed the FBI and the Irish Data Protection Commission. Facebook said the investigation is in the early stages and it doesn't yet know who was behind the attacks.
"This is a really serious security issue," CEO said on a conference call with reporters Friday. "This underscores there are just constant attacks from people who are trying to take over accounts and steal information from our community. This is going to be an ongoing effort."
The news comes as Facebook has been under intense scrutiny for its ability to keep the data of its more than 2 billion users safe. The company is still reeling from its Cambridge Analytica scandal in March, in which a UK-based digital consultancy harvested the personal information of 87 million Facebook users.
The vulnerability disclosed on Friday came from a change issued in July 2017, when Facebook pushed a feature that prompted people to upload "Happy Birthday" videos, Facebook vice president of product management said on the call. The company is still investigating the attack, and doesn't know how much information was stolen or who is behind the hack. Because it was access tokens stolen and not passwords, Facebook said that affected users don't need to change their security settings, including their passwords.
Access tokens are sets of code granted to a user after logging in for the first time. They're often used across websites so that you don't have to log back in every time you go to a page. Facebook uses them for logins, and allows for secure access without needing a password.
Attackers carried out their attack with a series of steps that let them hop, skip and jump their way into generating access tokens for millions of Facebook users. They started by viewing a Facebook profile they had access to as another user. The "view as" feature is meant to allow users to see how their profile looks to the public or specific friends based on their
But when hackers viewed a Facebook profile as another user, sometimes the tool for posting a birthday video would appear. That shouldn't have happened, but did at times because of a bug, according to Facebook. Then, because of yet another bug affecting the video tool, hackers were able to generate an access token for the targeted user, giving them access to the user's account.
With the access token, hackers had control over the user's account. They could then "pivot," Rosen said, and view their victim's account as yet another user. Then they would repeat the process and generate an access token for that user, too.
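The defect class described above, as an added illustration (this is a constructed toy model, not Facebook's code): a "view as" preview is an impersonation context, and a feature reachable inside it must never mint a credential bound to the account being previewed. The `Session`, `TokenStore` and tool functions are hypothetical names; `revoke_all` models the bulk log-out response.

```python
# Added illustration (not Facebook's code): a toy model of "view as" previews,
# access-token issuance, and bulk revocation.
from dataclasses import dataclass, field
from typing import Dict, Optional
import secrets


@dataclass
class Session:
    user: str                        # the principal who actually authenticated
    view_as: Optional[str] = None    # "view as" preview target, if a preview is active


@dataclass
class TokenStore:
    # Maps an opaque bearer token to the account it grants access to.
    tokens: Dict[str, str] = field(default_factory=dict)

    def mint(self, subject: str) -> str:
        token = secrets.token_urlsafe(16)
        self.tokens[token] = subject
        return token

    def account_for(self, token: str) -> Optional[str]:
        return self.tokens.get(token)

    def revoke_all(self) -> int:
        # The "log everyone out" response: every outstanding token stops working.
        count = len(self.tokens)
        self.tokens.clear()
        return count


def vulnerable_video_tool_token(session: Session, store: TokenStore) -> str:
    # Defect modelled on the article: the upload tool is reachable inside a
    # preview, and the token it requests is bound to the account being viewed
    # as rather than to the viewer who actually authenticated.
    subject = session.view_as if session.view_as is not None else session.user
    return store.mint(subject)


def hardened_video_tool_token(session: Session, store: TokenStore) -> str:
    # Fix: no credential-issuing feature runs inside a preview, and a token is
    # only ever bound to the authenticated principal.
    if session.view_as is not None:
        raise PermissionError("credential issuance is disabled in 'view as' preview")
    return store.mint(session.user)
```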
The hackers were able to dramatically scale up this multi-step attack, so much so that Facebook noticed an unusual spike in user activity in September and began investigating, Rosen said.
Fatemeh Khatibloo, an analyst at Forrester who focuses on consumer privacy, said in an email that it appeared Facebook had contained the damage from the breach at an early stage. She added that users probably heard about it sooner than they would have since new privacy regulations came into effect in the European Union earlier this year. The General Data Protection Regulation requires companies to tell users about a data breach no more than 72 hours after learning of it themselves.
"GDPR has forced [Facebook]'s hand in reporting the breach much earlier than they perhaps would have liked, and before they understand the full scope," Khatibloo said.
Debra Farber, senior director of privacy strategy at tech firm BigID, said the increased speed in reporting data breaches will have a positive long-term effect for the company. "It may not be today or tomorrow, but such actions are sure to engender significantly more trust," she said. BigID helps companies comply with privacy regulations.
The breach has also led to more criticism from lawmakers, who have already discussed introducing regulation to rein in big tech companies.
"A full investigation should be swiftly conducted and made public so that we can understand more about what happened," Sen. Mark Warner, a Democrat from Virginia, said in a statement. "Today's disclosure is a reminder about the dangers posed when a small number of companies like Facebook or the credit bureau Equifax are able to accumulate so much personal data about individual Americans without adequate security measures."
As news spread of the data breach Friday, Facebook's own platform blocked users from posting two articles about the hacking attack. One article was by the Guardian and the other was by the AP. Facebook confirmed that its system was blocking the articles, saying it was an error. "We fixed the issue as soon as we were made aware of it, and people should be able to share both articles," the company said in a statement. "We apologize for the inconvenience."
Facebook has been without a chief security officer since Alex Stamos departed the company in August to teach and do research at Stanford University. His departure took place during a larger reorganization of the company's security team that was ongoing when the cybersecurity attack began.
The departmental shifts made the cybersecurity team stronger, Rosen said. "If anything, we think this means we were able to find and address this faster," he said.
First published Sept. 28 at 9:52 a.m. PT. Update at 2:52 p.m. PT: Adds information from a follow-up conference call with Facebook.