On Friday it was announced that Facebook had suffered a security breach affecting up to 50 million user accounts. The company said attackers exploited a software bug in its 'View As' feature, a privacy tool that lets users see how their own profile page appears to other people, including those they are not 'friends' with on Facebook. The bug allowed the attackers to act as other users on the platform.
The vulnerabilities date from 2017, when a change to Facebook's video uploader inadvertently introduced three bugs. When the 'View As' feature was used to preview a profile from someone else's perspective, the video uploader tool would occasionally be displayed, even though a read-only preview should never show it. When it did appear, it generated an access token for the person the profile was being viewed as, rather than for the logged-in user. Anyone who obtained that token could then use it to log in as that user.
Attackers exploited this chain to steal access tokens and take over accounts. An access token is not a password, but it is a bearer credential: whoever holds it can sign in as the user it was issued for without ever needing that user's password. Tokens are issued when a user logs in and are kept by the app or browser so the user does not have to re-enter their login details on every page. According to Facebook, no passwords were exposed in the breach, but the tokens of affected accounts were reset, so those users were logged out and had to sign back in to the social network on Friday.
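The following is an added, simplified model of the bug class described above, written for this article; it is not Facebook's code, and the function names, token format and signing key are assumptions constructed for the demonstration. It shows the two rendering mistakes side by side (a token-bearing widget rendered inside a read-only preview, and a token minted for the impersonated user instead of the logged-in session), together with the mass token reset that invalidates every outstanding token at once.

```python
"""Illustrative model of the 'View As' token-confusion bug class.

Added example, not Facebook's code. Names, token format and the
signing key are assumptions constructed for this demonstration.
"""
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed signing key for the demo only; a real service keeps this in a KMS/HSM.
SIGNING_KEY = b"demo-signing-key-not-for-production"

# Tokens embed the generation in force when issued; bumping it invalidates
# every outstanding token at once (what "resetting" accounts means here).
_state = {"generation": 1}


def mint_token(subject: str, scope: str) -> str:
    """Issue a signed bearer token that lets its holder act as `subject`."""
    body = f"{subject}|{scope}|g{_state['generation']}|{secrets.token_hex(8)}"
    sig = hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{sig}"


def token_subject(token: str) -> Optional[str]:
    """Return who the token lets you act as, or None if it is forged or reset."""
    body, _, sig = token.rpartition(".")
    expected = hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        return None
    subject, _scope, gen, _nonce = body.split("|")
    if gen != f"g{_state['generation']}":
        return None  # issued before the last mass reset
    return subject


def reset_all_tokens() -> None:
    """Invalidate every token issued so far (the 'reset' applied to affected accounts)."""
    _state["generation"] += 1


def uploader_should_appear() -> bool:
    """Assumed stand-in for whatever condition made the uploader show up."""
    return True


def render_own_profile_vulnerable(session_user: str, view_as: Optional[str] = None) -> dict:
    """Deliberately reproduces the bug class the article describes:
    View As swaps the acting identity, the uploader still renders in that
    mode, and its token is minted for the impersonated user."""
    acting_user = view_as or session_user
    widgets = {}
    if uploader_should_appear():
        # BUG: acting_user may be the person being previewed, not the logged-in user.
        widgets["video_uploader"] = mint_token(acting_user, "publish_video")
    return {"rendered_as": acting_user, "widgets": widgets}


def render_own_profile_hardened(session_user: str, view_as: Optional[str] = None) -> dict:
    """View As is a read-only preview: no token-bearing widgets at all, and
    any token ever issued is bound to the authenticated session, not the preview."""
    acting_user = view_as or session_user
    widgets = {}
    if view_as is None and uploader_should_appear():
        widgets["video_uploader"] = mint_token(session_user, "publish_video")
    return {"rendered_as": acting_user, "widgets": widgets}


def leaked_subject(page: dict) -> Optional[str]:
    """Whom an attacker who scrapes the rendered page could act as, if anyone."""
    tok = page["widgets"].get("video_uploader")
    return token_subject(tok) if tok else None


if __name__ == "__main__":
    # An attacker previews their own profile "as" the victim.
    print("vulnerable leaks:", leaked_subject(render_own_profile_vulnerable("attacker", view_as="victim")))
    print("hardened leaks:", leaked_subject(render_own_profile_hardened("attacker", view_as="victim")))
```

The point of the hardened version is that the preview identity is never an input to token issuance: the subject of a token is always the principal who authenticated, and the preview mode renders nothing that needs a token in the first place. The generation counter shows the cheapest way to do what Facebook did after the fact, invalidating every token issued before the fix in one step rather than hunting for the stolen ones.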
The Facebook breach follows a string of recent incidents involving British Airways, Equifax and Npower. Under the new GDPR regime it has been reported that the breach could expose Facebook to a fine of up to £1.26 billion.
This isn't the first time Facebook has made headlines over its handling of user data. In March it was reported that the UK-based consultancy Cambridge Analytica had harvested the personal information of 87 million Facebook users.
That episode damaged confidence not only among users but also among advertisers, including Mozilla, maker of the Firefox web browser, which announced it would stop advertising on Facebook following the controversy.
CEO Mark Zuckerberg was quick to respond publicly to last week's breach, stating: “This is a really serious security issue. This underscores there are just constant attacks from people who are trying to take over accounts and steal information from our community. This is going to be an ongoing effort.”
According to Guy Rosen, the firm's vice-president of product management, the flaw has now been fixed and the access tokens of all affected accounts have been reset, along with those of another 40 million accounts "as a precautionary step".
The breach comes at a bad time for Facebook, which has recently come under scrutiny in the US and beyond over its ability to protect user data.
Jeff Pollard, vice-president and principal analyst at Forrester, an American market research company that advises on the existing and potential impact of technology, said: "Attackers go where the data is, and that has made Facebook an obvious target.
“The main concern here is that one feature of the platform allowed attackers to harvest the data of tens of millions of users. This indicates that Facebook needs to make limiting access to data a priority for users, APIs, and features."
Facebook has published a security notice through which you can find out whether your account was one of the 50 million affected.
Like most data breaches, this one will damage the business's reputation and image and, in the longer run, most likely its share price and profits. Facebook, which has over 2 billion monthly active users, saw its share price fall more than 3% on Friday.
With two major incidents in the space of eight months, Facebook will now be examining its systems closely to make sure they are robust against further attacks. But Facebook should not be the only one taking action. It was the unlucky target this time; your organisation could be next.
This attack was a technical exploit of Facebook's systems. Organisations are encouraged to complete Cyber Essentials Plus, a scheme that demonstrates an organisation has implemented the most important technical cyber security controls and carries out regular checks for vulnerabilities. To take Cyber Essentials into your own hands, take a look at our online Cyber Essentials course to find out how we can help.
It is also essential to understand that people remain the most vulnerable part of an organisation's defences. If you are an individual worried about your data being compromised, visit our online courses to see what steps you can take to reduce the chance of becoming a victim of online identity theft, and to limit the damage if it happens.