- In compliance with security regulations, Facebook notified the US Federal Bureau of Investigation (FBI) and the Department of Homeland Security (DHS).
- To ensure better protection, the firm has reset the access tokens of 50 million users.
On September 28, Facebook announced that malicious actors exploited a vulnerability in one of its features to compromise 50 million user accounts. The flaw existed in the ‘View As’ feature, which allows users to see what their own profile looks like to others.
The attackers used the access tokens of Facebook accounts to gain access to users’ accounts without the users’ knowledge. The vulnerability was first spotted by the media giant on September 16, 2018. However, the bug had existed since mid-2017.
In a press release, Facebook confirmed that the vulnerability in question existed since July 2017. The bug was inadvertently created when the company was making some changes to the code related to its video uploading feature. This, in turn, impacted the ‘View As’ feature.
“This attack exploited the complex interaction of multiple issues in our code. It stemmed from a change we made to our video uploading feature in July 2017, which impacted ‘View As’. The attackers not only needed to find this vulnerability and use it to get an access token, they then had to pivot from that account to others to steal more tokens,” Guy Rosen, VP of Product Management at Facebook, said in a statement.
By exploiting the bug, the attackers were able to obtain the tokens and hijack accounts. The breach impacted users of both Facebook’s Android and iOS apps: those who were signed in to their Facebook account on their devices.
Containing the breach
While Facebook says it has fixed the vulnerability, it has yet to reveal what kind of data was accessed or stolen by the hackers. In compliance with security regulations, it has also informed law enforcement agencies such as the Federal Bureau of Investigation (FBI) and the Department of Homeland Security (DHS). The firm also notified the US Congress and the Data Protection Commission in Ireland about the breach.
Facebook may be slapped with a fine
It is speculated that the European Union (EU) privacy watchdog may impose a fine of up to $1.63 billion on the social media giant if the regulators find that the company violated the GDPR privacy laws. According to the Irish Data Protection Commission (DPC), less than 10 percent of the 50 million affected accounts belong to users located in the European Union. The Irish DPC is assessing whether to open a formal probe into Facebook.
"Before we would launch any investigation there are steps that would have to be taken in relation to information gathering and preparing the scope of an inquiry. Furthermore, we would need to establish under which provisions of the Data Protection Act 2018 we would conduct it. We are currently engaged in those steps," the Irish DPC told CNBC.
Facebook notifies OAIC
Following the breach, Facebook is notifying all the major law enforcement agencies. On September 29, Facebook informed the Office of the Australian Information Commissioner (OAIC) about the breach.
According to a statement published by the OAIC, Facebook notified the Australian privacy watchdog about “an incident involving the security of Facebook accounts.” The law enforcement agency is closely monitoring the incident along with the Australian Cyber Security Centre.
“The OAIC is making inquiries with Facebook about the facts, including the number of Australians who may have been impacted by the incident,” a spokesman from OAIC said, Business Insider reported.
India seeks a report on the breach
The Indian Ministry of Electronics and IT has asked Facebook to provide a detailed report on the breach, to understand the impact on Indian users.
A top official told the Economic Times that the company has sought two days to respond with an update. Mark Zuckerberg, the founder of Facebook, said that his team is still investigating the impact of the breach, which was discovered on September 28.
“We have asked them about the impact, they wanted some time for the investigation and have committed to get back to us with a detailed report by Wednesday morning. We have, however, not sent any formal notice, but have just communicated our concerns to the company,” a spokesperson for the Indian Ministry of Electronics and IT told the Economic Times.
It is suspected that the impact of the breach could be far-reaching in India. Because Indian users also use their Facebook accounts to log in to several third-party apps such as Zomato, BigBasket, Hotstar, FreshMenu, Quora and more, they might be more severely affected. However, Facebook claimed that no external app or website has been affected by the breach.
“We have now analyzed our logs for all third-party apps installed or logged in during the attack we discovered last week. That investigation has so far found no evidence that the attackers accessed any apps using Facebook Login. Any developer using our official Facebook SDKs – and all those that have regularly checked the validity of their users' access tokens – were automatically protected when we reset people's access tokens,” Guy Rosen, VP of Product Management at Facebook said, the Independent reported.
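Rosen’s point about developers who “regularly checked the validity of their users' access tokens” is worth making concrete. The following toy model is an added illustration, not Facebook’s code or API: a hypothetical identity provider (`Issuer`) that issues bearer tokens and can revoke them en masse, and two kinds of third-party site. One re-checks the token with the issuer on every request; the other validates once and then trusts its own cache. After the issuer resets the victim’s tokens, only the re-validating site stops honouring the stolen token. All names, the `user-42` sample and the introspection interface are constructed for the example.

```python
"""Toy model of bearer-token validation at a third-party site (relying party).

Added illustration, not Facebook's code or API. It shows why a site that
re-checks each token with the identity provider is protected the moment the
provider resets tokens, while a site that validates once and then trusts its
own cache keeps honouring a token the provider has already revoked.
"""
import hashlib
import secrets
import time
from dataclasses import dataclass


def _fingerprint(secret: str) -> str:
    # Store only a hash of each bearer secret so a leaked token table
    # cannot be replayed directly.
    return hashlib.sha256(secret.encode()).hexdigest()


@dataclass
class TokenRecord:
    user_id: str
    expires_at: float


class Issuer:
    """Hypothetical identity provider that issues, introspects and revokes tokens."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._records = {}  # token fingerprint -> TokenRecord

    def issue(self, user_id: str, ttl_seconds: int = 3600) -> str:
        secret = secrets.token_urlsafe(32)
        self._records[_fingerprint(secret)] = TokenRecord(
            user_id, self._clock() + ttl_seconds)
        return secret

    def introspect(self, secret: str):
        """Return the user id for a live token, or None if unknown, expired or revoked."""
        rec = self._records.get(_fingerprint(secret))
        if rec is None or rec.expires_at <= self._clock():
            return None
        return rec.user_id

    def reset_tokens_for(self, user_ids) -> int:
        """Mass reset: every outstanding token of the given users is revoked."""
        targets = {fp for fp, rec in self._records.items() if rec.user_id in user_ids}
        for fp in targets:
            del self._records[fp]
        return len(targets)


class CachingRelyingParty:
    """Checks a token once, then trusts its own cache (the weak pattern)."""

    def __init__(self, issuer: Issuer):
        self._issuer = issuer
        self._cache = {}  # token secret -> user id

    def authenticate(self, secret: str):
        if secret in self._cache:
            return self._cache[secret]
        user_id = self._issuer.introspect(secret)
        if user_id is not None:
            self._cache[secret] = user_id
        return user_id


class RevalidatingRelyingParty:
    """Asks the issuer on every request, so revocation takes effect immediately."""

    def __init__(self, issuer: Issuer):
        self._issuer = issuer

    def authenticate(self, secret: str):
        return self._issuer.introspect(secret)


def simulate_reset() -> dict:
    """Issue -> use -> mass reset -> use again; report which site still accepts."""
    issuer = Issuer()
    caching = CachingRelyingParty(issuer)
    revalidating = RevalidatingRelyingParty(issuer)

    # Constructed sample: one user's token that has leaked to a third party.
    leaked = issuer.issue("user-42")
    before = (caching.authenticate(leaked), revalidating.authenticate(leaked))

    revoked = issuer.reset_tokens_for({"user-42"})
    after = (caching.authenticate(leaked), revalidating.authenticate(leaked))

    return {
        "revoked": revoked,
        "caching_before": before[0], "revalidating_before": before[1],
        "caching_after": after[0], "revalidating_after": after[1],
    }


if __name__ == "__main__":
    for key, value in simulate_reset().items():
        print(f"{key}: {value}")
```

The practical lesson is the one Rosen states: a relying party that caches an identity decision for the lifetime of a token has effectively extended that token’s validity beyond what the issuer controls, so a provider-side reset cannot protect its users. Re-validating on each request (or on a short interval) hands control back to the issuer, at the cost of one more round trip.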
Stolen credentials already on the Dark Web
According to a report by the UK firm Money Guru, stolen login details of Facebook users are already up for sale on the dark web for a mere $3.90. This has sparked fresh privacy fears.
“There are few better ways to gain insight into someone’s life than their social media accounts. These details are frequently stolen to sell to companies with little scruples about targeted advertising. It’s also a fast track to identity theft as they can take control of your accounts, lock you out and cause serious reputational damage in a short space of time,” Money Guru explained in a blog post.
The second breach in a row
This is the second breach Facebook has experienced this year. In March 2018, the company received flak for improperly handling the personal data of millions of users. The personal data of 87 million Facebook users was harvested by the political data firm Cambridge Analytica. A majority of affected users were from the US, followed by around 1 million users each from the UK, the Philippines, and Indonesia.
Precautionary actions taken
Facebook has reset the access tokens of 50 million users, which requires users to log in with a new password. The firm has also reset the access tokens of another 40 million accounts that have used the ‘View As’ feature in the last year, as an additional precautionary measure. That means a total of 90 million users will have to log back into Facebook. Upon logging in, “people will get a notification at the top of their News Feed explaining what happened.”
The firm has also disabled the ‘View As’ feature temporarily to carry out a thorough security review.
“We’re working hard to better understand these details — and we will update this post when we have more information, or if the facts change. In addition, if we find more affected accounts, we will immediately reset their access tokens,” said Rosen in a press release.
In addition, users have been urged to follow simple security steps to keep their Facebook accounts safe from future attacks. Here are a few simple steps you can take to keep your data safe:
- Use strong and unique passwords to lock your accounts. Using a password manager can help keep passwords encrypted, thus making them less susceptible to breaches.
- Visit the ‘Security and Login’ tab in Facebook to keep track of the services you have logged into using your Facebook login credentials. It is better to sign out of the services that you no longer use regularly.
- Enable two-factor authentication for your Facebook accounts. This provides an additional layer of security for your data.