Massive Facebook hack: 50 million accounts hacked
On Friday morning, Facebook announced that it had suffered a major security breach impacting at least 50 million of its users, and possibly as many as 90 million. Later in the day, in a follow-up announcement, it revealed that the breach affected more than just Facebook. The breach could possibly also compromise all other accounts for which people use Facebook to log in.
"This is a very serious security issue, and we're taking it very seriously," said CEO Mark Zuckerberg to reporters.
The breach comes at a crucial time for Facebook, which is still reeling from the fallout of the Cambridge Analytica scandal and is trying hard to convince its user base of more than 2 billion that the platform is now safe. The British consulting firm Cambridge Analytica harvested the personal data of up to 87 million users and unwittingly participated in an alleged massive misinformation campaign during the 2016 U.S. elections that many say put President Trump in the White House. In yet another revelation, it came to light that Facebook had shared user information with 52 tech companies and app developers even after announcing in 2015 that such access had already been revoked. Worryingly, some of these companies had been flagged by U.S. intelligence as national security threats.
How did the hack take place?
According to the social media behemoth, the hackers exploited a series of bugs related to a Facebook feature called ‘View As’ that lets users see what their profile looks like to another user. As the technology magazine Wired explained, the first bug caused Facebook's video upload tool to mistakenly show up on the ‘View As’ page. The second one caused the uploader to generate an access token—the credential that keeps you logged into your Facebook account on a device without having to sign in every time you visit—that carried the same sign-in permissions as the Facebook mobile app. Finally, when the video uploader did appear in ‘View As’ mode, it issued that access token for whichever user the hacker had chosen to view the profile as.
“This is a complex interaction of multiple bugs,” Guy Rosen, Facebook’s vice president of product, said. He added that the attacker was no novice and likely possessed some level of sophistication.
“If the attacker exploited custom and isolated vulnerabilities, and the attack was a highly targeted one, there simply might be no suitable trace or intelligence allowing investigators to connect the dots,” said Lukasz Olejnik, a security and privacy researcher and member of the W3C Technical Architecture Group.
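The bug chain above comes down to one broken invariant: a feature that previews another user's view must never mint a credential whose subject is that other user. The following is an added illustration, not Facebook's code; the token format, the scope names and the signing scheme are all constructed for this example. It shows the flawed minting path beside a hardened one, and the issuance-time check that would have caught the flaw.

```python
# Added illustration (not Facebook's code): a toy access-token issuer that
# models the "View As" flaw described above. Scope names, claim names and
# the HMAC signing scheme are constructed for this example.
import base64
import hashlib
import hmac
import json
import secrets

SIGNING_KEY = secrets.token_bytes(32)  # constructed server-side signing key

# What the mobile app is allowed to do versus what a profile preview needs.
FULL_APP_SCOPE = ("read_profile", "post", "upload_video", "manage_apps")
PREVIEW_SCOPE = ("read_profile",)


def _sign(claims: dict) -> str:
    """Serialize the claims and append an HMAC so the server can trust them."""
    body = base64.urlsafe_b64encode(
        json.dumps(claims, sort_keys=True).encode()).decode()
    mac = hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{mac}"


def parse_token(token: str) -> dict:
    """Verify the HMAC and return the claims; raise if the token was altered."""
    body, mac = token.rsplit(".", 1)
    expected = hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        raise ValueError("token signature mismatch")
    return json.loads(base64.urlsafe_b64decode(body))


def mint_token_flawed(session_user: str, viewing_as: str) -> str:
    """Models the bug: the uploader rendered inside 'View As' mints a token
    whose subject is the *previewed* user and that carries full app scope.
    session_user is ignored, which is exactly the defect."""
    return _sign({"sub": viewing_as, "scope": list(FULL_APP_SCOPE)})


def mint_token_fixed(session_user: str, viewing_as: str) -> str:
    """Hardened: the subject is always the authenticated user; the preview
    target is recorded as a separate claim and the scope is read-only."""
    return _sign({"sub": session_user, "act_as": viewing_as,
                  "scope": list(PREVIEW_SCOPE)})


def effective_identity(token: str):
    """Whose permissions does a bearer of this token get, and which ones?"""
    claims = parse_token(token)
    return claims["sub"], frozenset(claims["scope"])


def can(token: str, action: str) -> bool:
    """True if a bearer of the token may perform the named action."""
    return action in effective_identity(token)[1]


def issuance_invariant_ok(token: str, session_user: str) -> bool:
    """Check an issuer should run before handing any token out: the subject
    must be the user who actually authenticated, and a token carrying an
    impersonation claim must not exceed preview scope."""
    claims = parse_token(token)
    if claims["sub"] != session_user:
        return False
    if "act_as" in claims and not set(claims["scope"]) <= set(PREVIEW_SCOPE):
        return False
    return True
```

The point of `issuance_invariant_ok` is that it is independent of which UI component requested the token: the video uploader, the preview page or any future feature all go through the same gate, so a new embedding bug like the first one in the chain cannot silently turn a preview into a full-privilege credential for someone else.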
How serious is the hack?
Fifty million people have been affected, which is certainly a large number, and that is only the best-case scenario; the worst case would mean 90 million or more were compromised. Yet from Facebook’s point of view it is a minuscule percentage of its total user base. The second-quarter numbers for 2018 put the user base at around 2.3 billion, which means that just over 2% of users were breached. The New York Times reporter Mike Isaac has also reported that Facebook CEO Mark Zuckerberg and COO Sheryl Sandberg had their accounts compromised as part of the attack.
Beyond the impact on Facebook accounts themselves, the breach affected Facebook's implementation of Single Sign-On, which lets users use one account to log into others. The idea is to use one trusted service such as Facebook, Google or Twitter to log into sites and services across the web instead of creating a separate profile for each one. This saves time and ensures you are logging in through an entity you trust. But it also makes these services a single point of failure that, if compromised, exposes the victim's entire online identity. A breach of any of them is an internet-wide calamity, at least for those impacted.
How did Facebook respond?
Facebook responded by logging out both the 50 million people it knows were affected by the attack and another 40 million who it suspects to have been affected too. It also suspended the ‘View As’ feature until a detailed security audit is carried out.
Facebook separately said that it had invalidated data access for third-party apps for the affected individuals, meaning if you're one of the 90 million people potentially affected, you won't be able to, say, share an image from Instagram over to Facebook without changing your password.
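The two response steps described above, logging affected users out everywhere and cutting off third-party data access, are a bulk credential revocation. The following is an added example, not Facebook's code; the store layout, the per-user token generation counter and the user ids are constructed for this illustration. Bumping a per-user generation number invalidates every outstanding token for that user, including ones cached by other services, without having to enumerate them.

```python
# Added illustration (not Facebook's code): bulk revocation of sessions and
# third-party app grants for a set of affected users. The data model and
# the user/device/app ids are constructed for this example.
from dataclasses import dataclass, field


@dataclass
class UserSecurityState:
    token_generation: int = 0                       # bumped to kill all tokens
    sessions: set = field(default_factory=set)      # live session tokens
    app_grants: set = field(default_factory=set)    # third-party app ids


class AuthStore:
    def __init__(self):
        self.users = {}    # user id -> UserSecurityState
        self.tokens = {}   # token -> (user id, generation at issue time)

    def login(self, user: str, device: str) -> str:
        """Issue a session token bound to the user's current generation."""
        st = self.users.setdefault(user, UserSecurityState())
        token = f"{user}:{device}:{st.token_generation}"   # constructed format
        st.sessions.add(token)
        self.tokens[token] = (user, st.token_generation)
        return token

    def grant_app(self, user: str, app_id: str) -> None:
        """Record that a third-party app may access this user's data."""
        self.users.setdefault(user, UserSecurityState()).app_grants.add(app_id)

    def is_valid(self, token: str) -> bool:
        """A token is valid only if its generation matches the user's current one,
        so a bump invalidates tokens that are still present in the store."""
        if token not in self.tokens:
            return False
        user, gen = self.tokens[token]
        return gen == self.users[user].token_generation

    def app_allowed(self, user: str, app_id: str) -> bool:
        st = self.users.get(user)
        return st is not None and app_id in st.app_grants

    def force_reset(self, affected_users) -> dict:
        """Log the given users out everywhere and revoke third-party access.
        Returns, per user actually found, how many sessions and grants were cut."""
        summary = {}
        for user in affected_users:
            st = self.users.get(user)
            if st is None:
                continue                       # unknown id: nothing to revoke
            summary[user] = (len(st.sessions), len(st.app_grants))
            st.token_generation += 1           # every outstanding token dies
            st.sessions.clear()
            st.app_grants.clear()              # apps must be re-authorised
        return summary


def demo() -> dict:
    """Walk through: two users log in, one is marked affected and reset."""
    store = AuthStore()
    a1 = store.login("user-a", "phone")
    a2 = store.login("user-a", "laptop")
    store.grant_app("user-a", "photo-app")
    b1 = store.login("user-b", "phone")
    summary = store.force_reset(["user-a", "user-unknown"])
    a3 = store.login("user-a", "phone")         # fresh login after reset
    return {
        "summary": summary,
        "old_a_valid": (store.is_valid(a1), store.is_valid(a2)),
        "b_valid": store.is_valid(b1),
        "new_a_valid": store.is_valid(a3),
        "app_allowed": store.app_allowed("user-a", "photo-app"),
    }
```

Because `is_valid` compares generations rather than consulting the session set, a token that survived in some cache or replica is still rejected after the reset; that is what makes the generation bump a safe way to revoke credentials you cannot be sure you have fully enumerated.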
Facebook also announced that it is doubling the number of employees who work to improve security from 10,000 to 20,000. "Security is an arms race, and we're continuing to improve our defenses," Zuckerberg reiterated. "This just underscores there are constant attacks from people who are trying to underscore accounts in our community."
Zuckerberg also addressed the issue in a Facebook post.
The company said it is in the early stages of its investigation and has reported the breach to the FBI. Rosen said that the company has not yet been able to determine when the vulnerability was first exploited, who orchestrated the attack, where it came from or whether it targeted a particular subset of Facebook’s users.
Who are the hackers?
Facebook has yet to identify the hackers or where they may have originated. “We may never know,” Guy Rosen, Facebook’s vice president of product, said on a call with reporters on Friday. But if history teaches us anything, the blame will be placed on some foreign power trying to meddle in American affairs, without considering the high probability that the hacker could well be an American.
What should you do now?
We recommend that you log out from all devices you use to access Facebook, change your password and log back in. We also recommend that the new password be a strong one and not similar to your previous password.
In recent months, attempts to breach Facebook accounts have intensified. In June this year, the company announced that it had discovered a bug that made up to 14 million people’s posts publicly viewable to anyone for days. However, this is the first time in Facebook’s history that users’ entire accounts may have been compromised in a hack.
It would be naïve to assume that this was the last attack, that Facebook will be able to patch all its vulnerabilities, and that hackers will never again find a hole in its security. The truth is that Facebook is a huge company with access to data on billions of people around the globe, and its user base is growing. It will therefore remain an attractive and lucrative target for hackers who, driven by intellectual curiosity, fame, financial gain or other nefarious motives, will keep seeking new ways to breach its security.
And so there will be more bad news, and even more bad news, and more still. We will hear so much of it, daily, that eventually we will lose interest, and news about it will cease to generate outrage and viewership for the news channels. Then the money-driven media will stop reporting these breaches, and we will imagine that the hacking has stopped. That would deal a death blow to democracy. It is for this reason that USA Really will never stop reporting on issues that concern the general public. If your personal information is stolen or sold as a commodity, we will keep raising our voice and informing you.