On Friday, Facebook announced the company’s discovery of a breach that affected some 50 million users’ accounts. The tech industry giant sought to reassure its users that an engineering team was managing the problem, logging some 90 million people out of their accounts as a precautionary measure. “People’s privacy and security is incredibly important, and we’re sorry this happened,” the company wrote in a blog post detailing the hack. “It’s why we’ve taken immediate action to secure these accounts and let users know what happened.”
The hackers were apparently able to take advantage of a defect in the code for the site’s “View As” feature, an option that allows users to see how their profile page appears when accessed from another person’s account. The lapse gave the hackers access to millions of people’s access tokens, the credentials that keep a user logged in so they do not have to re-enter their password each time they visit the site. The 90 million people who had their accounts reset represent some four percent of the site’s users, who numbered 2.23 billion as of June 30.
“We face constant attacks from people who want to take over accounts or steal information around the world,” said Mark Zuckerberg, Facebook’s founder and CEO, in a post on the site. “While I’m glad we found this, fixed the vulnerability, and secured the accounts that may be at risk, the reality is we need to continue developing new tools to prevent this from happening in the first place.”
The temporary access to people’s accounts could in theory have allowed the hackers to do more than simply access and steal private information. Fully logged in, there was nothing to prevent them from posting statuses, impersonating people in chats, or directing the millions of accounts to follow public figures or republish news stories. That, however, is purely speculative, as Facebook says that so far it has found no indication that anything beyond people’s personal details – such as name and gender – was viewed during the breach. According to the company’s accounts of the incident, Facebook is still searching for the identity and location of the hackers and at the same time attempting to make sure that the problem has been fixed. In a press call, Facebook’s vice president Guy Rosen said that it’s entirely possible the company may never find the answers to those questions.
In an effort to allay public concern, the company reiterated its earlier announcement that it was hiring 10,000 new employees directly devoted to improving its security performance. That is in addition to the 10,000 existing employees responsible for the site’s security. “Security is an arms race,” said Zuckerberg, “and we’re continuing to improve our defenses.”
The pioneering social media company has been under immense scrutiny this year, however, following repeated abuses by Russian hackers circulating and artificially manipulating the popularity of fake news stories. That is in addition to the Cambridge Analytica scandal, the discovery that a political firm hired by the Trump campaign in 2016 was responsible for the misuse of user data of a similar scale. Facebook representatives argued that Cambridge Analytica – which received significant funding from the billionaire Trump supporter Robert Mercer – did not breach the company’s security in order to acquire the data, as the company routinely provides access to data for the purposes of academic research. The scandal, however, resulted from the sale of that information by one such researcher to Cambridge Analytica.
These twin crises have roiled Facebook executives, who now face the looming threats of increased government regulation around the globe. What’s more, company stock crashed an extraordinary 19 percent in late July, a 119-billion-dollar disaster for the company. After Friday’s announcement, company stock fell by some two percent.
“The bigger concern (and something we don’t know yet) is whether third party applications were impacted,” said Jake Williams, a security expert at Rendition Infosec. Williams said that third party sites and applications often accept Facebook logins as sufficient methods for accessing their own separate accounts and services. “In other words, Facebook is providing the identity management for countless other sites and services. These access tokens that were stolen show when a user is logged into Facebook and that may be enough to access a user’s account on a third party site.”
As of Friday, the misstep had already renewed calls in the United States for new regulatory legislation. Ed Mierzwinski, the senior director of the consumer advocacy group U.S. PIRG, warned that Congress should take this as one more reason “not to enact any national security or data breach legislation that weakens current state privacy laws.” Indeed, social media titans like Facebook have been at pains to preempt state and federal legislation of the industry and generally insist that it is unnecessary in the defense against such threats. With related incidents coming one after another, however, the possibility of impending federal regulation continues to increase.