Major Facebook Breach: 50m Users Compromised

Nearly 50m Facebook accounts were compromised by an attack that gave hackers the ability to take over users’ accounts, Facebook revealed on Friday 28 September. The breach was discovered by Facebook engineers on Tuesday 25 September, the company said, and patched on Thursday 27 September.

Users whose accounts were affected will be notified by Facebook. Those users will be logged out of their accounts and required to log back in.

“I’m glad we found this and fixed the vulnerability,” Mark Zuckerberg said on a conference call with reporters on Friday morning. “But it definitely is an issue that this happened in the first place. I think this underscores the attacks that our community and our services face.”

The security breach is believed to be the largest in Facebook’s history and is particularly severe because the attackers stole “access tokens”, a kind of security key that allows users to stay logged into Facebook over multiple browsing sessions without entering their password every time.

Possessing a token allows an attacker to take full control of the victim’s account, including logging into third-party applications that use Facebook Login.

The security breach comes at a time of significant strife for the social media company, which has faced mounting criticism over issues including foreign election interference, the flow of misinformation, hate speech, and data privacy.

The revelation that a political consultancy linked to the US president, Donald Trump, had obtained the personal information of tens of millions of Facebook users prompted widespread concern that the company was cavalier in its approach to privacy.

“We have a responsibility to protect your data, and if we can’t then we don’t deserve to serve you,” Zuckerberg wrote in a public apology regarding the Cambridge Analytica breach.

According to Facebook, the attacker exploited three bugs that were introduced into the site’s “view as” feature in July 2017. “View as” allows users to see what their profile looks like to other users. The company does not yet know when the hack took place, but it said that it began an investigation after discovering unusual activity on 16 September.

In addition to the 50m accounts whose access tokens were taken, Facebook said that it would require 40m additional users who used the “view as” tool since July 2017 to log out of their accounts as a precaution. This will reset those users’ access tokens, protecting their accounts.
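The response described above, forced logout to invalidate stolen tokens for known-affected accounts plus a precautionary reset for everyone who used the feature since a given date, can be modelled as a per-user "revoked before" cutoff in the session store. The following is an added illustration, not Facebook's code; the store, the user ids and the timestamps are constructed.

```python
from dataclasses import dataclass, field
from datetime import datetime


@dataclass(frozen=True)
class Token:
    """A bearer token: whoever holds it acts as user_id until it is revoked."""
    user_id: int
    issued_at: datetime


@dataclass
class TokenStore:
    """Constructed in-memory stand-in for a session/token store."""
    # user_id -> instant before which every token for that user is invalid
    revoked_before: dict = field(default_factory=dict)
    # user_id -> last time the user invoked the feature (constructed audit data)
    feature_last_used: dict = field(default_factory=dict)

    def revoke_all_for(self, user_ids, now):
        """Force-logout: every token issued at or before `now` stops working."""
        for uid in user_ids:
            self.revoked_before[uid] = now

    def precautionary_revoke(self, feature_used_since, now):
        """Revoke for all users who used the feature since the cutoff date."""
        affected = sorted(
            uid for uid, used in self.feature_last_used.items()
            if used >= feature_used_since
        )
        self.revoke_all_for(affected, now)
        return affected

    def is_valid(self, token, now):
        """Accept only tokens issued after the user's revocation cutoff."""
        cutoff = self.revoked_before.get(token.user_id)
        if cutoff is not None and token.issued_at <= cutoff:
            return False  # stolen or stale token: holder must log in again
        return token.issued_at <= now


def run_response(store, compromised_users, feature_since, now):
    """Both steps of the response; returns the precautionary set."""
    store.revoke_all_for(compromised_users, now)
    return store.precautionary_revoke(feature_since, now)
```

A fresh token issued after the cutoff validates normally, so users regain access by logging in again rather than by any further action from the service.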

The company has notified law enforcement, the vice-president of product management, Guy Rosen, said on the conference call. Rosen said that Facebook was working with the FBI, but he did not comment on whether national security agencies were involved in the investigation.

“The investigation is early, and it’s hard to discover who is behind this,” Rosen said. “We may never know.” He did note that the scale and complexity of the hack would have required “a certain level” of expertise. Dr Lukasz Olejnik, an independent cybersecurity and privacy researcher, said: “Anyone involved in this hack knew what he was doing.” Olejnik noted that whoever discovered the vulnerabilities would likely have been eligible for a “bug bounty” payment had they disclosed the bugs rather than exploited them.

Another key area of investigation is discovering the extent to which the hackers used the access tokens. The company says it has not yet seen evidence that the hackers accessed private messages or made posts on users’ behalf, but they did attempt to access certain profile information.

Rosen did not provide any details on the location of users affected, saying only that the attack seemed “broad” and investigators had not determined whether there were particular targets. The company has notified the Irish Data Protection Commission (DPC) about the breach.

The implementation of Europe’s General Data Protection Regulation (GDPR) meant that Facebook was required to notify data protection authorities within 72 hours if any affected users were in the European Economic Area.

The Irish DPC was critical in its initial response to the breach, tweeting: “At present Facebook is unable to clarify the nature of the breach & risk to users. We are pressing Facebook to urgently clarify these matters.”

News of the hack comes at the end of a week in which many of Facebook’s Silicon Valley peers testified before the US Congress about the possibility of consumer privacy regulations.

“Today’s disclosure is a reminder about the dangers posed when a small number of companies like Facebook or the credit bureau Equifax are able to accumulate so much personal data about individual Americans without adequate security measures,” said the US senator Mark Warner in a statement. “This is another sobering indicator that Congress needs to step up and take action to protect the privacy and security of social media users.”

Facebook shares fell about 3% following the disclosure.

Guardian