The year just goes from bad to worse for Facebook. The social network has revealed that it suffered a security breach which has impacted at least 50 million user accounts, with chances that as many as 90 million accounts may have been compromised in some way—the company has reset the login tokens for all of them. Facebook says that attackers exploited a vulnerability in Facebook’s code linked to “View As”, a feature that lets Facebook users see what their own profile looks like to another user. This vulnerability allowed hackers to get access to login tokens, which could then be used to take over or control user accounts—without users realizing that anything had happened. “Access tokens are the equivalent of digital keys that keep people logged in to Facebook so they don’t need to re-enter their password every time they use the app,” says Guy Rosen, VP of Product Management, Facebook, in an official statement.
When exactly did Facebook determine this?
Facebook says that the vulnerability was discovered in July 2017, after the company had made changes to the video uploading feature on the social media platform. The View As feature code gave hackers access to login tokens—the feature has since been disabled. One of the purposes of the View As feature was to enable “Happy Birthday” videos.
Who else knew?
The company clarifies that investigations started immediately, and the US Federal Bureau of Investigation (FBI) was notified soon after as well as the Department of Homeland Security, Congressional aides and the Data Protection Commission in Ireland, where the company’s European headquarters are located.
What was the problem?
A vulnerability in the code, introduced after Facebook added a new video upload feature, allowed hackers who discovered it to get access to user login tokens via the feature that lets Facebook users see how their profile would look to another visitor. The offending video uploader generated its own login tokens, which it was not supposed to do. Facebook has taken pains to explain that no user account passwords were exposed or stolen at any point.
Is your account safe?
Chances are, Facebook’s investigation, which flagged as many as 90 million potentially vulnerable accounts, has caught every affected account. If at some point after this breach you were asked to log in to your account again, that means Facebook has reset your account. If no such thing happened and you can continue to access your account as always, your account probably wasn’t compromised. Nevertheless, you should still manually log out and log back in to your Facebook account on every device you are signed in on, to reset the login data and generate new tokens.
This is not the first time Facebook has suffered breaches.
In 2013, the social media network disclosed that a software flaw had exposed the phone numbers and email addresses of 6 million users, and it took about a year before the flaw was identified and fixed. Before that, in 2008, a bug had revealed the birth dates, otherwise set as confidential, of about 80 million Facebook user profiles. The current incident, however, is the largest security breach ever for the company.
However, the bad news doesn’t end here. If you are part of the 90 million accounts that Facebook has taken corrective measures for, the problem could be worse. A hacker who accessed your account’s login tokens at some point would also have been able to access any other account you use your Facebook credentials to sign in to. This is known as Single Sign-On, where you use your Facebook login to sign up or sign in on other websites, apps and services that support the feature. “Log in with Google”, Twitter, LinkedIn or Facebook are options you often see on other websites and apps, for instance.
There is no clarity yet on how, if at all, third-party services will accept login tokens stolen by hackers when the genuine account holder is already logged in on that service. Chances are, when Facebook reset the login credentials on your primary account, the credentials used to access third-party websites were reset as well. However, you can still manually log out and then sign in again on any apps or websites that you signed in to using Facebook, to generate new tokens.
Facebook already faces legal repercussions immediately after this disclosure. California resident Carla Echavarrai and Virginia based Derrick Walker have filed a class action suit in US District Court for the Northern District of California, against Facebook. "It is shocking that after all the publicity surrounding Facebook's handling of personal information in the wake of Cambridge Analytica and its promises to do better by its users that Facebook has yet again failed to protect consumers' information from hackers," said their attorney, John Yanchunis, in an official statement.
“Our investigation is still very early, so we don’t yet know exactly the scope of the misuse and how and if accounts were actually misused,” said Facebook’s Rosen in a call with the press. That perhaps sums up the situation, wherein Facebook itself is still understanding what exactly happened.