Facebook’s worst ever security breach exposed 50 million accounts to hackers

Latest hack involved bugs in Facebook’s ‘View As’ feature which lets people see how their profiles appear to others

PUBLISHED : Saturday, 29 September, 2018, 1:28am
UPDATED : Saturday, 29 September, 2018, 9:07pm

Facebook has reported a major security breach in which 50 million user accounts – including company CEO Mark Zuckerberg – were accessed by unknown attackers.

The culprits could “seize control” of the accounts, the company said, by stealing digital keys the company uses to keep users logged in. They did so by exploiting three bugs in Facebook’s code.

The company said it fixed the bugs and logged out the 50 million breached users – plus another 40 million who were vulnerable to the attack – to reset the digital keys. Users do not need to change their Facebook passwords, it insisted.

Facebook said it does not know who was behind the attacks or where they’re based. In a call with reporters on Friday, Zuckerberg said the attackers could have seen private messages or posted on someone’s account, but there were no signs they did.

“We do not yet know if any of the accounts were actually misused,” he said.

The hack is the latest setback for Facebook during a tumultuous year of security problems and privacy issues.

This latest hack involved bugs in Facebook’s “View As” feature, which lets people see how their profiles appear to others. The attackers used that vulnerability to steal the digital keys, known as “access tokens”, from the accounts of people whose profiles were searched for using the “View As” feature. The attack then moved along from one user’s Facebook friend to another. Possession of those tokens would allow attackers to control those accounts.

One of the bugs was more than a year old and affected how the “View As” feature interacted with Facebook’s video uploading feature for posting “happy birthday” messages, said Guy Rosen, Facebook’s vice-president of product management. But it wasn’t until mid-September that Facebook noticed an uptick in unusual activity, and not until this week that it learned of the attack, Rosen said.

“We haven’t yet been able to determine if there was specific targeting” of particular accounts, Rosen said in a call with reporters. “It does seem broad.”

As a user, I want Facebook to proactively protect my data and let me know when it’s compromised
Michael Pachter, Wedbush analyst

Neither passwords nor credit card data were stolen but the company alerted the FBI and regulators in the US and Europe.

Jake Williams, a security expert at Rendition Infosec, said he is concerned the hack could have affected third party applications.

The “Facebook Login” feature lets users log into other apps and websites with their Facebook credentials. “These access tokens that were stolen show when a user is logged into Facebook and that may be enough to access a user’s account on a third party site,” he said.

Facebook confirmed late Friday that third party apps, including its Instagram app, could have been affected.

The Facebook bug is reminiscent of a much larger attack on Yahoo in which attackers compromised 3 billion accounts – enough for half of the world’s population. In the case of Yahoo, information stolen included names, email addresses, phone numbers, birth dates and security questions and answers. It was among a series of Yahoo hacks over several years.

US prosecutors later blamed Russian agents.

In Facebook’s case, it may be too early to know how sophisticated the attackers were or whether they were connected to a government, said Thomas Rid, a professor at the Johns Hopkins University.

“Nothing we’ve seen here is so sophisticated that it requires a state actor,” Rid said. “Fifty million random Facebook accounts are not interesting for any intelligence agency.”

Wedbush analyst Michael Pachter said “the most important point is that we found out from them”, meaning Facebook, as opposed to a third party.

“As a user, I want Facebook to proactively protect my data and let me know when it’s compromised,” he said.