50 Million Facebook Accounts BreachedVulnerability in 'View As' Feature Exploited
Facebook revealed Friday that it had discovered a breach that affected almost 50 million users.
"Attackers exploited a vulnerability in Facebook's code that impacted 'View As,' a feature that lets people see what their own profile looks like to someone else," Facebook says in a statement posted Friday. "This allowed them to steal Facebook access tokens, which they could then use to take over people's accounts. Access tokens are the equivalent of digital keys that keep people logged in to Facebook so they don't need to re-enter their password every time they use the app. "
Facebook says it discovered the issue Tuesday afternoon. "We've fixed the vulnerability and informed law enforcement," it says in the statement.
The company says it has reset the access tokens for the almost 50 million compromised accounts, as well as an additional 40 million accounts that have also been subject to the "View As" look-up in the last year. "As a result, around 90 million people will now have to log back into Facebook, or their apps that use Facebook login," according to the statement.
Facebook has also turned off the "View As" feature pending further investigation.
"There is no need for anyone to change their passwords," the social network giant says.
Facebook says the origin of the attacks is unknown.
"Since we've only just started our investigation, we have yet to determine whether these accounts were misused or any information accessed," the statement notes. "We're working hard to better understand these details. ... If we find more affected accounts, we will immediately reset their access tokens."
Reaction to the Revelation
Avivah Litan, vice president at Gartner Research, notes: "This Facebook data is mainly useful to either advertisers or nation-states. I doubt advertisers hacked Facebook, so I imagine this is the work of a nation-state building out its population maps for citizenry of various countries.
"For example, nation-states use these population maps to influence elections through targeted 'fake news' postings, or to target individuals for other nefarious purposes through social engineering that is now more easily enabled via this population map. They can pretend to be a 'friend' when they send someone email with a malware attachment."
Facebook didn't take security seriously enough when it built its platforms, Litan asserts. "It's playing catch up now, hopefully, since they acknowledged their serious shortcomings during the 2016 election. The problem, however, is that it will take years for them to retrofit their mega applications and platforms with security protections, so I suspect we will see more such data breaches against Facebook in the next two to three years."
Commenting on the breach, Julie Conroy, research director at the advisory firm Aite Group, observes: "This just shows how hard it is to keep ahead of the criminals; all too often it's the release of a new product feature that creates a security gap that the criminals find first. This reinforces the tenet that security strategies need to be built with the assumption that all static personal information is already in the hands of criminals."
Matthew Maglieri, CISO of Ashley Madison's parent company Ruby Life Inc., warns against "rushing to judge" Facebook in light of the breach. "As a professional who has worked with companies around the world to enhance and build their cybersecurity programs, I would say that we need to learn from incidents like these," he says. "And while we must hold each other accountable for these incidents, we also need to help each other up, to avoid belittling our peers who have gone through the worst, and to share what we know so that others can improve. If we don't, we'll only be preventing the open and honest dialogue necessary for our collective success."
Facebook is still dealing with the fallout from the Cambridge Analytica scandal. The British analytics firm may have improperly obtained the data of up to 87 million Facebook users.
And in early September, Facebook officials went to Capitol Hill to defend how its platform is combating ongoing election interference efforts by Russia. But at the same time, the White House and some Republican lawmakers launched coordinated broadsides against social media firms, accusing them of political bias, with President Donald Trump suggesting - without citing any evidence - that the firms were interfering in U.S. elections (see Facebook, Twitter Defend Fight Against Influence Operations).