The security breach Facebook announced Friday that affected 50 million users was a setback for the social media giant, which has been working for months to regain customers’ trust over how it handles their data.
In addition to the 50 million users whose log-on information could have been accessed by hackers, the company required as a precaution another 40 million to log on to be able to get on their accounts. Facebook said it reported the breach of the company’s code, which the firm said it fixed, to law enforcement.
The social media company was not sure Friday whether any personal information had been gathered or misused, but it scrambled to address the issue, which was discovered earlier in the week. Facebook users may find they have to relink their Facebook accounts to their Instagram accounts, and possibly to third-party apps, which users often log on to with their Facebook accounts.
In a call Friday with reporters, Guy Rosen, Facebook vice president of product management, said that the breach appeared to be very broad with no specific country targeted. “We’ll update with what we learn,” he said.
Focus on elections
The breach came just weeks before the U.S. midterm elections, something the company has been keenly focused on.
More than 300 Facebook workers are scouring the platform, looking for false news, fake accounts and disinformation campaigns by foreign state-sponsored operatives that may be trying to sway voters. Facebook executives have said that they did not do enough to address these issues in the run-up to other elections such as the 2016 U.S. presidential race and that they are working to fix them.
In addition, Facebook’s relationship with its 2 billion users took a hit last spring when it was disclosed that an outside researcher who was given access to Facebook data used the information for political campaigns. As a result, the company contacted users whose information might have been seen or used by the outside firm Cambridge Analytica.
“We have a responsibility to protect your data, and if we can’t, then we don’t deserve to serve you,” Facebook CEO Mark Zuckerberg said in a statement posted to his Facebook page in March.
‘View As’ tool
The company said hackers exploited the privacy feature known as “View As,” which lets users see how their own profiles would look to other people. Facebook said hackers were then able to use the security flaw to steal log-in keys, called access tokens, that could allow them to access people’s accounts.
“We’re a big fan of ‘View As’ here at EFF,” said Gennie Gebhart, associate director of research at the Electronic Frontier Foundation, the digital civil liberties group. “It’s one good way to make sure that your privacy settings are the way you want them to be. I can see what my friends see or friends of friends see.”
But by checking what a friend can see, the “View As” tool actually made one’s friend vulnerable to this hack.
A relatively new feature that allowed users to upload “Happy Birthday” videos was part of a combination of three bugs that contributed to the vulnerability, the social media firm said.
“It’s one of those weird things that daisy-chained together,” Gebhart added.
Facebook said it was shutting down “View As” until further notice.
The hackers “used the access tokens to query data, but there are no public reports of abusing the access to post updates to timelines or spread disinformation,” said Travis Smith, principal security researcher at Tripwire, a security firm. “This could be because they were only after data or it could be that their attack was cut off midstream by Facebook before they could reach their ultimate goal.”
Affected Facebook users should take some additional steps, said Gary Davis, the chief consumer security evangelist at security firm McAfee, who wrote about the Facebook hack in a blog post.
Among them, users should change their log-in information. “Since this flaw logged users out, it’s vital you change up your log-in information,” he wrote.
He also stressed users should update their Facebook apps as soon as possible.
“Facebook has already issued a fix to this vulnerability, so make sure you update immediately,” he wrote.