Any social media website should strive to include strong security algorithms in its design, as users freely share their detailed personalized information on it. The brainchild of CEO Mark Zuckerberg, Facebook hosts more than 2 billion monthly active users around the world. Being one of the top tech companies in the world, one would expect Facebook to spend a significant portion of its billion-dollar revenue on searching for and fixing existing flaws in its algorithms that could result in a potential breach. However, it was discovered that even the most tech-savvy companies are prone to vulnerabilities. On 28th September, Facebook announced that hackers had breached the accounts of 50 million users by exploiting a flaw in one of its features, in what is deemed one of the largest data breaches in history.
The point of attack was one of Facebook’s vital components: its “View As” feature. The feature enables users to preview how their profile appears to other Facebook users. A critical vulnerability in the feature allowed hackers to retrieve users’ “access tokens”, the credentials that keep users signed in to Facebook without having to enter their passwords every time they access their accounts. Using such tokens, hackers stole information from 50 million accounts, including login credentials.
Since finding out about the breach, Facebook immediately reset the digital access codes for affected users. In addition, Facebook also identified another 40 million accounts that were not breached but were vulnerable to the same defect. Guy Rosen, Facebook’s vice president of product management, said, “As a result, around 90 million people will now have to log back into Facebook, or any of their apps that use Facebook Login.” Facebook has also alerted authorities regarding the news of the attack but was unable to pinpoint who was responsible for it.
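The two mechanisms the article describes, a token minted for the wrong principal by a preview feature and a mass reset of tokens once the leak is found, can be shown with a small token service. The following is an added illustration written for this page, not Facebook's code and not a description of the actual flaw; the service, the two preview functions and the timestamps are all assumptions. The unsafe preview embeds a freshly issued token for the impersonated viewer into the response, which is exactly the kind of credential a caller should never receive; the safe preview renders with the requester's own session and issues nothing. The revocation step models the forced re-login: every token issued for the affected accounts before the cutoff stops resolving, while tokens issued afterwards still work.

```python
import secrets
from dataclasses import dataclass
from typing import Dict, Iterable, Optional


@dataclass
class AccessToken:
    value: str
    subject: str      # the account this bearer token acts as
    issued_at: float  # assumed monotonic timestamp (seconds)


class TokenService:
    """Assumed minimal bearer-token store: issue, resolve, mass-revoke."""

    def __init__(self) -> None:
        self._tokens: Dict[str, AccessToken] = {}
        # subject -> cutoff; tokens issued at or before the cutoff are dead
        self._revoked_before: Dict[str, float] = {}

    def issue(self, subject: str, now: float) -> str:
        value = secrets.token_urlsafe(32)
        self._tokens[value] = AccessToken(value, subject, now)
        return value

    def resolve(self, value: str, now: float) -> Optional[str]:
        """Return the account a token acts as, or None if unknown/revoked."""
        tok = self._tokens.get(value)
        if tok is None:
            return None
        cutoff = self._revoked_before.get(tok.subject)
        if cutoff is not None and tok.issued_at <= cutoff:
            return None
        return tok.subject

    def revoke_all_for(self, subjects: Iterable[str], now: float) -> None:
        """Incident response: invalidate every existing token for these accounts."""
        for subject in subjects:
            self._revoked_before[subject] = now


def _check_owner(svc: TokenService, session: str, owner: str, now: float) -> None:
    viewer = svc.resolve(session, now)
    if viewer is None or viewer != owner:
        raise PermissionError("only the profile owner may preview their own profile")


def render_preview_unsafe(svc: TokenService, session: str, owner: str,
                          view_as: str, now: float) -> dict:
    """Defect pattern: the preview page carries a token that acts as `view_as`."""
    _check_owner(svc, session, owner, now)
    leaked = svc.issue(view_as, now)  # credential for another account ends up in the response
    return {"profile": owner, "as_seen_by": view_as, "session_token": leaked}


def render_preview_safe(svc: TokenService, session: str, owner: str,
                        view_as: str, now: float) -> dict:
    """Hardened form: render the view, but keep acting as the requester only."""
    _check_owner(svc, session, owner, now)
    return {"profile": owner, "as_seen_by": view_as, "session_token": session}


if __name__ == "__main__":
    svc = TokenService()
    t0 = 1000.0
    alice = svc.issue("alice", t0)
    leaked = render_preview_unsafe(svc, alice, "alice", "bob", t0)["session_token"]
    print("unsafe preview token acts as:", svc.resolve(leaked, t0))   # bob
    svc.revoke_all_for(["bob"], t0 + 1)
    print("after reset, leaked token acts as:", svc.resolve(leaked, t0 + 2))  # None
```

The check that matters in review is the one on `session_token`: whatever a preview endpoint returns must resolve to the caller, never to the account being impersonated. The revocation is by issue time per account rather than by deleting rows, so it also kills copies of a token the service no longer knows about.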
The breach may also have compromised personalized information shared with third-party services, like Spotify and Airbnb. The majority of these services use Facebook Connect identity as a login feature. Gaining access to Facebook accounts would have enabled the hackers to log into these services as well, possibly undetected. However, Facebook investigated this matter at the time of the attack and found no evidence that attackers accessed any apps using Facebook Login.
In the wake of the news, a class-action lawsuit was filed against Facebook. As required by the General Data Protection Regulation (GDPR), Facebook disclosed the attack within the stipulated period of 72 hours. However, the European Union privacy watchdog could still fine Facebook up to $1.63 billion for lapses in its security protocols. This is set to be the first real test of the GDPR, which was established in early 2017 to deal with issues exactly like these.
The data breach is the latest security embarrassment for the social media giant. In early 2017, Facebook admitted that personal information from tens of millions of accounts had been mined by Cambridge Analytica for political targeting during the 2016 Presidential Election. Since then, users have started an online petition to boycott Facebook. The case has only grown stronger in the wake of the present data breach and might be a crucial blow to Mark Zuckerberg and his billion-dollar empire.