Massive Facebook Hack Put Millions at Risk
Written by Brian Barrett and Lily Hay Newman, Wired
Saturday, 29 September 2018 08:22

Hands typing on a computer keyboard. (photo: hamburg_berlin/Shutterstock)

On Friday, Facebook revealed that it had suffered a security breach that impacted at least 50 million of its users, and possibly as many as 90 million. What it failed to mention initially, but revealed in a follow-up call Friday afternoon, is that the flaw affects more than just Facebook. If your account was impacted, it means that a hacker could have accessed any account that you log into using Facebook.

That's a lot of them. You can read a fuller accounting of the hack here, but essentially it combines three bugs relating to Facebook’s “View As” feature, which lets users see what their profiles look like when other people view them. A video upload tool—intended to enable “Happy Birthday” videos—would erroneously appear on the “View As” page, and provide the access token of whomever the hacker searched for.

Facebook initially responded by logging out both the 50 million people it knows were affected by the attack, and an additional 40 million who were looked up with the “View As” tool in the last year. It also hit pause on the “View As” feature. But the second revelation Friday indicates that the fallout may be far more widespread than initially indicated.

Beyond the impact on Facebook accounts themselves, the company confirmed that the breach impacted Facebook's implementation of Single Sign-On, the practice that lets you use one account to log into others. The idea is to use a trusted service—like Facebook, Google, Twitter, and so on—to log into sites and services across the web, rather than create a unique profile for each one. That saves time, and ensures you're logging in through an entity you trust. In this case, it also appears to have potentially made Facebook's breach an internet-wide calamity, at least for those impacted.

"The access token enables someone to use the account as if they were the account holder themselves. This does mean they could access other third-party apps using Facebook login," Guy Rosen, Facebook's vice president of product, said in a call with reporters Friday. "Developers who used Facebook login will be able to detect those access tokens have been reset."

It's unclear how long those third-party sites will accept the stolen access tokens, or how difficult it would be for an attacker to use an access token to get into a third-party site.
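How long a third-party site keeps honoring a stolen token depends largely on what that site does with it. The model below is an added illustration, not code from Wired, Facebook, or any relying party: a simplified identity provider that can reset a user's tokens (the "log everyone out" step), beside two styles of relying party. The naive one checks the token once at login and then trusts its own session indefinitely; the other keeps the provider token with the session and re-introspects it on each sensitive request, so the provider's reset ends the session. All names, the `introspect` call, and the data are constructed for the example.

```python
"""Why a relying party that re-validates the identity provider's access token
notices a provider-side token reset, while one that converts the token into its
own long-lived session does not. Simplified model; constructed data only."""
import secrets
import time


class IdentityProvider:
    """Minimal IdP: issues user access tokens and can reset (invalidate) them."""

    def __init__(self):
        self._tokens = {}  # token -> user_id

    def issue_token(self, user_id):
        token = secrets.token_urlsafe(24)
        self._tokens[token] = user_id
        return token

    def introspect(self, token):
        """Stand-in for a token-introspection endpoint: owner and validity of a token."""
        user_id = self._tokens.get(token)
        return {"is_valid": user_id is not None, "user_id": user_id}

    def reset_tokens_for(self, user_ids):
        """Invalidate every outstanding token for the given users."""
        for tok, uid in list(self._tokens.items()):
            if uid in user_ids:
                del self._tokens[tok]


class NaiveRelyingParty:
    """Checks the IdP token once at login, then trusts its own session indefinitely."""

    def __init__(self, idp):
        self.idp = idp
        self._sessions = {}  # session_id -> user_id

    def login(self, token):
        info = self.idp.introspect(token)
        if not info["is_valid"]:
            return None
        sid = secrets.token_urlsafe(16)
        self._sessions[sid] = info["user_id"]
        return sid

    def current_user(self, sid):
        return self._sessions.get(sid)


class RevalidatingRelyingParty:
    """Keeps the IdP token with the session and re-introspects it once the
    cache window (recheck_after seconds) has passed, so an IdP-side reset
    terminates the local session as well."""

    def __init__(self, idp, recheck_after=0.0):
        self.idp = idp
        self.recheck_after = recheck_after
        self._sessions = {}  # session_id -> {"user_id", "token", "checked_at"}

    def login(self, token):
        info = self.idp.introspect(token)
        if not info["is_valid"]:
            return None
        sid = secrets.token_urlsafe(16)
        self._sessions[sid] = {"user_id": info["user_id"], "token": token,
                               "checked_at": time.time()}
        return sid

    def current_user(self, sid):
        sess = self._sessions.get(sid)
        if sess is None:
            return None
        if time.time() - sess["checked_at"] >= self.recheck_after:
            if not self.idp.introspect(sess["token"])["is_valid"]:
                del self._sessions[sid]  # token reset upstream: drop our session too
                return None
            sess["checked_at"] = time.time()
        return sess["user_id"]


def simulate_leak_and_reset():
    """A leaked token is used at both relying parties, then the IdP resets it.
    Returns (naive_still_logged_in, revalidating_still_logged_in)."""
    idp = IdentityProvider()
    victim = "user-1001"  # constructed identifier
    leaked_token = idp.issue_token(victim)

    naive = NaiveRelyingParty(idp)
    careful = RevalidatingRelyingParty(idp)  # recheck_after=0: re-check every request

    naive_sid = naive.login(leaked_token)
    careful_sid = careful.login(leaked_token)
    assert naive.current_user(naive_sid) == victim
    assert careful.current_user(careful_sid) == victim

    idp.reset_tokens_for({victim})  # the provider's remediation step

    return (naive.current_user(naive_sid) == victim,
            careful.current_user(careful_sid) == victim)


if __name__ == "__main__":
    print(simulate_leak_and_reset())  # (True, False)
```

The second design is the one that lets a site "detect those access tokens have been reset" in the sense Rosen describes: the reset only helps downstream if the relying party still consults the provider after login. A non-zero `recheck_after` trades some of that promptness for fewer introspection calls.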

Facebook separately says it has invalidated data access for third-party apps for the affected individuals, meaning if you're one of the 90 million people potentially affected, you won't be able to, say, share an image from Instagram over to Facebook without changing your password.

Meanwhile, Facebook has still not confirmed whether any third-party accounts were actually compromised, and still has not detailed exactly what type of data hackers could have gotten away with. (That they could gain full access to Facebook accounts gives at least a baseline: Anything and everything on your profile would have been exposed.) Facebook also declined to say exactly how long attackers took advantage of the vulnerability, which was introduced in July 2017. Fourteen months is a very large window to do potential damage.

As for how widespread the attack was, Rosen said the targeting appeared fairly broad. But New York Times reporter Mike Isaac noted that Facebook CEO Mark Zuckerberg and COO Sheryl Sandberg had their accounts compromised as part of the attack.

Facebook already faces legal challenges as a result of the disclosure; Facebook users Carla Echavarrai and Derrick Walker have filed a class action suit in California. "It is shocking that after all the publicity surrounding Facebook's handling of personal information in the wake of Cambridge Analytica and its promises to do better by its users that Facebook has yet again failed to protect consumers' information from hackers," said their attorney, John Yanchunis, in a statement.

The debacle also underscores broader concerns about Single Sign-On, which Friday turned into the ultimate object lesson in the inherent tradeoffs between security and convenience. "Single Sign-on schemes are great in the sense that the federal reserve cash vault in Atlanta is dramatically more secure than the safe at a local credit union," says Kenn White, director of the Open Crypto Audit Project. "But the downside is if a Single Sign-on gets breached you're hosed."

Sticking with one more secure sign-in does make sense, especially for use on sites that don't have the resources or inclination to invest heavily in security development. But just like you want your passwords to be unique so compromising one doesn't expose them all, account diversity is also vital online no matter how ironclad a particular sign-in scheme is. "You don't want a situation where there's one breach and your entire online identity is gone," White says.

It remains to be seen whether that's the case for 50 million—or 90 million—Facebook users. "We're just starting to work through the full scope of what we've seen here," said Rosen. For those affected, it's an excruciating wait.


+3 # NAVYVET 2018-09-29 10:54
Once again, I'm glad and relieved that I don't belong to ANY of the social media, and years ago resigned from PayPal too. They aren't always antisocial, you may not detest Zuckerberg as much as I do after hearing him on an interview about 10 years ago, but they are very, very risky for someone who hasn't much money to begin with and can't afford to have any of it stolen by hackers. And I'm spared a lot of personal anxiety--although I do worry for my relatives and friends who use Facebook or any of the other online traps for Zuckers that are equally vulnerable. I'd rather continue using online only for research.

My suggestion: Make your friends from the people you know, see and talk to personally.