For all the concerns Mark Zuckerberg’s pride and joy fends off about security and privacy, the platform had done a pretty good job keeping things on lockdown.
Aside from a few scares in recent years, Facebook had been one of the few social media networks to maintain a relatively solid record of security despite having millions of users frequent the site each day.
Anyone who knows the way data thieves think knows that the more attention a site gets, the bigger target it has on it. The reasoning is simple – when people upload more data to a site, the payoff becomes bigger for any data thief who can access said data.
And while Facebook had a long-running record of solid security, it may have experienced its biggest breach ever on the last Friday of September. The network released a statement saying that about 50 million people could’ve been affected by a security hole that allowed attackers to access people’s accounts.
The problem lay within the network’s “view as” feature. Because the page offers plenty of sharing options, some people wonder how their page looks to friends as opposed to strangers on different privacy settings. This is what the “view as” feature was meant to do – let the owner of a page view it as if they were a stranger or friend of the page.
But some code associated with that feature allowed attackers to take access tokens, which could in turn be used to take over entire accounts. The tokens aren’t necessarily passwords, but they can be used to log into the account.
It gets worse – the breach also affected third-party apps associated with Facebook. This means anyone who used Facebook to sign into other platforms, such as Instagram, could see those platforms compromised as well. Facebook took a precautionary measure and logged about 90 million people out of their accounts, and it has already informed both the FBI and the Irish Data Protection Commission.
Zuckerberg noted the seriousness of the breach on a conference call shortly after it happened, and said it underscored the constant attacks the community faces. The only other big blemish on the network’s privacy record comes from the Cambridge Analytica scandal back in March, where a UK-based consultancy firm accessed data on about 87 million Facebook accounts.
The breach may bring up more questions about the use of access tokens, which are not unique to Facebook and are granted so users don’t have to log into a website every time they visit it. There are also concerns about who exactly carried out the attack, and how they were able to spot this vulnerability before Facebook knew it existed.
It may also be revealed that more accounts were breached than originally thought. This isn’t uncommon – data breaches that affected major companies like Yahoo and Equifax in recent years were later revealed to be much worse, as the extent of the damage is hard to fully grasp in the early stages of an attack.