50 million Facebook accounts totally compromised. Fifty million people, that’s nearly the population of England. But that’s not all: an additional 40 million could have been affected too. That’s a total of 90 million people, the population of Germany and Austria combined. They announced the hack to the public, fixed it and moved on like nothing happened.
It was announced on Friday, September 28th 2018. The hackers responsible for this attack could easily take full control not only of people’s accounts on Facebook itself, but could also use those accounts to log into other sites and services that rely on the Facebook login system. The problem was supposedly discovered on Tuesday, September 25th. The developers were to fix the issue on Thursday, and the announcement followed on Friday.
What was the actual problem? The hacker or hackers responsible for this attack took control of users’ access tokens.
The Access Token is a credential that can be used by an application to access an API. It can be any type of token (such as an opaque string or a JWT) and is meant for an API. Its purpose is to inform the API that the bearer of this token has been authorized to access the API and perform specific actions (as specified by the scope that has been granted). The Access Token should be used as a Bearer credential and transmitted in an HTTP Authorization header to the API. Source
The problem was with the tool called ‘View As’, which lets you see your profile or page the way someone else sees it, for example a friend or a stranger. By using that tool you allowed your profile to get compromised.
The company also announced that the users whose accounts were affected by this hack will be notified by Facebook. As far as I know, the only way that ‘notification’ is supposed to work is that affected users will be logged out and will be required to log back in to use Facebook. So if you were logged out from Facebook, yes, it did affect you. Your account was hacked, and other sites and services you used Facebook to log into are possibly still compromised. So you might want to check all of the sites and services you used Facebook login at. Perhaps drop Facebook login and use the good old-fashioned login / password combination?
This is supposed to be the single biggest security breach in Facebook’s history. But let’s not forget the Cambridge Analytica scandal, where as many as 87 million profiles were affected (according to Facebook’s own estimates). The worst thing, yes there’s more where that came from, is that Facebook has no idea when this whole thing started. They only started looking into this after detecting some unusual activity earlier in September.
Hackers are believed not to have posted anything on behalf of the compromised accounts or accessed messages. However, they did at least try to get some specific profile information from those accounts. It’s still being investigated, though, and it’s too early to say what they got.
Privacy is important. Your right to privacy is one of your basic rights; to Facebook it doesn’t seem to matter. It’s not about the hack itself. No software is perfect, so this can happen to anyone. The problem is the people behind the company and its culture. The other problem is that people using Facebook are not properly informed about these things. Nobody reads the terms and conditions. Even if they tried, they’re not human-readable. You’d have to have a law degree to understand it all. And I do mean REALLY understand it all.
Using Facebook login might be convenient in some cases, but safe? Not anymore. Logging those users out of Facebook means the access tokens got reset, so whatever the hackers got is useless now, but still.
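To make the “access tokens got reset” step concrete, here is an added example (my own illustration, not Facebook’s code and not from the original post) of a server-side token store that revokes every token issued to affected users before an incident cutoff, so a stolen bearer token presented in the Authorization header is rejected and the user has to log back in. The TokenStore class, the user ids and the timestamps are assumptions constructed for this illustration.

```python
import secrets

# Constructed illustration of the mitigation described in the post: tokens
# issued to affected users before a cutoff are revoked, forcing re-login.
class TokenStore:
    def __init__(self):
        self._tokens = {}          # token value -> (user_id, issued_at)
        self._revoked_before = {}  # user_id -> cutoff timestamp

    def issue(self, user_id, now):
        """Log-in: mint an unguessable opaque token for this user."""
        token = secrets.token_urlsafe(32)
        self._tokens[token] = (user_id, now)
        return token

    def revoke_all_for(self, user_ids, now):
        """Incident response: every token issued to these users before `now` dies."""
        for uid in user_ids:
            self._revoked_before[uid] = now

    def authorize(self, authorization_header, now):
        """Return the user id behind 'Authorization: Bearer <token>', or None."""
        scheme, _, presented = authorization_header.partition(" ")
        if scheme != "Bearer" or not presented:
            return None
        entry = self._tokens.get(presented)
        if entry is None:
            return None
        user_id, issued_at = entry
        cutoff = self._revoked_before.get(user_id)
        if cutoff is not None and issued_at < cutoff:
            return None  # token predates the reset: a stolen copy is useless now
        return user_id


def breach_response_demo():
    """Walk through: token stolen, affected user reset, user logs back in."""
    store = TokenStore()
    t0 = 1_537_800_000  # constructed epoch timestamp (late September 2018)
    stolen = store.issue("user-42", t0)       # assume this token leaked
    untouched = store.issue("user-7", t0)     # unaffected user
    before = store.authorize(f"Bearer {stolen}", t0 + 10)
    store.revoke_all_for(["user-42"], t0 + 60)  # forced logout of affected users
    after = store.authorize(f"Bearer {stolen}", t0 + 70)
    fresh = store.issue("user-42", t0 + 80)   # the user logs back in
    relogin = store.authorize(f"Bearer {fresh}", t0 + 90)
    other = store.authorize(f"Bearer {untouched}", t0 + 90)
    return before, after, relogin, other
```

The same cutoff check is what a third-party site relying on Facebook login would need to apply when it validates the token on its side, otherwise a reset at Facebook does nothing for sessions already established elsewhere.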
Apart from this entire situation, there’s more on the Facebook front. Another scandal started surfacing in the last few days. Do you remember when Facebook asked you for your phone number for “Security Purposes” and wrote that it won’t be shared? Yeah… Facebook recently admitted to passing those phone numbers to advertisers. They are also suspected of getting your phone number from other people’s contact books. Because why not? There’s a good and detailed article written about this whole thing here.
Let’s take a moment and remember the mighty sobering quote we got from Mark himself when Facebook was just starting:
Zuck: Yeah so if you ever need info about anyone at Harvard
Zuck: Just ask.
Zuck: I have over 4,000 emails, pictures, addresses, SNS
[Redacted Name]: What? How’d you manage that one?
Zuck: People just submitted it.
Zuck: I don’t know why.
Zuck: They “trust me”
Zuck: Dumb fucks. Source
Mark Zuckerberg said during a conference call with reporters: “This is a very serious security issue, and we’re taking it very seriously.” I can only guess that after the conference call ended he added: “Dumb fucks”.