Facebook is in the hot seat again. Last Friday, Facebook disclosed that attackers had exploited a vulnerability created by the interaction of three separate bugs, affecting nearly 50 million Facebook accounts. According to Guy Rosen, vice president of product management, the attackers used Facebook's "View As" feature to steal access tokens, allowing them to take over people's accounts. Facebook described these tokens as the equivalent of digital keys: they keep users logged into the app so they do not have to retype their password each time, which is exactly why a stolen token gives an attacker the same access as the account owner.
Rosen said the company has fixed the security vulnerability and notified law enforcement of the breach.
Facebook also reset the access tokens for the nearly 50 million accounts that were impacted, along with an additional 40 million accounts "that have been subject to a 'View As' look-up in the last year." This means that about 90 million Facebook users will have to log back into their Facebook apps, and into any apps where they sign in via Facebook, since the reset invalidates the tokens those apps relied on as well. Once logged back in, Facebook users will see a notification at the top of their News Feed explaining the situation.
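The reset described above, invalidating tokens for tens of millions of accounts at once, is only practical if the server does not have to hunt down each token. The following is an added example, not Facebook's code, of one common way to do that: every account carries a "generation" counter, each token records the counter value at issue time, and a reset is a single increment, which kills every outstanding token for that account, including the ones held by third-party apps that used the login. The store layout, the hashed-token table, and the account and client names ("victim", "looked_up", "third-party-relying-party") are assumptions for the demonstration.

```python
"""Bulk invalidation of bearer access tokens via per-user generation counters.

Added example (not Facebook's code). Assumptions: tokens are random bearer
secrets stored server-side only as SHA-256 hashes, every token records the
owner's "generation" at issue time, and a reset is a counter increment. The
user and client labels below are constructed for the demonstration.
"""
import hashlib
import secrets
from dataclasses import dataclass, field
from typing import Dict, Iterable, Optional


@dataclass
class TokenRecord:
    user_id: str
    generation: int   # owner's generation counter when the token was issued
    client: str       # who holds it: first-party app or a "Login with" relying party


@dataclass
class TokenStore:
    tokens: Dict[str, TokenRecord] = field(default_factory=dict)  # sha256(token) -> record
    generation: Dict[str, int] = field(default_factory=dict)      # user_id -> current counter

    @staticmethod
    def _key(token: str) -> str:
        # Store only a hash, so a dump of the table does not yield usable tokens.
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, user_id: str, client: str = "first-party-app") -> str:
        token = secrets.token_urlsafe(32)
        gen = self.generation.setdefault(user_id, 0)
        self.tokens[self._key(token)] = TokenRecord(user_id, gen, client)
        return token

    def validate(self, token: str) -> Optional[str]:
        """Return the owning user_id if the token is live, else None."""
        rec = self.tokens.get(self._key(token))
        if rec is None:
            return None
        if rec.generation != self.generation.get(rec.user_id, 0):
            # Issued before the owner's last reset: dead for every client,
            # including third-party apps that relied on the login.
            return None
        return rec.user_id

    def reset_users(self, user_ids: Iterable[str]) -> int:
        """Invalidate every outstanding token of each listed user; return users touched."""
        count = 0
        for uid in set(user_ids):
            self.generation[uid] = self.generation.get(uid, 0) + 1
            count += 1
        return count

    def purge_dead(self) -> int:
        """Optional housekeeping: drop records that can no longer validate."""
        dead = [k for k, r in self.tokens.items()
                if r.generation != self.generation.get(r.user_id, 0)]
        for k in dead:
            del self.tokens[k]
        return len(dead)


def demo() -> dict:
    """Reset one impacted account and one 'looked-up' account; report what survives."""
    store = TokenStore()
    victim_app = store.issue("victim")
    victim_rp = store.issue("victim", client="third-party-relying-party")
    stolen = store.issue("victim")             # models a token the attacker obtained
    looked_up_app = store.issue("looked_up")   # account viewed via the feature, reset as a precaution
    bystander = store.issue("bystander")       # unaffected account, must stay logged in

    reset_count = store.reset_users(["victim", "looked_up", "victim"])  # duplicates are harmless
    relogin = store.issue("victim")            # fresh login after the forced logout

    return {
        "reset_count": reset_count,
        "stolen_live": store.validate(stolen) is not None,
        "victim_app_live": store.validate(victim_app) is not None,
        "victim_rp_live": store.validate(victim_rp) is not None,
        "looked_up_live": store.validate(looked_up_app) is not None,
        "bystander_live": store.validate(bystander) is not None,
        "relogin_user": store.validate(relogin),
        "purged": store.purge_dead(),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The design choice worth noting is that the attacker's stolen token dies without the server ever knowing which token was stolen; the reset is scoped by account, not by token, which is what makes a precautionary reset of 40 million "looked-up" accounts cheap. The cost is borne by users and by relying parties, who all have to re-authenticate.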
As an added precaution, Facebook is temporarily disabling the “View As” feature until the company can be certain it no longer poses a risk to Facebook users.
"This attack exploited the complex interaction of multiple issues in our code. It stemmed from a change we made to our video uploading feature in July 2017, which impacted 'View As,'" said Rosen. "The attackers not only needed to find this vulnerability and use it to get an access token, they then had to pivot from that account to others to steal more tokens."
As of Friday, Facebook did not know who was responsible for the attack or whether personal information was accessed or used.
“People’s privacy and security is incredibly important, and we’re sorry this happened. It’s why we’ve taken immediate action to secure these accounts and let users know what happened. There’s no need for anyone to change their passwords,” Rosen said.
He advised users having trouble logging in to visit the Facebook Help Center. He also suggested that users who are concerned about other, non-Facebook apps where they have used their Facebook login go to Security and Login in settings and review the apps and websites that have been granted access to their Facebook account.
In a Facebook video, Rosen explained the company’s handling of the breach.
“By Thursday, we had already fixed the issue, and we were protecting the security of people’s accounts by logging them out of Facebook,” said Rosen. “This is a very serious thing and we are investing a lot on safety and security. This is a top priority for us as a company.”
“There is a lot of good on Facebook but there is also abuse, and it is our responsibility to get ahead of it and to protect the security of people’s accounts,” Rosen said.
To that end, the company is doubling its safety and security team from 10,000 to 20,000 this year. This may not be enough to satisfy Irish regulators, though. The Guardian reported that the Irish Data Protection Commission is investigating the breach and could fine the company up to $1.63 billion, since Facebook's EU operations are subject to GDPR. The Spanish Data Protection Agency has also said it will investigate.
From a PR standpoint, Facebook appears to have acted swiftly to correct the vulnerabilities and disclosed information to the public and the media fairly quickly. However, the damage is done. Facebook is already suffering from a tarnished reputation after the Cambridge Analytica scandal this spring. This is one more mark against Facebook. It may not cause a loss of daily or monthly users, but it could be cause for concern by advertisers and brands that rely on Facebook as a marketing and promotional channel. Even more importantly, this may be the first data breach where GDPR will be put to the test. Will the EU make Facebook an example?