In a statement on Friday, Facebook informed users that it had discovered a security issue affecting almost 50 million accounts. The breach had taken place three days earlier, on the afternoon of 25 September. The company has informed the FBI and the Irish Data Protection Commission. Facebook said the investigation is in its early stages and it doesn’t yet know who was behind the attacks.
What caused the breach?
Apparently the “View As” feature, which lets people see what their profile looks like to other people, was the source of the vulnerability. The attackers started by viewing a Facebook profile they had access to as another user. In some cases, viewing a profile as another person caused the tool for posting a birthday video to appear when it should not have. Then, because of a further bug in the video tool, the attackers were able to generate an access token for the user they were viewing as, rather than for themselves. An access token is what keeps a person logged in without re-entering their password, so by chaining these bugs the attackers could steal tokens and use them to take over people’s accounts.
Facebook has since disabled the feature while it conducts its internal investigation.
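The bug class described above, a preview mode that hands out a credential for the account being previewed instead of the account that actually logged in, is easy to model. The following is an added illustration, not Facebook’s code and not a description of its systems: every name here (`Session`, `view_as`, `widget_token_vulnerable`, `widget_token_hardened`, `revoke_all_tokens`) is invented, and the token format is a toy HMAC scheme. It shows the vulnerable shape beside a hardened one, and the server-side equivalent of the forced logout Facebook used as a response, where invalidating a user’s token generation kills every token issued before it.

```python
from dataclasses import dataclass
from typing import Dict, Optional
import hashlib
import hmac
import secrets

# Constructed per-process signing key for the demo; a real service would use a managed secret.
SERVER_KEY = secrets.token_bytes(32)

# Per-user token generation counter. Bumping it invalidates every token issued
# before the bump, which is the server-side equivalent of "logging everyone out".
_generation: Dict[str, int] = {}


@dataclass
class Session:
    principal: str                 # the account that actually authenticated
    view_as: Optional[str] = None  # account whose perspective is being previewed, if any


def mint_token(user: str) -> str:
    """Issue a bearer token bound to `user` and to that user's current generation."""
    gen = _generation.get(user, 0)
    nonce = secrets.token_hex(8)
    payload = f"{user}:{gen}:{nonce}"
    mac = hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}:{mac}"


def token_subject(token: str) -> Optional[str]:
    """Return the user a token belongs to, or None if it is forged or revoked."""
    try:
        user, gen, nonce, mac = token.split(":")
    except ValueError:
        return None
    payload = f"{user}:{gen}:{nonce}"
    expected = hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return None
    if int(gen) != _generation.get(user, 0):
        return None  # issued before a revocation, so no longer valid
    return user


def revoke_all_tokens(user: str) -> None:
    """Invalidate every outstanding token for `user` (the forced-logout response)."""
    _generation[user] = _generation.get(user, 0) + 1


# --- the vulnerable shape: token issued for the *effective* identity --------

def widget_token_vulnerable(session: Session) -> str:
    """An embedded widget asks for a token for whoever the page is rendering as.

    In preview mode that is the account being viewed, so the caller walks away
    with a token for someone else's account."""
    effective = session.view_as or session.principal
    return mint_token(effective)


# --- the hardened shape: tokens bind to the authenticated principal only ----

def widget_token_hardened(session: Session) -> Optional[str]:
    """A read-only preview never issues a token at all; outside preview, the
    token is bound to the principal who actually logged in."""
    if session.view_as is not None:
        return None
    return mint_token(session.principal)


if __name__ == "__main__":
    preview = Session(principal="alice", view_as="bob")
    print("vulnerable preview token belongs to:", token_subject(widget_token_vulnerable(preview)))
    print("hardened preview token:", widget_token_hardened(preview))
    own = widget_token_hardened(Session(principal="alice"))
    revoke_all_tokens("alice")
    print("alice's token after revocation:", token_subject(own))
```

The two fixes are independent: binding tokens to the authenticated principal stops a preview from ever minting a credential for the viewed account, and the generation counter gives the operator a way to invalidate every token at once when a leak is suspected, without knowing which individual tokens were taken.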
Are you affected?
If you’ve been affected by the breach, Facebook logged you out of your account yesterday. The social network said it would also notify these people in a message on top of their News Feed about what happened.
However, an important thing to note: if you were logged out, you weren’t necessarily breached. Facebook has also logged out everyone who used the ‘View As’ feature since the vulnerability was introduced as a “precautionary measure”. The social network says this will require another 40 million people or more to log back into their accounts, adding: “We do not currently have any evidence that suggests these accounts have been compromised.”
Another important issue arises from the fact that this breach affects more than users’ Facebook profiles: it also affects third-party sites on which users have signed in using Facebook as a log-in method, since a stolen Facebook token can be used there too. Facebook encourages those affected to change their passwords for those sites as well.
All this comes as Facebook has been under intense scrutiny for its ability to keep the data of its more than 2 billion users safe. The company is still reeling from its Cambridge Analytica scandal in March, in which a UK-based digital consultancy harvested the personal information of 87 million Facebook users.
Many of the 50 million customers breached will reside in Europe, so their data does fall under the EU General Data Protection Regulation (GDPR). We don’t know exactly what information has been impacted. Fines apply to sensitive and personal data such as credit card details, which Facebook initially said had not been affected. However, if the attackers accessed personal messages, all kinds of sensitive information could have been breached.
Although less than 10% of the 50 million users affected by the recent breach lived in the European Union, according to the Irish Data Protection Commission (IDPC), Facebook still could be liable for up to $1.63bn in fines, or four percent of its $40.7bn in annual global revenue for the previous financial year, if the EU determines it didn’t do enough to protect users’ security.