Facebook is back in the headlines over user privacy and personal information exposure after an attack on its network. The social media giant admitted that at least 50 million users may have had their personal information compromised in the attack, which has been called the largest breach in the company's 14-year history. Beyond the exposure of user data, the attackers also obtained control of user accounts, allowing them to potentially pose as those users or view their private information.
The breach has been traced to code vulnerabilities in the "View As" feature, which lets users see their own profile as someone else would see it, and in code related to uploading birthday videos. In combination, these bugs caused the site to generate an access token for the user being viewed rather than for the viewer, and attackers were able to harvest those tokens and use them to log in as the affected accounts. Some industry experts are also suggesting that affiliated services such as Spotify and Instagram may have been compromised as a result, since a Facebook token can be used to sign in to services that offer "Log in with Facebook". Investigation of the extent of the breach is still underway, and it is unclear whether specific individuals were targeted. Likewise, it is still unknown whether the attack was carried out by nation-state actors or a hacker collective. Facebook has confirmed that it is working with law enforcement and that all of the vulnerabilities have now been patched. It has also reset the access tokens of every account that was observed using the "View As" feature during the last year, so those users must log in again, at which point they are greeted with a security notification. Additionally, Facebook has temporarily disabled the "View As" feature while it conducts further security assessments.
The news comes as Facebook is still recovering from the Cambridge Analytica scandal, which led to a congressional hearing involving Facebook's senior executives and revealed that millions of users had their information collected by third parties for political campaigns. This latest breach has renewed calls for government regulation of social media policies and procedures. As more developments emerge, this story is likely to weigh heavily on the future of social media platforms.
Proficio Threat Intelligence Recommendations:
- Consider the possible risks of allowing employees to access social media at work, and make appropriate guidelines and/or changes to your organization's AUP.
- Review the social media accounts your organization uses and develop policies regarding what information can be shared via social media accounts.
- Individuals should read the FTC’s recommendations for consumers, located here:
Facebook Security Update Announcement – Click Here