Facebook has already been having a difficult time gaining trust from its user base, mainly due to a data breach that involved Cambridge Analytica. Now, the company has announced that a recent hack, which occurred in September, exposed the information of about 30 million users. In this blog, I will be telling you about this security breach, as well as my take on it.

What Happened
Between September 14 and 27, attackers used access tokens and a flaw in the View As feature to gain unauthorized access to millions of Facebook accounts and obtain certain account information. Facebook identified the activity as a malicious attack on September 25, 2018, and closed the vulnerability two days later. The hackers stole access tokens for 30 million accounts, which allowed them to gain complete access to those profiles; this was revised down from an initial estimate of 50 million affected accounts, which is rare in the cyber security realm because hacks usually turn out to be much worse than initially thought.
The following is a video that was released soon after the attack was revealed. It contains information about what was initially thought to have happened regarding the hack.
What Was Stolen?
So now a bit about what exactly was stolen, accessed, and/or hacked. From the 30 million accounts affected, the hackers accessed basic contact information, such as name, email, and/or phone number, for 14 million accounts. They also gained access to additional information including gender, religion, location, and device information. For 15 million accounts, the 15 most recent searches were accessed, and for the remaining 1 million accounts, no info was accessed.
No data was taken from 3rd party apps, including Instagram, Messenger, and WhatsApp, linked to the accounts, and there is no indication the hackers posted any content while logged in. Also, it is unclear what exactly the hackers plan to do with the stolen data.
Even though not many accounts were affected, the data stolen was quite personal.
How The Hack Was Undertaken
Before I explain how the hack was executed, I want to define two terms, the View As feature and access tokens. View As is a feature that allows people to see what their own profile looks like to someone else. Access tokens are the equivalent of digital keys that keep people logged in to Facebook so they don’t need to re-enter their password every time they return to the social network.
The hack was possible because of the complex interaction of three bugs in the Facebook system; this flaw has existed since July 2017. The first bug, as explained by Guy Rosen, Facebook’s vice president of product management, caused a video uploader to show up on View As pages, on certain kinds of posts, encouraging people to post happy birthday greetings. In normal circumstances, the video uploader would not have shown up.
The second bug caused the video uploader to generate an access token that had permission to log into the Facebook mobile app. The third bug was that when the video uploader showed up as a part of the View As feature it generated a new access token for the hackers, giving them access to the account of the person they were pretending to be.
With this process, the hackers used an automated technique to move from account to account, stealing access tokens from a user’s friends, then from friends of those friends, and so on. This totaled about 400,000 users, who acted as an entry point for the hackers and were the worst affected.
The technique automatically loaded those accounts’ Facebook profiles, mirroring what these 400,000 people would have seen when looking at their own profiles. That included posts on their timelines, their lists of friends, groups they are members of, and the names of recent Messenger conversations. Message content was not available to the attackers, with one exception: if a person was a Page admin whose Page had received a message from someone on Facebook, the content of those conversations was available to the attackers.
Using a portion of these 400,000 people’s lists of friends, the attackers stole access tokens for about 30 million people.
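To make the three-bug interaction concrete, here is an added example (a toy model written for this post, not Facebook's code) that shows a widget minting a token for the previewed account, next to a hardened version. The class names, function names and scope labels are all assumptions made for illustration.

```python
# Toy model constructed for illustration; not Facebook's code.
import secrets
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class RenderContext:
    session_user: str               # authenticated account making the request
    view_as: Optional[str] = None   # account being simulated by View As, if any

    @property
    def displayed_as(self) -> str:
        # Identity used for display decisions only.
        return self.view_as or self.session_user

@dataclass(frozen=True)
class AccessToken:
    subject: str   # account the token logs in as
    scope: str     # hypothetical scope label
    value: str

def _mint(subject: str, scope: str) -> AccessToken:
    return AccessToken(subject, scope, secrets.token_urlsafe(16))

def uploader_token_vulnerable(ctx: RenderContext) -> Optional[AccessToken]:
    # Bug 1: the uploader renders inside View As (no read-only check).
    # Bug 2: it asks for a login-capable scope instead of an upload-only one.
    # Bug 3: the token subject is the simulated account, not the session user.
    return _mint(ctx.displayed_as, "mobile_app_login")

def uploader_token_hardened(ctx: RenderContext) -> Optional[AccessToken]:
    # View As is a read-only preview: interactive widgets get no token at all.
    if ctx.view_as is not None:
        return None
    # Tokens are bound to the authenticated session and scoped to the task.
    return _mint(ctx.session_user, "video_upload")

def demo() -> dict:
    preview = RenderContext(session_user="alice", view_as="bob")
    normal = RenderContext(session_user="alice")
    return {
        "vulnerable_subject": uploader_token_vulnerable(preview).subject,
        "hardened_preview": uploader_token_hardened(preview),
        "hardened_normal_subject": uploader_token_hardened(normal).subject,
    }

if __name__ == "__main__":
    print(demo())
```

The lesson for reviewers is that any code path running under a simulated identity should derive credentials from the authenticated session only, and should request the narrowest scope the feature needs.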
People have no idea who exactly was behind the attack, but an article published by The Wall Street Journal on September 17 reported that the people behind the attack were possibly Facebook and Instagram spammers who claim to run a ‘digital marketing company’.
The attack could not have been related to the upcoming US Midterm Elections because the breakdown of the number of users affected by country is fairly broad. This also leads people to believe that the attack was not state-sponsored.
Steps Facebook Is Taking
The hackers were sloppy enough that Facebook was able to detect their work simply by noticing the large volume of access to user account tokens. Facebook detected the first spike of activity on September 14 and identified it as a malicious attack 11 days later, on September 25. The company closed the vulnerability two days later and reported the attack to users and privacy officials, in accordance with breach disclosure laws, on September 28. It also forced 90 million users to log out and then back in, and invalidated their access tokens temporarily.
Facebook has said that it takes these incidents really, really seriously. It has pledged to notify all 30 million users through its Help Center in the coming days and will send customized messages to let them know what information of theirs was stolen. The company is currently working with the FBI to investigate the hack and determine who was behind it.
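The kind of detection described above, spotting a spike in token issuance and then invalidating the affected tokens, can be sketched as follows. This is an added example, not Facebook's detection logic; the log format, the threshold factor and the account names are constructed for illustration.

```python
# Added sketch: flag hours where token issuance from one source far exceeds
# its usual rate, then collect the accounts whose tokens should be revoked.
from collections import Counter, defaultdict
from statistics import median

def build_sample_log():
    # Constructed events in the form "<hour> <source> <account>".
    lines = []
    for hour in range(6):                      # quiet baseline: 2 per hour
        for n in range(2):
            lines.append(f"2018-01-01T{hour:02d} view_as user{hour}_{n}")
    for n in range(40):                        # burst within a single hour
        lines.append(f"2018-01-01T06 view_as victim{n}")
    return lines

def find_spikes(lines, factor=5.0):
    per_bucket = Counter()
    accounts = defaultdict(set)
    for line in lines:
        hour, source, account = line.split()
        per_bucket[(source, hour)] += 1
        accounts[(source, hour)].add(account)
    flagged = {}
    for source in {s for s, _ in per_bucket}:
        counts = {h: c for (s, h), c in per_bucket.items() if s == source}
        # The median is robust to the burst itself inflating the baseline.
        baseline = max(median(counts.values()), 1)
        for hour, count in counts.items():
            if count > factor * baseline:
                flagged[(source, hour)] = accounts[(source, hour)]
    return flagged

def accounts_to_revoke(flagged):
    # Every account that received a token in a flagged window gets logged out.
    revoke = set()
    for group in flagged.values():
        revoke |= group
    return revoke

if __name__ == "__main__":
    spikes = find_spikes(build_sample_log())
    print(sorted(spikes), len(accounts_to_revoke(spikes)))
```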
What People Have To Say
This hack has been a blow to Facebook’s credibility, and people are worried about the harmful effects of an attack that stole such personal information.
According to BuzzFeed’s Charlie Warzel, this is a privacy disaster. The ripple effects may go unnoticed for weeks or months, but as long as users’ deeply personal information is floating around the internet, it is exposed and open to misuse.
Will Oremus from Slate tweeted that unlike a password, location and search histories aren’t things you can change. If your password is stolen, you change your password. The damage is done and you move on, but if all your identifying personal information is stolen, you can’t change anything. It could haunt you for the rest of your life.
My Take
In my opinion, data hacks are becoming far too common; they are becoming a norm, and that should not be. As technology advances, steps must be taken to secure people’s personal information and give users privacy. People trust companies with their information, and companies must honor that trust.
I chose this article to show how harmful hacks can be, in the short-term and long-term. Not only do they steal users’ personal information, but they also harm the trust people have with companies.
This recent Facebook hack is a huge blow to the trust people have in Facebook, which is already quite low. Once credibility is lost, it is hard to regain, and Facebook will definitely struggle to regain trust from its users. Even though this attack was not entirely Facebook’s fault, the social network should have done more to make its users’ personal information harder for hackers to get a hold of. If a company cannot take care of its users’ data and keep it secure, that company does not deserve to be trusted.
Regarding the people who had their data stolen, they will always worry about it being misused, as their personal information is in the hands of people who can do anything with it.
This was a summary of what has so far happened involving Facebook’s recent hack. I used The Verge’s article for this blog. For further information, you can visit Android Central’s article on this topic or Engadget’s article.

Your web journals are astounding! I extremely like perusing Technology Current news thus I saw yours and the title was interesting to the point that I kept on perusing endlessly. In all actuality Facebook should higher their private security since this may wind up being a major issue. Fantastic Job!