In an ironic twist that Mark Twain would have been proud of Facebook’s most recent and largest breach to date stems from a feature Facebook added to give users more control over their privacy!
“View As” Gives More Than a View
Two bugs in Facebook’s “view as” feature were exploited by hackers. The flaws enabled them to get control of so-called Access Tokens, which allowed them to be logged in as genuine Facebook users without having to use their password. Ouch! I guess my 20 character randomly generated password wasn’t much of a deterrent when you have a backdoor like that!
All told, nearly 50 million user accounts were compromised on Facebook including those of Mark Zuckerberg himself and Sheryl Sandberg, Facebook’s COO. When you factor in that many people use their Facebook account to access other services such as Spotify, Tinder and hundreds of others, the extent of the compromised accounts grows to staggering.
Do We Have Your Attention Now?
Facebook was already arguably under more scrutiny than any other company for its past security transgressions such as those involving Cambridge Analytica and “Fake News” but this latest episode is sure to garner the attention of even more individuals, lawyers and regulators both here and abroad. Two individuals here in the US have already filed lawsuits that they hope will become class-action lawsuits.
GPDR Could Cost Billions
GPDR went into effect on May 25th of this year and that may have serious consequences for Facebook. If Facebook is found to be in breach of GPDR for failing to adequately protect user data they could be facing the largest security related fine in history. Under GPDR, a guilty party faces a fine of 20 Million Euro or 4% of revenue, whichever is larger. In this case, 4% of revenue represents a whopping $1.63 billion!
The Final Irony
Stories spread rapidly on Facebook. Real news and fake news alike and Facebook has taken tremendous heat for allowing fake news stories to proliferate across their platform. But, what is fake and what is real? And, with 2.2 billion users, who decides?
Well in the final ironic twist to this story Facebook was the one place you couldn’t learn about the latest breach. Why? So many users posted stories about the breach that Facebook’s spam filters thought the actions looked suspicious and removed them for looking like spam “fake news” stories!
Social networks such as Facebook pose a tremendous threat to the privacy of individuals and corporations who choose to use them. The use of a single Facebook login to access multiple properties means that the breach of a singular system, in fact, represents the breach of potentially hundreds. Extreme caution with social media has always been advised and this latest breach drives that home. While convenient, using shared credentials for access should be avoided as a security best practice.