90 million users! That's how many people got affected because of the Facebook data breach from last week. In this post, we get to the bottom of this to find out why the Facebook data breach is way more harmful than you think.
Before we get into why the Facebook data breach is more harmful than what it appears to be, let's just understand what exactly happened in this data breach.
What was the Facebook Data Breach All About
"On the afternoon of Tuesday, September 25, our engineering team discovered a security issue affecting almost 50 million accounts," Guy Rosen, Facebook's VP of Product, wrote. "Attackers exploited a vulnerability in Facebook's code that impacted 'View As,' a feature that lets people see what their own profile looks like to someone else."
"This allowed them to steal Facebook access tokens which they could then use to take over people's accounts," he added. "Access tokens are the equivalent of digital keys that keep people logged in to Facebook so they don’t need to re-enter their password every time they use the app."
Access token or access cookies or session tokens are basically bits of code that help you stay logged into something like Facebook even if you reboot your device. Essentially, this came in as a solution to the fact that people hated logging into frequently used applications again and again.
After a deeper examination, the team at Facebook explained that the vulnerability was because of a combination of three different bugs:
Bug 1 occurred in the “View As” feature which allowed the user to upload a video in a happy birthday message.
Bug 2 was with the video uploader which incorrectly generated an access tag with permission to the Facebook mobile app.
Bug 3 was more of a lottery because it allowed an access token to be generated for the profile being looked up rather than the one viewing it.
Pedro Canahuati, Vice President of Engineering, Security and Privacy, said: “The attackers were then able to pivot from that access token to other accounts, performing the same actions and obtaining further access tokens.”
Is Your Facebook Account Affected?
According to Facebook, 50 million user accounts were affected but they reset the access tokens for 90 million users. If your account was affected, you would have been logged out automatically. You would have needed to log back in by entering your username and password again.
What you don't need to worry about is your password. Access tokens do not store passwords. So, you don't need to change your password either.
Now we come to the most important thing with this data breach.
Why is the Facebook Data Breach More Harmful Than You Think
The Equifax breach from last September affected 145 million Americans. So, if you compare this breach with that of Equifax, it might seem that 50 million accounts isn't much. But it's not the sheer size that makes the Facebook data breach worrying. Facebook collects tons of personal information, a lot of which you don't even realize your are providing. And while this might seem trivial to some it can actually be quite damaging.
“Most data breaches involve financial information, but your Facebook account can be misused in a number of ways that are harmful,” says Justin Brookman, the director of consumer privacy and technology policy for Consumers Union, the advocacy division of Consumer Reports. “Accessing your private communications and posts by itself is pretty invasive, but that information could also be used to crack account security questions or to scam you and your friends.”
Facebook is a Gateway to Many Other Accounts
In today's digital world, it is extremely difficult to safeguard information. Many companies have fallen prey to security attacks that have resulted in major breaches. In fact, you would have noticed banks now ask for personal information to validate your security - things like mother's maiden name, pet's name, your school, or where you grew up in, etc.
Now think about all the personal information that is available about you on Facebook. Most of us would have all these things easily available or have it in a way that is easy to figure out. This is what opens the door to further damages by hackers.
Knowing specific things enables hackers to look legitimate and take advantage.
What You Can Do After the Facebook Data Breach
First thing, just because Facebook asks you to fill in your hometown, or your best friend, or your mom doesn't mean you have to give it to them. Make sure you always check your privacy settings as well.
Do not put anything on Facebook that you wouldn't mind being in public domain. When you think about this make sure you think about the things we mentioned above and see how each information you provide links to other things.
Examine every link you click on the internet. If you find something fishy, more often than not, it might better avoided. Don’t assume that a website is legitimate just because its URL starts with “https.” Encryption is available to everyone.
Be careful of weird attachments from unknown people on your email as well as Facebook messages. These might contain malware.
Guard your financial information. There is absolutely no reason to share this with anyone over an unsecured channel. Even banks will always ask you to enter such information after they connect you to a secure line.
Check which apps or services you login to using Facebook login. Preferably, disable Facebook login and switch to conventional email or username password based login.
If you are a business, get your network and apps secure with penetration testing!
It is very easy for vulnerabilities to be missed. More often than not, security vulnerabilities are just sitting in business systems for months or years. Perform regular checks using penetration testing tools and services to discover and fix vulnerabilities in a timely manner.
If you need any help with penetration testing for your mobile or web apps, feel free to drop us a note and we'll help you figure out a way to be safe.