On September 28, Facebook announced that it had discovered a breach affecting nearly 50 million Facebook users. Bad actors exploited the “View As” feature of the site, combined with a video upload feature, to gain access tokens enabling account access.
While it is unclear when the breach occurred, it likely happened after the video upload feature was introduced in July 2017. Facebook has since fixed the bugs in the code and prevented their further exploitation. It has also removed the “View As” feature pending further research.
Per Facebook, the investigation into the breach is still in its early stages. It is unclear how much data was stolen, and how it has been used. Authorities have been notified and the investigation is ongoing.
As a precautionary measure, Facebook has enforced a mandatory logout of over 90 million users. It has advised users that they do not need to change their passwords, and that logging back in should suffice. It has offered apologies to users, and assured them of the importance of their future data security.
ACA Aponix Guidance
Jose Ramos, GXPN, OSCE, CEH and certified penetration testing specialist at ACA Aponix, explains why the size of Facebook’s platform increases the risk of a breach: “The average social media user is not aware of the complex back-end functionality used by social media platforms such as Facebook. Most of these platforms consist of a plethora of data managed by complex code and databases. The problem is that even a minor coding bug can be leveraged by attackers to extract an enormous amount of data. Large databases, such as Facebook, would have a large attack surface vs. that of a smaller organization. When you pair a skilled attacker, a large database, and constant change, a sizable breach becomes inevitable.”
Alex Scheinman, PhD, Director of ACA Aponix’s Privacy Practice, explains why the Facebook breach also has implications in the areas of data privacy, reputational risk, and regulatory compliance, particularly GDPR: “This incident serves as a stark reminder that failure to implement appropriate security and privacy controls to address your firm’s personal data risks may lead to significant regulatory enforcement actions under applicable data protection regulations, such as the EU’s General Data Protection Regulation. Facebook has filed a breach notification with the Irish Data Protection Authority, with potential fines of $1.6 billion. This incident can also serve as a reminder of the considerable negative publicity and reputational harm that firms can face when they fail to meet their obligations to safeguard the personal data they have been entrusted to protect.”
What You Can Do
ACA Aponix recommends taking the following precautionary measures regarding the Facebook breach and other potential breaches:
- Closely monitor credit cards and other financial records for unusual activity.
- Assume that your static consumer data is likely already available on the dark web’s cyber underground.
- Place a security freeze with the major consumer credit bureaus, so that your personal information is used only at your active request.
- Apply security updates and install future updates as soon as they are released.
How ACA Aponix Can Help
ACA Aponix offers the following solutions that can help your firm protect itself from breaches or related cybersecurity risks:
- Cybersecurity and technology risk assessments
- Penetration testing and vulnerability assessments
- Phishing testing and cyber awareness training
- Vendor diligence and management
For More Information
If you have any questions, please contact your ACA Aponix consultant or email us at email@example.com.