Facebook has been struggling to regain its reputation after the Cambridge Analytica data scandal, and the road to recovery hasn’t been an easy one so far. Have you noticed that you’ve been logged out of your Facebook account? That is because on Sept. 25 the giant social network discovered evidence of a security breach affecting almost 50 million user accounts. The hack allowed attackers to take over user accounts directly and to gain access to the websites those users logged into with Facebook. Researchers say that if Facebook’s Single Sign-On tool, which lets you use your Facebook account to access other sites and services instead of creating a unique password for every site (a frictionless shortcut many of us, myself included, have taken when making an account on some website), had been implemented differently, the breach would not have reached the scale it did. Hackers could potentially have accessed everything from people’s private messages on Tinder to their passport information on Expedia, all without leaving a trace. This raises a few alarming concerns and questions. What is the impact of a stolen account? What kinds of data could the hackers scrape and abuse? How should victims of a data breach react, and what steps should they take next?
How the Hack Happened
It’s important to note that data breaches and hacks are nothing new to Facebook. Sources say that the vulnerability behind this incident was known in July 2017, when developers began to notice suspiciously high user access on the website. Facebook announced that hackers had leveraged three separate bugs to collect the access tokens of 50 million users; an access token is the equivalent of a digital key to a Facebook account. When you enter your name and password on sites and apps, your browser or device is issued an access token, which keeps you logged in without your having to enter your credentials every time. With those tokens, hackers can take full control of users’ Facebook accounts, and because of the Single Sign-On feature that Facebook offers to a variety of companies, they can also access any other website that those 50 million users log into with Facebook. As soon as Facebook discovered the vulnerability, it immediately reset the roughly 50 million affected accounts and another 40 million accounts that could potentially have been affected. Affected users also had their Instagram and Oculus accounts de-linked. Facebook has also contacted the FBI. So far, there has been no sign of identity or credit card theft, and it seemed unlikely that private messages were accessed; however, the hackers did try to access user data that could have included gender, hometown, name, and other personal details. In controlled experiments that simulated reaching these third-party sites with Facebook user access tokens, researchers found the level of access unnerving: you could track someone’s trips in real time on Uber (pretty disturbing to know that someone you’ve never met or seen in your life can keep tabs on where your Uber is traveling to), read users’ private messages on Tinder while they still appeared as “unread” to the affected account, and pilfer passport numbers and TSA information from Expedia.
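To make the token mechanics concrete, here is an added illustration (my own toy code, not Facebook’s) of an identity provider that issues bearer tokens and can invalidate every outstanding token for a user at once, which is what the account resets described above amount to. The class, the token format, the `whoami`/`reset_sessions` names and the user `alice` are assumptions made for this example; user ids are assumed not to contain a colon.

```python
import hashlib
import hmac
import os
import secrets


class TokenIssuer:
    """Toy identity provider (illustration, not Facebook's design).

    Tokens look like '<user>:<generation>:<nonce>.<mac>'. Each user has a
    generation counter; bumping it invalidates every token issued before.
    """

    def __init__(self):
        self._key = secrets.token_bytes(32)   # server-side MAC key, never sent to clients
        self._users = {}                       # user -> (salt, pbkdf2 hash of the password)
        self._generation = {}                  # user -> current token generation

    def register(self, user, password):
        salt = os.urandom(16)
        self._users[user] = (salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000))
        self._generation[user] = 1

    def login(self, user, password):
        """Returns a bearer token on a correct password, otherwise None."""
        rec = self._users.get(user)
        if rec is None:
            return None
        salt, digest = rec
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        if not hmac.compare_digest(digest, candidate):
            return None
        return self._issue(user)

    def _issue(self, user):
        payload = f"{user}:{self._generation[user]}:{secrets.token_hex(8)}"
        mac = hmac.new(self._key, payload.encode(), hashlib.sha256).hexdigest()
        return f"{payload}.{mac}"

    def whoami(self, token):
        """What a relying party learns from a presented token: the user, or None."""
        payload, sep, mac = token.rpartition(".")
        if not sep:
            return None
        expected = hmac.new(self._key, payload.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(mac, expected):
            return None                       # forged or tampered token
        user, generation, _nonce = payload.split(":", 2)
        if self._generation.get(user) != int(generation):
            return None                       # issued before this account's sessions were reset
        return user

    def reset_sessions(self, user):
        """The breach response: bump the generation so every existing token stops working."""
        self._generation[user] += 1


def stolen_token_timeline():
    """Constructed scenario: Alice logs in, a copy of her token leaks, Facebook-style reset follows."""
    idp = TokenIssuer()
    idp.register("alice", "correct horse battery staple")
    stolen = idp.login("alice", "correct horse battery staple")   # the attacker holds only this string
    before = idp.whoami(stolen)          # "alice": the bare token is a full key to the account
    idp.reset_sessions("alice")
    after = idp.whoami(stolen)           # None: the stolen copy is now worthless
    fresh = idp.whoami(idp.login("alice", "correct horse battery staple"))   # "alice": she logs in again
    return before, after, fresh
```

The point of the timeline is that nothing in the stolen token itself changes; the reset works because the server stops honouring the generation the token was minted under, which is why Facebook could cut attackers off without asking anyone for a new password.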
Reactions to this Issue
This hack has caused a lot of stir. Two people have filed a class-action complaint alleging that the company’s lack of appropriate security increased their susceptibility to identity theft. New York Attorney General Barbara Underwood said: “We’re looking into Facebook’s massive data breach. New Yorkers deserve to know that their information will be protected.” The FTC and Senator Mark Warner of Virginia have further pushed for an investigation, and members of the U.K. Parliament are renewing their demands that CEO Mark Zuckerberg testify before them. So there are a lot of international political players on the stage here. In addition, if Facebook is found liable under the EU General Data Protection Regulation, a key piece of data privacy law, it could incur a $1.63 billion fine.
Key Stakeholders in this Issue
Part of what makes this attack so scary is the fact that Facebook is a platform connecting people to many different sites. There are ways that third-party companies can and should protect their users in case an incident like this happens and Single Sign-On is breached. Websites that use the feature can either log you in automatically if you’re already logged into Facebook somewhere else in your browser, or they can require you to enter your Facebook password every single time you log into the company’s website. The latter is obviously more secure: it adds an extra layer of protection, because the hackers would then need more than the user’s access token, they would need the password as well.
However, in an audit of the most popular web and mobile sites that use Facebook Single Sign-On, including Uber, Airbnb, Expedia, The NYT, and the Washington Post, only about two out of 95 web/mobile sites required passwords. It’s a classic case of companies prioritizing usability and reduced friction over security. These third-party sites could also let users view activity on their accounts, leaving a “digital trail of crumbs” that would expose any unauthorized access. However, only 10 out of 95 of those sites offer this, which means it could be really difficult to catch perpetrators or cut them off once they have access.
Researchers have also investigated other factors to understand the scope of danger from this attack. Here are some spooky statistics:
- Out of 29 sites, 15 allow hackers to change an account’s email address without entering a password.
- Out of those 15, 6 allow the password to be reset without entering the old password.
- If you have registered on a website with the same email address that is associated with your Facebook account but have never logged in there using Single Sign-On, and an attacker then logs into that website using Facebook’s Single Sign-On, the site will recognize and associate the two accounts. (This means that even if you have a Facebook account and have never used it to log onto any other website, an attacker who has your user access token could still infiltrate your account on that website this way.)
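The audit findings above (password re-entry versus token-only login, the missing activity trail, email changes and password resets without the current password, and silent account linking by email address) all come down to a handful of decisions in the third-party site’s login code. The following is an added example, my own toy relying party and not code from the researchers’ audit or from any real site, that replays those findings against a deliberately weak configuration and a hardened one. The stand-in identity provider, its token format, the user `alice@example.com`, the flag names and the event names in the activity trail are all assumptions made for this illustration; passwords are kept in plaintext only to keep the toy short.

```python
import secrets
from dataclasses import dataclass, field

# Constructed stand-in for the identity provider (Facebook's role in the audit); toy plaintext passwords.
IDP_USERS = {"alice@example.com": {"id": "fb-1001", "password": "alice-idp-password"}}
IDP_TOKENS = {"tok-alice-longlived": {"email": "alice@example.com", "fresh": False}}  # long-lived bearer token

def idp_profile(token):
    """What a site learns from a presented token, or None if the token is unknown."""
    entry = IDP_TOKENS.get(token)
    if entry is None:
        return None
    return {"id": IDP_USERS[entry["email"]]["id"], "email": entry["email"], "fresh": entry["fresh"]}

def idp_reauthenticate(email, password):
    """Re-prompting for the IdP password yields a one-use token marked fresh; a stolen token alone cannot."""
    user = IDP_USERS.get(email)
    if user is None or user["password"] != password:
        return None
    token = "fresh-" + secrets.token_hex(8)
    IDP_TOKENS[token] = {"email": email, "fresh": True}
    return token

def note(acct, event):
    """Append to the account's activity log, the site's 'digital trail of crumbs'."""
    if acct is not None:
        acct.activity.append(event)

@dataclass
class Account:
    email: str
    password: str = None                            # None for accounts that only ever used SSO
    idp_id: str = None
    activity: list = field(default_factory=list)

class RelyingParty:
    """A third-party site; the three flags pick the weak or the hardened behaviour."""
    def __init__(self, *, require_fresh_login, auto_link_by_email, verify_password_on_change):
        self.require_fresh_login = require_fresh_login
        self.auto_link_by_email = auto_link_by_email
        self.verify_password_on_change = verify_password_on_change
        self.by_email, self.by_idp_id = {}, {}
    def register_local(self, email, password):
        self.by_email[email] = Account(email=email, password=password)
        return self.by_email[email]
    def sso_login(self, token):
        profile = idp_profile(token)
        if profile is None:
            return None
        acct = self.by_idp_id.get(profile["id"])
        local = self.by_email.get(profile["email"])
        if self.require_fresh_login and not profile["fresh"]:
            note(acct or local, "sso_denied_stale_token")         # HARDENED: the token alone is not enough
            return None
        if profile["fresh"]:
            del IDP_TOKENS[token]                                  # fresh tokens are single use
        if acct is None:
            if local is not None and not self.auto_link_by_email:
                note(local, "sso_link_refused")                   # HARDENED: no silent merge by email
                return None
            acct = local or Account(email=profile["email"])        # WEAK sites merge here; new users are created
            acct.idp_id = profile["id"]
            self.by_email[acct.email], self.by_idp_id[profile["id"]] = acct, acct
        note(acct, "sso_login")
        return acct
    def _password_ok(self, acct, supplied):
        if not self.verify_password_on_change:
            return True                                            # WEAK: no proof of the current password
        return acct.password is not None and supplied == acct.password  # SSO-only accounts are denied outright
    def change_email(self, acct, new_email, current_password=None):
        if not self._password_ok(acct, current_password):
            note(acct, "email_change_denied")
            return False
        del self.by_email[acct.email]
        acct.email, self.by_email[new_email] = new_email, acct
        note(acct, "email_changed")
        return True
    def reset_password(self, acct, new_password, old_password=None):
        if not self._password_ok(acct, old_password):
            note(acct, "password_reset_denied")
            return False
        acct.password = new_password
        note(acct, "password_reset")
        return True

def run_scenarios():
    """Replays the audit's findings; the attacker holds only Alice's long-lived token (constructed)."""
    stolen = "tok-alice-longlived"
    weak = RelyingParty(require_fresh_login=False, auto_link_by_email=True, verify_password_on_change=False)
    hard = RelyingParty(require_fresh_login=True, auto_link_by_email=False, verify_password_on_change=True)
    weak.register_local("alice@example.com", "site-pw")           # Alice never used SSO on either site
    alice_hard = hard.register_local("alice@example.com", "site-pw")
    out = {}
    acct = weak.sso_login(stolen)
    out["weak_token_login_merged_local_account"] = acct is not None and acct.password == "site-pw"
    out["weak_email_change_no_password"] = weak.change_email(acct, "attacker@example.net")
    out["weak_password_reset_no_old_password"] = weak.reset_password(acct, "owned")
    out["hard_stale_token_login"] = hard.sso_login(stolen) is not None
    fresh = idp_reauthenticate("alice@example.com", "alice-idp-password")  # only Alice knows this password
    out["hard_fresh_token_auto_link"] = hard.sso_login(fresh) is not None
    out["hard_email_change_no_password"] = hard.change_email(alice_hard, "attacker@example.net")
    out["hard_email_change_with_password"] = hard.change_email(alice_hard, "alice@example.net", "site-pw")
    out["hard_trail"] = list(alice_hard.activity)
    return out
```

On the weak site the stolen token is enough to log in, it is quietly merged into Alice’s pre-existing local account, and the email address and password can then be changed with no further proof, leaving no record. On the hardened site the same token is refused because it was not freshly obtained with the Facebook password, the account is not linked by email address without Alice’s involvement, sensitive changes require the site password, and every denied attempt lands in the activity trail where Alice (or the site’s own monitoring) can see it.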
So, how do we exert damage control over this darkly powerful incident? The same researchers who ran the experiment have a suggestion: Single Sign-Off. As great as it is to be connected so seamlessly from platform to platform, this heightened connectivity poses a greater risk. The responsibility does not fall solely on Facebook, but also on the companies that have partnered with Facebook to simplify access and make it easier to gain more customers to swipe, click, and shop on their sites and apps.
Information and data access are the new ammunition in an informational warfare with dire consequences. With a giant platform like Facebook, which has about 2.23 billion users, extra scrutiny is a must, and it will be interesting to see how Facebook attempts to mitigate the risks and damage from this incident and whether the reset of people’s accounts was sufficient to do so. Personally, I think I will stop choosing to “log in with Facebook” even though it’s minutes faster than creating a separate account name and password, and I will look into de-syncing a lot of the accounts I’ve logged into with Facebook (and there are a fair number of them) just as a safety measure.