Facebook data breach affects 30 million people
In announcing a data breach in 2018, at first Facebook said 50 million people's data had been accessed, then 30 million - but the data accessed was more sensitive than they thought at first. After investigation, the company explained that it had identified four stages of attack with a different group of victims affected in each one. The attackers used an automated technique to move from the first small group of accounts they controlled to others, stealing access tokens of friends and friends of friends. From the first 400,000 accounts the attackers accessed timeline posts, lists of friends and group memberships. In the second, affecting 15 million, the attackers picked up profile information such as phone numbers and email addresses. From the third group, 14 million people, the attackers gathered the most sensitive information, including the full range of personal details, the last ten places they checked in from or were tagged in, the websites, people, and pages they followed, and their 15 most recent searches. From the final group of 1 million people the attackers were unable to gain any information.
The source of the hack was two bugs in Facebook's "View As" feature, which allows users to see their profiles as they appear to others, and one in a tool for uploading birthday videos. The combined effect was to enable the attacker to collect the access token for any user they searched for. Among the compromised accounts were those of Facebook CEO Mark Zuckerberg and COO Sheryl Sandberg.
A complicating factor was that many people use Facebook logins as a single sign-on for sites across the web; an attacker in possession of a user's token could access any of those accounts, too, as if they were the user themselves. The company said it invalidated data access for third-party apps for the individuals affected. However, a study from the University of Illinois at Chicago found that some of the web's most popular sites had not implemented basic security precautions that could have limited users' exposure - such as requiring users to type in their passwords for each login or view account activity to check for unauthorised access. For some sites the privacy loss may be minimal; however, the researchers found that compromised accounts could let them track trips on Uber, read private messages on Tinder, and copy passport numbers and TSA information on Expedia.
Writer: Lorenzo Franceschi-Bicchierai; Brian Barrett and Lily Hay Newman; Issie Lapowsky; Mike Isaac and Sheera Frenkel
Publication: Motherboard; Wired; New York Times