The social network is working to fix the privacy intrusion into 50 million accounts that took place recently in order to ensure that it is not repeated.
For users, Facebook’s revelation of a data breach that gave attackers access to 50 million accounts raises an important question: ‘What happens next?’
For the owners of the affected accounts, and of another 40 million that Facebook put at risk, the first order of business may be a simple one: sign back into the app. Facebook logged everyone out of all 90 million accounts in order to reset digital keys the hackers had stolen — keys normally used to keep users logged in, but which could also give outsiders full control of the compromised accounts.
Next up is the waiting game, as Facebook continues its investigation and users scan for notifications that their accounts were targeted by the hackers.
What Facebook knows so far is that hackers got access to the 50 million accounts by exploiting three distinct bugs in Facebook’s code that allowed them to steal those digital keys, technically known as “access tokens.” The company says it has fixed the bugs.
Users don’t need to change their passwords, it said, although security experts say it couldn’t hurt to do so.
The social-networking website, however, doesn’t know who was behind the attacks or where they’re based. CEO Mark Zuckerberg — whose personal account was also compromised — said that attackers would have had the ability to view private messages or post on someone’s account, but there’s no sign that they did.
The hack is the latest setback for Facebook during a tumultuous year of security problems and privacy issues. So far, though, none of these issues has significantly shaken the confidence of the company’s two billion global users.
This latest hack involved bugs in Facebook’s “View As” feature, which lets people see how their profiles appear to others. The attack then moved along from one user’s Facebook friend to another. Possession of those tokens would allow attackers to control those accounts.
However, neither passwords nor credit card data was stolen, said Guy Rosen, Facebook’s vice president of product management. He said the company has alerted the FBI and regulators in the US and Europe.
Facebook confirmed that third-party apps, including its own Instagram app, could have been affected.
News broke early this year that a data analytics firm once employed by the Trump campaign, Cambridge Analytica, had improperly gained access to personal data from millions of user profiles. Then a congressional investigation found that agents from Russia and other countries have been posting fake political ads since at least 2016. In April, Zuckerberg appeared at a congressional hearing focused on Facebook’s privacy practices.
The Facebook bug is reminiscent of a much larger attack on Yahoo in which attackers compromised 3 billion accounts — enough for half of the world’s entire population. In the case of Yahoo, information stolen included names, email addresses, phone numbers, birthdates and security questions and answers.
In Facebook’s case, it may be too early to know how sophisticated the attackers were and if they were connected to a nation state, said Thomas Rid, a professor at the Johns Hopkins University. Rid said it could also be spammers or criminals.
“Nothing we’ve seen here is so sophisticated that it requires a state actor,” Rid said. “Fifty million random Facebook accounts are not interesting for any intelligence agency.”

















