No matter how strong a password you set for your Facebook account, you should know there is one entity that can access it without your knowledge whenever it’s given reason to do so. It’s not the government, although they indeed might be interested in this particular “hack,” too. It’s Facebook. That’s right, Facebook holds the power to log into the accounts of any of its more than 2.2 billion users, a fact it kept secret until now.
Only a “small group” of Facebook employees have permission to access any profile without the knowledge of the owner, according to The Wall Street Journal. But if you’re a Facebook employee, an alert dubbed internally the “Sauron alert” will tell you that someone has logging into your account.
The same protections do not exist for the regular Facebook user, which proves yet again that Facebook has a double standard stance on user privacy.
Facebook does have a reason for not disclosing this capability. However, that’s not good enough considering what we’ve been learning about Facebook for the past few weeks. Here’s what a Facebook spokesperson had to say about the matter:
In thinking about how we could do something similar for everyone, there are a number of important considerations that come into play—for example, how we can avoid tipping off bad actors or hindering our work to prevent real world harm in cases of abuse or other sensitive situations.
It’s very likely the public at large would not have found out about Facebook’s backdoor were it not for a Facebook employee who abused these privileges to snoop on private user information. Facebook’s chief security officer told The Journal that employees who abuse these controls will be fired.
Apparently, the actions of the people who do hold the universal key to all Facebook accounts are closely monitored by their supervisors, and they must provide legitimate reasons for accessing someone else’s account. However, they’re able to obtain extremely sensitive information, the kind that you don’t share with others:
The privilege entitles these personnel to view information that users typically consider private, such as pictures and posts they have shared only with friends, or unencrypted private messages, one of the people said.
And it turns out that multiple employees have been fired for improperly accessing user data. You. Don’t. Say.
The Sauron alert notifies Facebook employees via email or notice inside a Facebook account that their account was accessed by privileged colleagues. The feature has been in use for years, apparently, and it’s mostly used for testing features and dealing with bugs.
It’s unclear how Facebook can log into anyone’s account, or exactly what valid reasons are for these breaches. On top of privacy concerns, should we also be worried about hackers finding a way to access user accounts now that they know this backdoor exists?