Carolyn Everson, Facebook’s vice president of global marketing solutions, was as ominous as she could be during an Advertising Week panel today in describing whoever recently hacked Facebook to potentially gain control of tens of millions of user accounts.
First, she said, it was an attack that required the hacker or hackers “to understand three different bugs.” In terms of whoever actually pulled it off, she went on to compare them to an “odorless, weightless intruder” that wormed into the company’s systems which Facebook could only detect “once they made a certain move.”
To be sure, headlines about another hack at Facebook — it’s like, on one hand, do they still surprise anyone anymore? You’d be forgiven at this point for thinking the social networking giant is about as secure as that big house down on the corner where the old man lives who keeps spying on everybody and somehow is always forgetting to lock his doors and windows. There they are again, the blue lights that signal a police investigation into another break-in there.
Let’s be clear, though. News that emerged Friday of multiple bugs that reportedly exposed the accounts of some 50 million people drastically underplayed the reality here. Without getting too geeky, a Business Insider report today makes clear the breach “also affected services for which people use Facebook to log in, such as Tinder, Spotify, and Airbnb. At this point, no one knows precisely how much data hackers took off with, though it’s clear they would have had full access to victims’ profiles.”
Making the potential damage from this data breach, the report continues, something on a scale that far surpasses the Cambridge Analytica flap. Indeed, it’s not out of the realm of possibility that Facebook could be looking at billions of dollars of its market value evaporating because of this, and, again per BI, “even if the hackers miraculously stole very little, the fact it happened to a company entrusted with 2 billion people’s information is astonishing. And it is all due to the company’s early, hacky approach to growth and its apparently boundless greed.”
What do they mean by that? If you’ve ever used Facebook’s “View As” feature, you’ll know it was designed to make you feel like you had control of your privacy (LOL, in light of this next part). You could use it to view your profile as someone else, ostensibly to make sure the outside world was seeing only the information you wanted it to see. Turns out, though, that feature was coded extremely poorly. So poorly that a video upload tool would sometimes appear when users were using the feature. “The uploader,” BI explains, “would then generate the access token for whoever’s profile users were looking up. Simply put, this potentially gave hackers access to millions of Facebook profiles.”
It doesn’t stop there, of course. Facebook has also since acknowledged that third-party sites that let users login via their Facebook ID could also have been improperly accessed as a result of this breach. Jason Polakis, an assistant professor of computer science at the University of Illinois at Chicago, explained in a tweet thread here that users need to be on the lookout for suspicious off-Facebook activity, since using the access tokens means someone could have accessed a third-party site connected to a Facebook account — even if that Facebook user has never accessed that site before.
Another stunning piece of news from Polakis:
An unexpected finding during our experiments was that when attackers use hijacked FB tokens (i.e., cookies) to access the user’s FB account, the attacker’s session *didn’t* show up in the list of active sessions if the attacker stayed connected for less than 60 mins. (4/n)
— jason polakis (@jpolakis) September 29, 2018
NBC offers some steps that users should take as as result of this breach. First, go to the “Security and Login” settings in Facebook:
- “Check “Where you’re logged in” for suspicious sessions. If you see any, click the dots beside the session and then click ‘Not You?’ to report it to Facebook.
- While there, you can get notifications if someone tries to access your Facebook profile in the section titled ‘Setting Up Extra Security.'”