Facebook announced on Friday it had discovered a security breach affecting almost 50 million user accounts. The company says attackers exploited a vulnerability within the “View As” feature — a setting that lets users see what their profile looks like to other users. Currently, Facebook doesn’t know if the attackers have misused the hacked accounts or accessed any information.
The Security Breach. On September 25, Facebook’s engineering team discovered a security vulnerability in the app’s “View As” feature that resulted in 50 user million accounts being breached. According to Facebook’s announcement, the attackers were able to steal Facebook access tokens from code attached to the “View As” feature, and leverage the tokens to take over user accounts. (Access tokens are the digital keys that allow users to remain logged in without having to enter their password every time they access their account.)
From Facebook’s announcement:
This attack exploited the complex interaction of multiple issues in our code. It stemmed from a change we made to our video uploading feature in July 2017, which impacted “View As.” The attackers not only needed to find this vulnerability and use it to get an access token, they then had to pivot from that account to others to steal more tokens.
Facebook says it does not know how much damage has been done as it just started the investigation. It is unaware if the hacked accounts have been misused or if any information was accessed. The company also reports it doesn’t not know who was behind the attacks or where they were based.
Facebook’s response. Facebook says it has fixed the vulnerability and is temporarily turning off the “View As” feature while it conducts a security review. In addition to announcing the security breach, the company has informed law enforcement.
The access tokens for the 50 million accounts that were hacked have been reset, along with access tokens for an additional 40 million accounts that were subject to a “View As” look-up during the past year (as a precautionary step). The combined 90 million users who have had access tokens reset will have to log back into their accounts as they have been automatically logged out by Facebook.
The company says users who have been logged out will see a notification at the top of their News Feed explaining what happened when they log back in, but the three Marketing Land staff members who had to log back into their accounts did not see any such notification.
A continuing pattern. Facebook’s security issues are an ongoing dilemma. In addition to its own choice to play it fast and loose with user data — a business decision that resulted in the Cambridge Analytica crisis — the company has had to announce multiple security breaches this year. In June, the company apologized for a bug that accidentally set 14 million users privacy status to the public without their knowledge. In September, it reported a glitch in the system that allowed users with both an app and Facebook Ads account to access Facebook Analytics data of other apps.
Today’s security breach is different as it was an outside force attacking millions of user accounts. This is more in line with the attacks on Facebook, Twitter and Google reported in August. Although, even then, the 652 Pages Facebook removed were taken down for coordinated malicious behaviour. Facebook’s latest security breach is separate from coordinated behaviour by bad actors — this is bad actors finding a way into Facebook’s system to hack user accounts and, potentially, use stolen accounts for malicious behaviour.
Why marketers should care. Facebook’s constant battle to safeguard its platform is taking a toll on users. The company suffered slow user growth during Q2, and according to a September Pew Research Center report, 42% of Facebook users have decreased their daily activity on the platform, with 26% deleting the app from their phone.
Facebook ad targeting capabilities are strong, but how effective will they be if the people, continue to lose trust in the platform? There is also the added security concerns for brand and advertiser Pages. Facebook only mentioned “user accounts” being hacked, but the possibility of a brand’s — or political candidate’s — Page being attacked is a potential threat for any marketer or advertiser.