Facebook Breach: Data, Dollars, Tokens and Trust
To maintain trust, organizations often invest in security controls to mitigate the potential for a data breach, but what happens when something slips through the cracks? On September 25, 2018, social media giant Facebook notified users of a massive data breach affecting over 50 million individuals.
How Did it Happen?
The breach involved deficiencies in Facebook’s “View As” feature. This commonly used feature allows users to view how their profiles appear to other users. Attackers managed to use this functionality to steal access tokens from the accounts of people whose profiles were searched using the feature. From here, the attack daisy-chained from one user’s Facebook friend to the next, collecting access tokens along the way.
Fortunately, once discovered, Facebook acted quickly to patch the vulnerability. Unfortunately, at this point, it was too late. In an organization as large as Facebook, the damage had been done. Too little, too late.
Cyber-security Definition: Access tokens contain security credentials for login sessions that identify the user, the user’s groups, the user’s privileges and, in some instances, a particular application.
Facebook still isn’t sure what kind of client information has been compromised; however, they are certain the hack affected those who use Facebook to log into other accounts, such as Instagram, Tinder and other third-party apps that use this login function. Based on the above statistics, the potential exposure of user information is extensive.
Facebook Inc. faces a potential $1.63 billion fine as the EU’s privacy watchdog investigates whether the social network violated the European Union’s privacy law, GDPR.
Beyond the threat of fines, there is the priceless issue of user confidence and trust. Perhaps more valuable than any fine, the damage done has become so vast that some individuals, including those completely unaffected by the breach, are considering closing their accounts with Facebook entirely. With a user base well over 2 billion, it’s certainly not a leap in judgement to assume that the loss of even a fraction of a percent of those users could hurt the organization and its stakeholders.
The question all organizations should be asking themselves, after having learned of such an event, is “If a household name like Facebook, with virtually unlimited resources, is vulnerable, just how secure is ours?”