Facebook hacked, 50 million+ accounts compromised

Facebook shares its userbase statistics at the F8 conference. The company also owns WhatsApp, Instagram, and other popular apps. (credit: Courtesy of Maurizio Pesce via Wikimedia Commons)

The worst hack in Facebook’s history began on Sunday, Sept. 16. Security engineers detected unusual activity within the company’s systems, but it took days before they had a full explanation. Attackers exploited a vulnerability to gain full access to the accounts of over 50 million users, including connected applications such as Instagram and WhatsApp. Facebook discovered the extent of the breach on Sept. 25 and released an official security update three days later.

It remains unclear who the hackers were or what exactly they obtained from Facebook, but the ramifications could be catastrophic. With over 2.2 billion users, Facebook is one of the largest data stewards in history, with vast stores of personal information such as birthdays, credit card numbers, and geolocation history.

More than 90 million users were automatically logged out of their accounts on all devices following the attack as a safety precaution, and while Facebook says it’s unnecessary to change your email or password, the company is being cryptic about how it will deal with stolen data.

“We’re taking it very seriously,” said Facebook CEO Mark Zuckerberg in a conference call with the media. “I’m glad we found this, but it definitely is an issue that this happened in the first place.”

According to the official security update, the vulnerability was in the “View As” feature, which allows users to temporarily view their profile from the perspective of another user. The interface contained a composer box which incorrectly allowed uploading a video while in “View As.” During the upload, the video uploader could generate an authentication token not for the user performing the upload, but for the user profile being viewed.

Essentially, anyone with a little technical expertise could turn on “View As” to navigate a user profile, try to upload a video and be granted full access to another user’s account. That includes Facebook’s companion services such as Instagram and WhatsApp, as well as linked third-party accounts such as Tinder, Airbnb, and Spotify. This vulnerability has likely been present since Facebook introduced the video uploader in July 2017.
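To make the flaw concrete, here is an added toy model of the bug described above (hypothetical code written for this article, not Facebook’s own): a preview mode that renders the page as the viewed user, an uploader that wrongly derives its access token from that rendering identity, and the hardened version that issues credentials only for the authenticated session owner. Names such as `Session`, `mint_token` and `issue_upload_token_*` are assumptions.

```python
# Added illustration of a "View As" token-confusion bug. Every name here is
# hypothetical; the token format and SERVER_KEY are constructed for the demo.
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional

SERVER_KEY = b"constructed-demo-key"  # constructed sample value, not a real secret


@dataclass
class Session:
    actor_id: str                      # authenticated user who owns the session
    view_as_id: Optional[str] = None   # profile shown while "View As" is active

    def rendered_profile(self) -> str:
        # The page is rendered from the viewed user's perspective...
        return self.view_as_id or self.actor_id


def mint_token(user_id: str, scope: str) -> str:
    """Signed bearer token whose subject is user_id (constructed format)."""
    body = f"{user_id}:{scope}"
    sig = hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).hexdigest()[:16]
    return f"{body}:{sig}"


def token_subject(token: str) -> str:
    return token.split(":")[0]


def issue_upload_token_vulnerable(session: Session) -> str:
    # Bug: the uploader reuses the rendering identity, so in "View As" the
    # token's subject is the viewed profile rather than the acting user.
    return mint_token(session.rendered_profile(), "upload_video")


class ViewAsNotPermitted(Exception):
    pass


def issue_upload_token_fixed(session: Session) -> str:
    # Fix 1: credentials are always derived from the authenticated actor.
    # Fix 2: a preview-only mode must not mint credentials at all.
    if session.view_as_id is not None:
        raise ViewAsNotPermitted("no token issuance while in View As")
    return mint_token(session.actor_id, "upload_video")


def token_matches_actor(token: str, session: Session) -> bool:
    """Server-side invariant: a minted token's subject must be the session owner."""
    return hmac.compare_digest(token_subject(token), session.actor_id)
```

The `token_matches_actor` check is the kind of invariant a token-issuing service can assert (and log violations of) so that a mismatch between session owner and token subject surfaces as an alert rather than a silent account takeover.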

Facebook said it fixed the problem as soon as it was discovered, but this isn’t the first time protected user information has slipped Facebook’s grasp. More than 40,000 passwords were stolen in an attack earlier this year, and, of course, there was the revelation in March that British firm Cambridge Analytica had access to over 87 million Facebook profiles during the 2016 United States presidential election.

Senator Mark Warner (D-Virginia), a vocal critic of Facebook, said that the recent breach “is another sobering indicator that Congress needs to step up and take action to protect the privacy and security of social media users. A full investigation should be swiftly conducted and made public so that we can understand more about what happened.” Commissioner of the Federal Trade Commission Rohit Chopra said in a statement that “breaches don’t just violate our privacy. They create enormous risks for our economy and national security. The cost of inaction is growing, and we need answers.” In addition, although Facebook was required to report the attack to the Irish Data Protection Commission under the European Union’s General Data Protection Regulation, the commission voiced strong concerns at the vagueness and timing of the company’s report.

Regardless of the consequences Facebook will face in the coming weeks, this attack exhibits how volatile cybersecurity can be. April Doss, chair of cybersecurity at law firm Saul Ewing, said, “This has really shown us that because today’s digital environment is so complex, a compromise on a single platform — especially one as popular and widespread as Facebook — can have consequences that are much more far-reaching than what we can tell in early days of the investigation.”