On Friday, Facebook's VP of Product Management, Guy Rosen, revealed the impact of last month's inevitable security breach as their stock continues to slide. Over 30 million users have been impacted by the hack, with over 14 million people at risk of continued serious privacy invasions, and Facebook has no plans to provide any protections to the users affected by lax security and over-collection of personal data. But there is far more to the story than what is being reported on by mainstream media, most notably the misleading statements issued by Facebook to mitigate the damage, the resulting risk of security breaches on other services, the extent of the information exposed, and Facebook's incompetence at mitigating the damage to only 400,000 users when they had the opportunity.
"These companies have a staggering amount of information about Americans. Breaches don't just violate our privacy, they create enormous risks for our economy and national security," Federal Trade Commission Commissioner Rohit Chopra told USA TODAY after Facebook disclosed the data breach last month. "The cost of inaction is growing, and we need answers."
It all began in July 2017, when Facebook added a feature that allowed users to upload “Happy Birthday” videos. This addition inadvertently introduced three security holes in the “View As” function, a feature that lets a person view their own profile page from the viewpoint of another user. By exploiting the security holes, an attacker could select which person they were “viewing as” and then escalate their level of access. By leveraging the escalated privileges the hackers were able to steal the “secure” access token, which serve to let a user remain logged into Facebook, of the account they were targeting.
Once the hackers determined that the hack was reliable, they were able to begin setting up a network of seed accounts under their command. These seed accounts were then used to exploit the vulnerability and steal the security access tokens for the accounts of anyone on their friends list and subsequently steal the tokens of friends of friends, creating a chain reaction predicated on the “7 degrees of separation” principle. Emboldened by their success, on September 14th the hackers deployed automated scripts and spread the chain of jeopardized accounts until they had taken control of some 400,000 Facebook accounts. This level of access allowed the attackers to load an administration view of the personal data on the compromised accounts. The data exfiltrated covered all the minutiae such as contact information, where they worked, where they lived, etc, but also more sensitive details like Messenger contacts, friends lists, groups, and posts on their timelines even if the user security settings were configured to hide such information.
"The 400,00 accounts are the ones where [the attackers'] script loaded the ‘View As’ view, so that actually loads the Facebook profile for that person, and as part of that, when that web page loads and renders in their script it would have included ... things like their posts on their timeline, list of friends or groups they’re members of..." - Guy Rosen
On September 14, Facebook engineers noticed the anomalous spike of activity centered around the afflicted “View As” feature and notified senior management that something was amiss. Facebook failed to follow through and investigate it with the vigor that such a breach commands, instead electing to attribute the unusual spike of "View As" to increased awareness and usage by legitimate users. This delayed security response gave the hackers time to improve their attack vectors and scope of access, allowing them to pilfer increasingly sensitive data unchallenged until September 25 when Facebook finally determined that they were under attack, identified the exploit, and disabled the “view as” function. Due to the sheer incompetence of Facebook's security response, the attackers had purloined information on over 30 million accounts before finally being thwarted. In Friday's press call, Facebook refused to elaborate on why they failed to take action stating instead:
“There was a spike in activity, these things do happen, there is always variation in how Facebook is used over the course of any given day”
Damage control in full swing, Facebook revoked the security tokens of 90 million users whose accounts were potentially violated and issued a press statement that downplayed the extent of private data stolen, a sentiment they echoed in Friday's press release. Nothing could be further from the truth, especially for around 14 million of the affected users who will continue to suffer from the reverberations for years to come. Of the 30 million people who were compromised, around 15 million were “lucky” that only basic information was exposed such as their names, email addresses, phone numbers, and various connections in the Facebook ecosphere such as Messenger contacts and friends lists. The other 14 million victims were not so lucky, as in addition to the basic info the hackers were also able to retrieve usernames, photographs, private messages, birth dates, religious preferences, gender, device & browser details, tagged locations, liked Pages, language settings, hometown, current city, work places, education, linked websites... even the last 10 location check-in details and search histories for the last 15 things a user looked up.
The severity of these revelations should not be understated nor underestimated. Despite the unprecedented leak, Facebook is refusing to own up to the grievous breach of public trust and will not be providing ID theft protection or employing similar countermeasures to assist affected users. It is generally expected that they should be held responsible for such expense, just as other companies in similar positions provided for their customers. In 2013, Target went beyond just credit monitoring and offered full identity theft protection. Playstation and Equifax also owned up to their transgressions and provided similar services. It would appear that Facebook's contention is that no financial data was exposed, so they aren't on the hook. To the contrary, the information exposed is extensive enough that it may very well have financial ramifications for the victims. As Joseph Lorenzo Hall, chief technologist at the Center for Democracy and Technology put it:
“The stolen data could be highly valuable for hackers. What I'm worried about is about being able to break into other accounts. If you look at the list of data, it's not financial data. But there is stuff in there that's useful for 'knowledge-based authentication', which is definitely important for setting up [financial] accounts."
So far, the only damage mitigation offered is a statement that the FBI is investigating, and that afflicted users will be notified if their personal information was released. Facebook announced that they will insert a customized message into the News Feeds of individuals, when the full scope is determined, in a few days. One analyst told the BBC the decision was "unconscionable", and Brian Acton, co-founder of WhatsApp (which is owned by Facebook), has called for people to delete their Facebook accounts. Facebook's statements on Friday contain several misleading statements, as they attempt to whitewash the impact people will have to deal with on their own.
"The truth is that, as a result of this news, millions of phishing attacks will now be launched, pretending to be from Facebook. Up to 20 percent of recipients will click, and a large number of those will be successfully attacked, many of them using work computers and mobile devices. Businesses and governments will lose money, ransomware attacks will result from this leak, and the attack will reverberate over many months." - Colin Bastable, cybersecurity expert and CEO of Lucy Security
Of course, Facebook has a fiduciary duty to downplay the impact so as to protect their investors from the fallout. While issuing vague statements and dismissing the severity is one thing, telling a lie is whole different ballgame. Facebook has repeatedly told journalists and the public that the damage is so far contained and that it is not “in the wild” or being sold / traded on the Internet or the Dark Web. This is not something Facebook can claim, as reported on by Crypto Globe. The accounts were openly being sold on the dark web marketplace Dream Market, available for anyone with modicum of tech skills to purchase with Bitcoin (BTC & BTH) or Monero (XMR). According to one analyst, the accounts and sensitive user data is worth between $150 million and $600 million on the black market.
"Hackers have some sort of a goal,” said Oren J. Falkowitz, CEO of the cybersecurity company Area 1 Security and former National Security Agency official. “It’s not that their motivation is to attack Facebook, but to use Facebook as a lily pad to conduct other attacks. An attacker may use that information to conduct sophisticated “phishing attacks,” a method used to get into financial accounts, health records or other important personal databases. Once you’ve become a target, it never ends.”
We can expect to see a myriad of subsequent security breaches in the coming months as the data filters down to less than savory characters through the shadowy realm of underground hackers. It is highly likely that the information, if not the already compromised accounts, will be utilized to bypass security and authentication measures for many third party apps and services as the shockwave ripples. Facebook at least deployed a tool that developers can use to check the security of their applications by screening for any compromised accounts, which they announced in a press call on Friday without drawing attention to the likelihood that such attacks are inevitable.
The woes for Facebook continue, as a result of Europe's General Data Protection Regulation (GDPR) which went into effect in May. Under the terms of the regulation, Facebook could be fined up to $1.63bn (£1.25bn), or around 4% of their annual global revenue. Facebook's European headquarters is located in Ireland, and the Irish Data Protection Commission announced on Twitter that an investigation has been initiated:
Facebook breach: today’s update from Facebook is significant now that it is confirmed that the data of millions of users was taken by the perpetrators of the attack. @DPCIreland’s investigation into the breach and Facebook’s compliance with its obligations under #GDPR continues
All of this comes on the heels of Thursday's massive purge of more than 800 pages and accounts unrelated to the hack, a move that was widely denounced across social media as Orwellian censorship of alternative media on both sides of the political spectrum. It is further ironic that such a massive data breach would coincide with Facebook's planned launch of Portal, an in-home video phone with an “always on” microphone and face tracking camera.
At this point, folks around the world are calling for Zuckerberg to step down from his position as CEO of Facebook given his clear lack of respect for privacy and data security. Last month, the co-founder of Instagram resigned from Facebook right before the security breach was announced; in April, WhatsApp co-founder Jan Koum also resigned from Facebook citing serious concerns about Facebook's approach to user data, advertising, and encryption. If you are concerned that you were a victim of this new incident, you can check here to see if your account was compromised (scroll to the bottom of the page).
If you are concerned about being a future victim, you should be. This isn't the first time Facebook has been hacked and private information was exposed, and it is doubtful that it will be the last. The only true measure you can take to protect yourself is to join the others who have had enough, and delete your account. Perhaps seek a new social network that respects your privacy, like Unfollo. We are not a blog, we are a privacy centric social startup that seeks to replace both Facebook & Twitter in a single platform. We have a full team of dedicated and passionate developers who work tirelessly every day to polish and improve the site, introduce new features, and above all else ensure that your data is kept safe.
Unfollo is growing at an astonishing rate with hundreds of new signups every day, but hundreds is not enough to put a dent in the Silicon Valley titans who fail to respect your privacy. In order to be competitive and gain ground, we are currently offering 10 cents per referral. Sign up, and select “Invite Friends” from the main drop menu for your referral link. Feel free to connect with us and give feedback, you would be surprised at how quickly we fix things (hours, not months). We can't leak or sell your data, because we don't collect it in the first place!