Blog
10.03.2018

Facebook breach could have impacted third-party apps; Is huge GDPR fine on the horizon?

Personal information and possibly third-party applications compromised

Facebook can't seem to get off the hot seat. Now they’re facing another, possibly even bigger and worse data breach affecting 50 million, possibly even 90 million or more people. What makes it worse is other accounts users are connected to – Instragram, Spotify, and more – are likely also impacted by the breach.

Bugs in the “View As” feature responsible for theft of access codes

The breach was discovered last week after staff noticed a spike in traffic on September 16. The breach was made possible thanks to a series of bugs in Facebook code around its “View As” feature and video uploader implemented last year. The code bugs make it possible for hackers to get a hold of user access tokens, thereby making it possible to gain full access to the users accounts as well as other application account profiles.

Privacy violation fines could be significant

With privacy regulations now or soon to be in place, like the European GDPR and California’s Consumer Privacy Act, companies responsible for data breaches like these may face large fines. Security experts are still assessing the scope of this breach but estimates are already coming in at more than $1.6 billion for a GDPR violation. The Wall Street Journal reached this figure by calculating 4% of Facebook’s global annual revenue from last year – the maximum fine. A flat fine of €20 million is also possible. Already, it’s reported that Ireland’s Data Protection Commission is demanding more information from Facebook, including which EU residents could have been affected. If Facebook didn’t take proper actions to protect its data, it could face punitive measures for that as well.

Facebook has not been overly specific on what data was or wasn’t compromised. But it’s likely the damage is broad, not narrow.

Facebook not giving security high enough priority in its features

Satya Gupta, chief technology officer and co-founder of Virsec told SC Magazine, Security Week and Information Security Buzz that,“While the “View As” feature sounds like a useful way to see what your profile looks like to your ex-girlfriend, it was clearly built without thinking through security. Instead of just seeing through someone else’s eyes, Facebook essentially lets you borrow their identity.

“Armed with someone else’s access token you can get to lots of private and highly privileged information. In addition, millions of people use their Facebook ID (authenticated through their access tokens) to connect to other services where they might be storing files, making purchases, or doing other things that they thought were private. Facebook claims to not know what these 50 million access tokens are being used for, but you can bet that the thieves have found them to be very valuable.

“These problems could easily have been avoided and services that prioritize security, like banks, hospitals and even airlines rarely make these basic mistakes. It’s a bad idea to let users stay logged on indefinitely while there is no activity. Many people will open a Facebook browser tab and not close it for hours or days while doing other things. If you’re logged into your banking site and are inactive for more than a few minutes, you are automatically logged off and need to re-authenticate. This is a small burden for users and a no-brainer for security. There are also solutions that provide continuous authentication requiring users to confirm their identity if there is any unusual behavior.”

Read full Facebook breach impacting third-party apps – is huge GDPR fine on the horizon? article

Read full Industry Reactions to Facebook Hack article

Read full Industry Leaders’ Reaction to Recent Facebook Hack article