Skip to main content

Social media giant reveals culprit of data breach

10/15/2018
Facebook is coming clean about why it was targeted in a cyber-attack chain last month.

According to the social media company, a complex interaction of three distinct software bugs impacted Facebook’s “View As” feature, an option that lets people see what their own profile looks like to someone else. The vulnerability allowed attackers to steal Facebook access tokens that could be used to take over people’s accounts. (Access tokens are the equivalent of digital keys that keep people logged in to Facebook so they don’t need to re-enter their password every time they log on.)

The company was alerted to a potential problem after noticing “an unusual spike of activity” that began on Sept. 14. On Sept. 25, Facebook confirmed it was a cyber-attack, and identified the vulnerability.

While Facebook did not reveal who was behind the attack, the company reported that the attackers already controlled a set of accounts, which were connected to Facebook friends. An automated technique was used to steal the access tokens of those friends, and filtered through their friends, and so on — an issue that encompassed about 400,000 people. This technique automatically loaded those accounts’ Facebook profiles, mirroring what these 400,000 people would have seen when looking at their own profiles, according to Facebook.

“Within two days, we closed the vulnerability, stopped the attack, and secured people’s accounts by resetting the access tokens for people who were potentially exposed,” Guy Rosen, VP of product management said in a blog on Facebook’s website.  “As a precaution, we also turned off ‘View As.’”

Facebook also determined that fewer people were impacted than originally reported. About 30 million members actually had their tokens stolen, not 50 million, Rosen revealed.

The attack also did not include Messenger, Messenger Kids, Instagram, WhatsApp, Oculus, Workplace, Pages, payments, third-party apps, or advertising or developer accounts.

“As we look for other ways the people behind this attack used Facebook, as well as the possibility of smaller-scale attacks, we’ll continue to cooperate with the FBI, the US Federal Trade Commission, Irish Data Protection Commission, and other authorities,” Rosen added.

This is not Facebook’s first data breach. In March, data from 87 million Facebook users was pilfered, without authority, by political data firm Cambridge Analytica.
X
This ad will auto-close in 10 seconds