On Friday, Facebook announced that it had discovered evidence of a security breach affecting almost 50 million accounts.
The company’s investigation is in its early stages, so there are still many unknowns about the cyberattack. Here’s a rundown of what we know so far based on the details that Facebook has released to the public.
How did it happen?
Hackers were able to manipulate the code associated with the platform’s “View As” feature, which lets users see what their profiles look like from the point of view of a different account. Vulnerabilities in this code allowed hackers to exploit three different bugs and steal access tokens, digital keys that let people use Facebook without having to enter their login credentials every time, from 50 million accounts.
Developers introduced these vulnerabilities in July 2017 when they updated a tool that allows users to upload happy birthday videos. The uploading tool had been inadvertently generating access tokens when it showed up on a user’s “View As” page, which the hackers then exploited to breach accounts. Facebook’s security team began noticing an unusual spike in user access to the website this past December, and then they finally found the hack last Tuesday.
What did the hackers have access to?
The hackers were essentially able to log in and take over users’ accounts. Facebook claims there is no evidence thus far indicating that the hackers read private messages, posted anything to account pages, or stole credit card numbers. However, they did attempt to access personal information, which could have included details like name, gender, and hometown.
The hackers may also have been able to manipulate the Facebook Login feature, which allows people to use their Facebook usernames and passwords as login credentials for other apps and websites. This means that the hackers could, theoretically, have breached apps like Instagram, Tinder, and Airbnb using the access tokens they stole. Tinder said Monday that there was “no evidence” accounts had been accessed, but that it would be “very helpful” if Facebook shared more information about the hack.
Who was responsible for the hack?
Facebook has released little info about the attackers. Company officials said on Friday that they had not uncovered many identifying details—for instance, they were unable to determine whether the hackers were working on behalf of a nation-state—and the nature of the attack is such that we may never actually know who was responsible.
Carolyn Everson, Facebook’s vice president of global marketing, suggested on Monday that the hackers were fairly sophisticated since they went undetected for so long and had to have an intimate understanding of three different bugs to execute the attack. She compared them to an “odorless, weightless intruder that walked in.”
What is Facebook doing about it?
Facebook has patched the vulnerabilities in the “View As” and video upload tools. The company also reset the access tokens for the 50 million affected accounts, as well as for 40 million additional accounts as a precautionary measure. Users will also have to delink and relink their Instagram and Oculus accounts to their Facebook accounts. Facebook users do not need to change their passwords, but they may want to log out and back in to be safe.
Facebook has also contacted the FBI, as well as the Irish Data Protection Commission, as is required under the European Union’s General Data Protection Regulation, or GDPR.
Will there be any consequences for Facebook?
Shortly after Facebook announced news of the breach on Friday, a Virginia resident and a California resident filed a class-action complaint alleging that the company’s lack of appropriate security measures had increased the risk of identity theft. New York State Attorney General Barbara Underwood tweeted, “We’re looking into Facebook’s massive data breach. New Yorkers deserve to know that their information will be protected.” The FTC and Virginia Sen. Mark Warner have further suggested that an investigation may be in order. Members of the U.K. Parliament are also renewing their demands for CEO Mark Zuckerberg to testify in front of them.
Yet, according to the Verge, it’s the European Union that’s most likely to bring the hammer down on Facebook. Ireland’s Data Protection Commission, which helps to enforce the GDPR, is demanding more information from the company concerning the breach. If the commission finds that Facebook was negligent in safeguarding user security, it could face a maximum fine of $1.63 billion; the GDPR dictates that companies that violate this rule must pay $23 million or 4 percent of its global revenue for the previous year, whichever is higher.
Until we know more about the attack, though, it’s hard to say whether Facebook runs a high risk of being penalized under the GDPR. If, for example, we eventually discover that Facebook was warned about this particular vulnerability in advance of the breach, that could make the company liable. It’s also unclear whether Facebook would be responsible for breaches of third-party apps that use Facebook Login, or if a significant portion of the affected accounts even belonged to residents of the European Union.