The most recent Facebook hack just got a whole lot worse
- Author: Zachary Reyes, Oct 14, 2018, 20:31
It wasn't patched until last month, after the company's engineers noticed some unusual activity that turned out to be the attack. Facebook revealed it was working with the Federal Bureau of Investigation on the issue and that people could check whether they were affected by visiting the Help Center. The attackers were able to take over accounts by exploiting three distinct bugs in Facebook's code.
The exact number hadn't been known before.
In its message to affected users, Facebook wrote, "We have more information about the security incident we discovered on September 25, 2018".
Facebook isn't giving a breakdown of where the users are located, but said the breach was "fairly broad". "Message content was not available to the attackers", unless you are the admin of a page that had its access token stolen. Two days later, Facebook had plugged the hole and reset users' tokens, preventing attackers from accessing any further information. Colin Bastable, CEO of Lucy Security, which focuses on cybersecurity prevention and awareness, painted an especially grim scenario.
The attackers had access to a limited number of accounts to begin with, and it's not clear whether these were bogus accounts, but they were connected to other "friends" on the site.
Typically, companies affected by large data breaches - such as Target, in 2013 - provide access to credit protection agencies and other methods to lower the risk of identity theft.
"Of the 50 million people whose access tokens we believed were affected, about 30 million actually had their tokens stolen", he said. To check whether you were affected, you need to be logged into Facebook.
Facebook's head of product Guy Rosen refused to speculate on who was behind the hack during a press conference call on Friday morning, but revealed that the company had traced the attack back to a group of "seed" accounts, suggesting that the perpetrator may be traceable.
The social network said in late September that hackers stole digital login codes allowing them to take over almost 50 million user accounts in its worst security breach ever, but did not confirm if information had actually been stolen. Both incidents could further fuel a congressional push for a national privacy law to protect U.S. users of tech company services.
Japan's Personal Information Protection Commission (JPPC) has launched an investigation into the social media company, the Nikkei newspaper reported on Friday.
Facebook data breach: Here is how to find out if your data was stolen and what to do.
Rosen revealed that while the attackers' intent has not been determined, they did not appear to be motivated by the upcoming United States mid-term Congressional election on November 6.
Those flaws were compounded by a bug in Facebook's video-uploading program for birthday celebrations, a software feature that was introduced in July 2017. It was built to give users more control over their privacy. Using some of these accounts, they managed to steal access tokens for an additional 30 million before they were stopped.
Tokens are digital keys that keep you logged in to Facebook so you don't have to re-enter your password every time you open the app. The attackers then used the same vulnerability over and over again until they had gathered tokens for around 400,000 accounts, which Rosen referred to as "seed accounts".
"The bottom line is that all this data is still out there", said Corey Milligan, a senior researcher with cyber-security firm Armor.
Facebook is already sending customised messages to the 30 million affected users to explain what has happened.