Security Breach Compromises 50 Million Facebook Accounts

In the wake of concerns that the social media giant collects too much personal data, Facebook, Inc. discovered a security breach on September 25, 2018 that affected almost 50 million accounts. Recent privacy regulations, including those recently enacted in the European Union, may have forced Facebook into promptly reporting the breach just three days after it was discovered. Based on the breaking-news reports, the FBI is working with Facebook to investigate the breach, determine its extent, establish what information was accessed and whether any accounts were misused, and identify the attackers.

In its statements to the press, Facebook has come to the initial conclusion that hackers exploited a vulnerability that impacted a feature known as “view as,” which allows users to see what their own profile looks like to another user. The attackers stole digital keys called “access tokens” that kept users logged into their Facebook accounts without having to re-enter their password with every use. Facebook reports it has fixed the vulnerability as of September 27th, and the “view as” feature has been temporarily disabled. The early count is that 50 million accounts have had their access tokens reset, and an additional 40 million accounts had their tokens reset out of caution. The initial impact on those 90 million users is minimal: they will have to re-enter their password the next time they log in.
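The token reset described above works because a server can refuse tokens it issued before the reset, forcing a fresh login without touching the user's password. The following is an added illustration of that mechanism, not Facebook's code: it assumes a bearer token of the form `account:generation:signature`, an HMAC signing key held only by the server, and a per-account generation counter that a reset increments.

```python
import hashlib
import hmac
import secrets
from collections import defaultdict

# Constructed server-side signing key; a real deployment loads it from a secret store.
SERVER_KEY = secrets.token_bytes(32)


class AccessTokenService:
    """Issues and validates bearer access tokens for accounts.

    Each account has a 'generation' counter embedded in its tokens.
    Resetting an account bumps the counter, so every token issued
    before the reset fails validation and the user must log in again.
    Account ids are assumed to contain no ':' characters.
    """

    def __init__(self, key: bytes = SERVER_KEY):
        self._key = key
        self._generation = defaultdict(int)  # account_id -> current generation

    def _sign(self, account_id: str, generation: int) -> str:
        msg = f"{account_id}:{generation}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()

    def issue(self, account_id: str) -> str:
        gen = self._generation[account_id]
        return f"{account_id}:{gen}:{self._sign(account_id, gen)}"

    def validate(self, token: str):
        """Return the account id for a valid token, or None."""
        parts = token.split(":")
        if len(parts) != 3 or not parts[1].isdigit():
            return None
        account_id, gen_str, sig = parts
        gen = int(gen_str)
        if not hmac.compare_digest(sig, self._sign(account_id, gen)):
            return None  # forged or tampered token
        if gen != self._generation.get(account_id, 0):
            return None  # issued before the account's last reset
        return account_id

    def reset(self, account_ids) -> int:
        """Invalidate every outstanding token for the given accounts."""
        for acct in account_ids:
            self._generation[acct] += 1
        return len(account_ids)
```

A reset of this kind invalidates stolen tokens immediately, whereas a password change alone would not if the tokens were not tied to the password.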

Although Facebook has initially confirmed that affected users do not need to change their security settings, the breach will undoubtedly spur continued investigation into whether, and to what extent, user data has been compromised. Mark Zuckerberg has acknowledged that Facebook needs to do more to stop breaches, and this breach underscores the need for companies, large and small, to be wary and address the increasingly complex cyber attack vectors that could impact their business. And, while Facebook’s disclosure of the breach appears to have been prompt, regulators will likely examine the timing of the disclosure in any event.
