MANILA, Philippines — Some 50 million users of the social media network Facebook have been affected by a security breach involving a vulnerability in one of the features of its mobile application.
Facebook founder and chief executive officer Mark Zuckerberg said the company is investigating the incident, which involved the theft of access tokens, the digital keys that keep users logged in and that allow attackers holding them to take over or access accounts.
“The investigation is still very early. We do not yet know if any of the accounts are actually misused. So far, our initial investigation has not shown that these tokens were used to access any private messages or posts or to post anything to these accounts,” Zuckerberg said in a press call on Friday evening (Manila time).
“We’re in touch with law enforcement to help identify the attackers. While we don’t yet know who’s behind the attack, we’re working to understand more details about what happened and who is responsible,” he added.
The hack is the latest setback for Facebook during a tumultuous year of security problems and privacy issues. So far, though, none of these issues have significantly shaken the confidence of the company’s two billion global users.
The National Privacy Commission (NPC) said it has received an informal notice from Facebook representatives in the Philippines regarding the incident.
“According to the company’s representatives, the investigation is still in its early stages. They have not determined yet how many Filipinos are affected and whether misuse of personal information had resulted from this breach,” privacy commissioner Raymund Liboro said.
“The NPC has prescribed breach management procedures in place and we expect Facebook to abide by these rules,” he added.
Prior to Facebook’s announcement, a number of Filipino users had already reported being logged out of their accounts.
Facebook vice president for product management Guy Rosen said the company has yet to determine whether there was specific targeting.
“It does seem broad and we don’t yet know who is behind these attacks or where they might be based,” he added.
Logged out
Following the discovery of the breach, Facebook said it has reset the access tokens of the 50 million affected users, resulting in them having to log back in on their accounts.
As a precautionary measure, the company said it has reset the access tokens of another 40 million users who used the “View As” look-up, a privacy feature that lets people see what their own profile looks like to someone else.
Rosen said a recent update in their video uploading feature impacted the “View As” feature, allowing attackers to steal the access tokens.
The attackers then moved from one user’s Facebook friends to the next. Possession of those tokens would allow them to control the corresponding accounts.
One of the bugs was more than a year old and affected how the “View As” feature interacted with Facebook’s video uploading feature for posting “happy birthday” messages, Rosen said.
It wasn’t until mid-September that Facebook noticed an uptick in unusual activity, and not until this week that it learned of the attack, Rosen said.
“We haven’t yet been able to determine if there was specific targeting” of particular accounts, Rosen said in a call with reporters. “It does seem broad. And we don’t yet know who was behind these attacks and where they might be based.”
He said the company had already fixed the vulnerability but still decided to reset the access tokens as a precautionary measure.
“People’s privacy and security is incredibly important, and we’re sorry this happened. It’s why we’ve taken immediate action to secure these accounts and let users know what happened,” Rosen said.
“There’s no need for anyone to change their passwords. But people who are having trouble logging back into Facebook – for example because they’ve forgotten their password – should visit our Help Center,” he added.
Neither passwords nor credit card data was stolen, according to Rosen.
He said the company has alerted the US Federal Bureau of Investigation and regulators in the United States and Europe.
Jake Williams, a security expert at Rendition Infosec, said he is concerned that the hack could have affected third party applications.
Williams noted that the company’s “Facebook Login” feature lets users log into other apps and websites with their Facebook credentials.
“These access tokens that were stolen show when a user is logged into Facebook and that may be enough to access a user’s account on a third party site,” he said.
Facebook confirmed late Friday that third party apps, as well as its own Instagram app, could have been affected.
“The vulnerability was on Facebook, but these access tokens enabled someone to use the account as if they were the account-holder themselves,” Rosen said.
Intelligence hoard
News broke early this year that a data analytics firm once employed by US President Donald Trump’s campaign, Cambridge Analytica, had improperly gained access to personal data from millions of user profiles.
Then a congressional investigation found that agents from Russia and other countries had been posting fake political ads since at least 2016.
In April, Zuckerberg appeared at a congressional hearing focused on Facebook’s privacy practices.
The Facebook bug is reminiscent of a much larger attack on Yahoo in which attackers compromised three billion accounts – enough for half of the world’s entire population.
In the case of Yahoo, information stolen included names, email addresses, phone numbers, birthdates and security questions and answers. It was among a series of Yahoo hacks over several years.
US prosecutors later blamed Russian agents for using the information they stole from Yahoo to spy on Russian journalists, US and Russian government officials and employees of financial services and other private businesses.
In Facebook’s case, it may be too early to know how sophisticated the attackers were and if they were connected to a nation state, said Thomas Rid, a professor at the Johns Hopkins University.
Rid said it could also be spammers or criminals.
“Nothing we’ve seen here is so sophisticated that it requires a state actor,” Rid said.
“Fifty million random Facebook accounts are not interesting for any intelligence agency.”
Ed Mierzwinski, the senior director of consumer advocacy group US PIRG, said the breach was “very troubling.”
“It’s yet another warning that Congress must not enact any national data security or data breach legislation that weakens current state privacy laws, pre-empts the rights of states to pass new laws that protect their consumers better, or denies their attorneys general rights to investigate violations of or enforce those laws,” he said.
Wedbush analyst Michael Pachter said “the most important point is that we found out from them,” meaning Facebook, as opposed to a third party.
“As a user, I want Facebook to proactively protect my data and let me know when it’s compromised,” he said. – With Louella Desiderio, AP