Facebook’s access token breach impacted 30 million user accounts
15 October 2018
Earlier this month, Facebook announced that by exploiting a complex interaction of three distinct software bugs, unidentified hackers gained access to access tokens of up to 50 million user accounts, less than 10 percent of whom were EU users.
Using the stolen access tokens, the hackers could access Facebook accounts of the affected users and could also access services that Facebook users logged in to using Facebook’s Single Sign-on facility. To minimise the damage hackers could cause, Facebook reset access tokens of up to 90 million users immediately and addressed the vulnerabilities.
Having completed an in-depth assessment of the breach, Guy Rosen, VP of Product Management at Facebook, announced on Friday that the theft of access tokens earlier this month had impacted up to 30 million people, rather than the 50 million the company had initially estimated.
Up to 30 million Facebook accounts affected
Mr. Rosen wrote in a blog post that the hackers used an automated technique to move from account to account, stealing the access tokens of users who were friends of a set of accounts they already controlled. Using this technique, they stole access tokens of about 400,000 people and gained access to profile information that included posts on their timelines, their lists of friends, Groups they are members of, and the names of recent Messenger conversations.
In the second stage of their attack, the hackers then targeted people who were in the friends’ lists of the compromised 400,000 accounts, thereby gaining access to profile information of millions of accounts.
“The attackers used a portion of these 400,000 people’s lists of friends to steal access tokens for about 30 million people. For 15 million people, attackers accessed two sets of information – name and contact details (phone number, email, or both, depending on what people had on their profiles).
“For 14 million people, the attackers accessed the same two sets of information, as well as other details people had on their profiles. This included username, gender, locale/language, relationship status, religion, hometown, self-reported current city, birthdate, device types used to access Facebook, education, work, the last 10 places they checked into or were tagged in, website, people or Pages they follow, and the 15 most recent searches. For 1 million people, the attackers did not access any information,” he added.
Facebook will cooperate with data privacy watchdogs
Facebook has promised to cooperate with the FBI, the US Federal Trade Commission, the Irish Data Protection Commission, and other authorities in investigating the breach, determining the number of people affected, and taking corrective measures to prevent similar breaches in future.
Facebook also clarified that only profile information of affected users was compromised and that services such as Messenger, Messenger Kids, Instagram, WhatsApp, Oculus, Workplace, Pages, payments, third-party apps, and advertising or developer accounts were not affected.
According to The Wall Street Journal, if the European Union privacy watchdog determines that Facebook did not do enough to ensure the privacy and digital security of millions of users in the EU region, Facebook could face a fine of up to $1.63 billion (£1.26 billion) under the new GDPR regulations.
Non-compliance with GDPR rules, or a violation of the 72-hour breach notification window, can attract a maximum fine of either 20 million euros or 4% of a firm’s global annual turnover, whichever is higher. Considering Facebook’s global presence and its dominance in the social media world, the fine imposed on it could easily exceed a billion euros.