On Friday, September 28th, Facebook announced that it had identified a security flaw in approximately 50 million accounts that allowed attackers to exploit sensitive user data. The data breach is likely to have impacted not only Facebook users, but also a vast network of third-party applications and services. Facebook’s practices to enhance the user experience by streamlining log in processes and integrating third-party partners into its platform bring increased complexity to the risk management process. As consumers sacrifice data security for interconnection, vulnerabilities such as the ones discovered in the September 28th data breach hold the potential to disrupt systems on a global scale.
It was reported that hackers targeted Facebook’s “view as” feature, code that lets individuals view their profile as it was displayed to other users. Malicious actors tricked the system into generating what is known as an “access token,” an object that includes the identity and privileges of a user account associated with a specific process or thread. Systems use access tokens to establish permissions while bypassing normal log in requirements. After harvesting these tokens, hackers were able to not only extract sensitive information but also control Facebook profile settings. Officials indicated that Facebook fixed the flaw and had reset over 90 million digital keys.
The attack comes during the social media giant’s campaign to restore its reputation after the Cambridge Analytica data scandal. In that case, data from approximately 87 million users was reported to have been improperly shared with the political consulting firm. The Cambridge Analytica setback exemplified data misuse as the firm harvested personal data by creating an application within Facebook’s system. However, the “access token” flaw resembles a security breach as attackers exploited an unresolved vulnerability within a feature. The ability to not only extract information but also manipulate profiles, indicate a far more damaging attack.
Facebook CEO Mark Zuckerberg stated that the company is working alongside the FBI to investigate the breach. However, the origins remain unknown. The Ireland Data Protection Commission is also preparing to launch an investigation, demanding more information on the nature and scale of the attack. Experts predict that the regulatory body could potentially fine Facebook $1.63 billion. The event marks the first time the newly revamped European Union General Data Protection Regulation law will be implemented to determine regulatory penalties.
The incident portrays the increased data risk posed by Single-sign-on (SSO) functions designed to streamline log in processes. Facebook’s business model and its use of SSO has directly expanded the threat environment. Once gaining access, attackers can now move freely not only within the breached enterprise’s network but across third-party applications and systems. As major companies across all industries continue to implement measures to enhance the user experience, the risk to data security becomes more universal in nature. For risk management purposes, users will benefit from greater discretion when posting sensitive information even in seemingly secure environments like private groups. The Facebook data breach is evidence that in an increasingly globally interconnected system, the consequences of a data breach are unlikely to remain isolated.
David Sanchez Bornstein is an Open Source Analyst Intern at Prevalent Inc. He is a second year graduate student at the Elliott School of International Affairs focusing on security studies and technology policy.
Prevalent helps companies manage third party risk. It is the industry’s only unified platform that integrates a powerful combination of automated risk-tiered assessments, continuous monitoring, and evidence sharing for collaboration between companies and their vendors. Prevalent’s actionable intelligence provides the most comprehensive view of vendor risk, creating maximum efficiency for all Third Party Risk Management programs.
To learn more about the Prevalent platform, visit our webpage.
Focus on preparation, communication, and lessons learned to be better prepared for the next vendor breach...