Facebook on Friday confirmed that an attack on its computer network had exposed the personal information of nearly 50 million users.
The breach had security companies in the channel buzzing about potential ramifications and what users, both individuals and businesses, could do to protect themselves.
Facebook said it discovered the breach Tuesday. The attackers exploited a vulnerability in Facebook’s code that affected a feature that lets people see what their own profile looks like to someone else. This allowed them to steal Facebook access tokens, which they could then use to take over people’s accounts.
Access tokens are the equivalent of digital keys that keep people logged in to Facebook so they don’t need to re-enter their password every time they use the app, said Guy Rosen, Facebook’s vice president of product management.
The vulnerability has been fixed and law enforcement has been contacted, he said.
“In something as big and complicated as Facebook, there are bound to be bugs,” said Chet Wisniewski, Sophos’ principal research scientist. “The theft of these authorization tokens is certainly a problem, but not nearly as big of a risk to users’ privacy as other data breaches we have heard about or even Cambridge Analytica for that matter. As with any social media platform, users should assume their information may be made public, through hacking or simply through accidental oversharing.”
Sensitive information should never be shared through these platforms, he said. For now, logging out and back in is all that is necessary.
“The truly concerned should use this as a reminder and an opportunity to review all of their security and privacy settings on Facebook and all other social media platforms they share personal information with,” Wisniewski said.
Tyler Moffitt, senior threat research analyst at Webroot, said unfortunately there is “very little the 50 million, potentially 90 million, affected Facebook users can actually do here.”
“The attack leveraged an exploit that holds Facebook and its code 100 percent accountable,” he said. “Users right now wondering what to do can always reset their password, which should reset their tokens, but it’s up to Facebook to make sure that attackers can’t steal access tokens again in the future. We always recommend that users follow other basic cybersecurity best practices as well, such as disconnecting any unnecessary apps or games in social media platforms, making sure two-factor authentication is enabled and never giving out personal or financial information in your profile or private messenger conversations.”
Adam Levin, CyberScout’s founder, said the number of people affected by this breach is roughly equal to the entire population of the West Coast.
“The takeaway is simple: any changes made to networks, software and other systems must be immediately and continually tested and monitored for vulnerabilities that may have been caused in the process,” he said. “The traditional ‘patch and pray’ approach to cybersecurity is obsolete. An effective vulnerability management program is crucial.”