It is being reported that Facebook said an attack on its computer network led to the exposure of information from nearly 50 million of its users. The company discovered the breach earlier this week, finding that attackers had exploited a feature in Facebook’s code that allowed them to take over user accounts. Facebook fixed the vulnerability and notified law enforcement officials.
More than 90 million of Facebook’s users were forced to log out of their accounts Friday morning, a common safety measure for compromised accounts. Facebook said it did not know the origin or identity of the attackers, nor had it fully assessed the scope of the attack. The company is in the beginning stages of its investigation.
Please see below for commentary from cybersecurity experts.
Tim Mackey, senior technical evangelist at Synopsys:
“While it is early in the investigation, the Facebook network breach shows how important an incident response plan is. In this case, the incident response includes information surrounding access tokens. Because this issue impacted “access tokens”, it’s worth highlighting that these are the equivalent of a username and password combination but are used by applications to authenticate against other applications. If you’ve ever used a Facebook login button on a website, now would be an excellent time for Facebook users to review their App Settings to see which applications and games they’ve granted access rights to within Facebook.”
Gary McGraw, Vice President of Security Technology at Synopsys:
“Another day, another software problem that leads to security disaster. Only this time it is Facebook whose software features have apparently been exploited by attackers, impacting around 90 million people.
Getting software security right is difficult, but not impossible. This breach emphasizes just how important software security is, and how subtle solid security engineering can be. When a feature like “View As” can be turned on its head into an exploit, it indicates a design problem that led to unanticipated security vulnerability. Design flaws like this lurk in the mind-boggling complexity of today’s commercial systems, and must be systematically uncovered and corrected when software is being designed and built.”
Sam Curry, Chief Security Officer at Cybereason:
“In the big picture this is just another day and another breach and once again ‘privacy’ is the victim. Whether 50 million, 100 million or 1 billion Facebook users were compromised is immaterial as the real issue with any compromise is that this is another blow to our collective privacy. Today, consumers should be working under the assumption that their private information has been stolen by hackers ten times over. Today, consumers are reminded again to watch their identities and credit for abuse. As an industry, until we can start making cyber crime unprofitable for adversaries, they will continue to hold the cards that will yield potentially massive payouts.”
Paul Bischoff, Privacy Advocate at Comparitech.com:
“There’s very little information to go on as of now, but it should be made clear that this is distinctly different from the Cambridge Analytica leak that made headlines a few months ago. This is a direct attack by hackers that exploited a vulnerability in Facebook’s “view as” feature, which was designed to allow users to see their profile pages as a friend or stranger would. In contrast, the Cambridge Analytica incident resulted from the abuse of data that Facebook willingly provided.
It’s surprising to me that as popular as Facebook is, no white hat hacker ever discovered and reported this flaw in the past, neither an external pen tester nor Facebook’s internal IT security team. I would be interested to know how long this flaw existed before it was discovered and exploited.”
Rachel Aldighieri, MD at DMA:
“This breach appears to have impacted 50m users of the social network site meaning that a vast amount of personal data is now in the hands of criminals. It is therefore imperative that Facebook are forthcoming in contacting all those affected, provide information on what this breach means for them, and offer support to those who are likely to be very concerned by the news.
We would encourage any concerned users of Facebook to contact the website through its official channels and also follow the updates that they are likely to provide over the next few days. It is important to remain vigilant in checking your account and bank statements to ensure there’s nothing unusual. There’s no need to panic or cancel cards, but if you do see any suspicious activity we recommend contacting your bank immediately.
It is encouraging to see that Facebook have reported the attack promptly and have already begun their investigation into how the breach occurred. It isn’t yet clear how many EU citizens’ data has been affected, but should it come to light that these citizens are among those whose data was breached, Facebook would be subject to hefty fines under GDPR. It appears that the breach was the result of a cyber-attack and not due to negligence; if this is the case, then any fines will be proportionate and will take this into account.
However, fines are just one of the risks to organisations like Facebook. We believe the long-term effects on customer trust, share price and public perception could have more lasting damage.
Facebook now has the challenge of re-building the trust of its customer base, a job that might be difficult given the events involving Cambridge Analytica earlier this year. To do this, it’s vital that the organisation focuses its efforts around two of the core principles of the GDPR – accountability and transparency. They need to show that they have done everything possible to ensure such a breach won’t happen again.”
Adam Levin, Founder of CyberScout and author of “Swiped”:
“Facebook has had a hard year, and it just got worse. In a world dominated by trillion-dollar advertising platforms consisting of multi-billion member communities, 50 million users may no longer seem like a big deal, but it is. The number of people affected by this breach is roughly equal to the entire population of the west coast of the United States. Just because you are secure at 9:01 does not mean that will still be the case at 9:02. The latest Facebook breach was caused by an upgrade. The takeaway is simple: Any changes made to networks, software and other systems must be immediately and continually tested and monitored for vulnerabilities that may have been caused in the process. The traditional “patch and pray” approach to cybersecurity is obsolete. An effective vulnerability management program is crucial.”
Mark Weiner, CMO at Balbix:
“Even hyper-scale cloud and Internet providers like Facebook, which serves over one-third of the world’s connected users, are prone to vulnerabilities. In this case, their own software for access tokens had the vulnerability, not a third-party component. This latest breach highlights the critical need to continuously and real-time monitor your entire IT infrastructure — not just packaged or cloud apps, but every IT asset and application that touches the network — to ensure vulnerabilities are proactively managed and prioritized by their business risk.”
Jacob Serpa, Product Marketing Manager at Bitglass:
“There can be zero tolerance for error when a company handles the personally identifiable information (PII) of 2.2 billion active monthly users. This hack highlights the need for proactive security measures that are constantly monitoring for vulnerabilities and threats. In the era of cloud, this means that organizations must secure access to sensitive data and protect information flowing to any device or application – all in real time. The fact that Facebook allowed hackers to exfiltrate the private details of 50 million users is likely to have a detrimental effect on the company’s reputation for quite some time.”
Zohar Alon, Co-founder and CEO at Dome9:
“As Facebook has just discovered, any vulnerability that is not remediated will be quickly exploited. In this case, the data of 50 million users was exposed.
User data is an organization’s most valuable asset and customers trust companies to protect it. Facebook and other organizations must have continuous visibility into their infrastructure so vulnerabilities can be quickly remediated. They must also add more layers of defense to their cybersecurity strategy to prevent login credentials from being compromised in the first place.”
Jeannie Warner, Security Manager at WhiteHat Security:
“What the hackers accessed is interesting to me – information about the accounts having to do with user data rather than financial. This really underscores the new value currency of privacy and personally identifiable information, which includes demographics like gender, hometown, name, age (birthdate) and anything else a person has under their ‘About’ tab. After the misuse of personal information by Cambridge Analytica, one starts to speculate that the same information is being harvested for similar militant bot and troll activity online, especially heading toward elections and other significant activities. Sometimes why hackers go in and what is taken can give clues as to who the hackers might be – in this case, I can speculate at a probable nation state or other political group data harvesting operation.
How it was detected is also interesting – user logins increased dramatically last December. Companies looking to assemble evidence of attack or compromise can look at user behavior and traffic patterns changing as evidence of ‘something different’ that requires investigation. The OWASP Top 10 Web Application Security Risks was updated a month before the traffic pattern was noticed last December 2017, adding a new item: A10 Insufficient Logging and Monitoring. This attack and the length of time it went undetected and verified represents the truth of that rating and inclusion as a major risk.”
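The kind of traffic-pattern check Warner describes, as an added example that is not from the page or any vendor named on it: a robust baseline over daily login counts flags an abrupt, sustained rise without letting the spike itself become the new normal. The counts are constructed sample data; window and threshold values are assumptions.

```python
"""Added example: flag an abrupt change in login volume, the sort of
traffic-pattern shift that warrants investigation. All counts here are
constructed sample data, not real telemetry."""
from __future__ import annotations
from statistics import median

# Constructed daily successful-login counts for one service. The last
# three days show the kind of jump a large-scale token-harvesting
# campaign might produce against a normally flat baseline.
DAILY_LOGINS = [
    1020, 998, 1045, 1010, 1003, 1031, 987,
    1012, 1040, 995, 1008, 1025, 1650, 1720, 1690,
]


def robust_zscore(value: float, baseline: list[float]) -> float:
    """Distance from the baseline median in units of median absolute
    deviation (MAD). Median and MAD are not dragged along by outliers
    the way mean and standard deviation are."""
    med = median(baseline)
    mad = median(abs(x - med) for x in baseline) or 1.0  # guard a flat baseline
    return (value - med) / (1.4826 * mad)  # 1.4826 scales MAD to ~1 sigma


def flag_anomalies(series: list[int], window: int = 7,
                   threshold: float = 5.0) -> list[int]:
    """Return the indices whose count deviates from the preceding
    `window` un-flagged days by more than `threshold` robust sigmas.
    Flagged days are kept out of later baselines, so a sustained change
    keeps alerting instead of silently being absorbed as the new normal."""
    flagged: list[int] = []
    clean: list[int] = []  # history excluding days already flagged
    for i, count in enumerate(series):
        if len(clean) >= window:
            z = robust_zscore(count, clean[-window:])
            if abs(z) > threshold:
                flagged.append(i)
                continue  # do not let the anomaly poison the baseline
        clean.append(count)
    return flagged


if __name__ == "__main__":
    for day in flag_anomalies(DAILY_LOGINS):
        print(f"day {day}: {DAILY_LOGINS[day]} logins, investigate")
```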
Eric Sheridan, chief scientist at WhiteHat Security:
“One of the best proactive strategies in reducing the risk of introducing vulnerabilities in applications is the enumeration and systemic adoption of ‘secure design patterns.’ While they may be unique to each organization and perhaps each application, secure design patterns help solidify those code level patterns that developers must adhere to in order to ward off the introduction of exploitable vulnerabilities. Facebook looks to have been exploited as a result of a Direct Object Reference, whereby an attacker could modify an ‘id’ parameter in order to access unauthorized user information. In this case, a secure design pattern dictating the use of a façade known to enforce data layer security constraints could be adopted to mitigate such vulnerabilities. The adoption of a secure design pattern is not enough, however. We need automation to help enforce the use of the secure design pattern at scale, which presents its own set of challenges.”
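The direct object reference pattern Sheridan describes beside the façade he recommends, as an added example (not Facebook's code and not WhiteHat's): the insecure handler authenticates the caller and then trusts a client-supplied id, while the hardened handler can only reach profile data through a gateway that enforces the visibility rule. Profiles, tokens and the visibility table are constructed sample data.

```python
"""Added example: an insecure direct object reference next to a
data-access facade that enforces authorization on every read.
Every record, token and rule here is constructed sample data."""
from dataclasses import dataclass

# Constructed store: profile id -> private fields.
PROFILES = {
    101: {"owner": "alice", "email": "alice@example.test", "birthdate": "1990-01-01"},
    102: {"owner": "bob", "email": "bob@example.test", "birthdate": "1985-06-15"},
}
# Constructed sessions: access token -> authenticated user.
SESSIONS = {"tok-alice": "alice", "tok-bob": "bob"}
# Who may read each profile's private fields (here: the owner only).
VISIBILITY = {101: {"alice"}, 102: {"bob"}}


class Forbidden(Exception):
    """Raised when the caller is not authorized for the requested object."""


@dataclass(frozen=True)
class Principal:
    user: str


def authenticate(token: str) -> Principal:
    """Resolve an access token to the user it represents."""
    try:
        return Principal(SESSIONS[token])
    except KeyError:
        raise Forbidden("invalid token") from None


def profile_insecure(token: str, profile_id: int) -> dict:
    """Vulnerable pattern: checks WHO is calling, then trusts the
    client-supplied id without checking WHAT they may see."""
    authenticate(token)
    return PROFILES[profile_id]  # any valid token reads any profile


class ProfileFacade:
    """Single gateway to profile data. Because handlers can only reach
    records through it, the authorization check cannot be forgotten."""

    def __init__(self, principal: Principal) -> None:
        self._who = principal

    def get_private(self, profile_id: int) -> dict:
        if self._who.user not in VISIBILITY.get(profile_id, set()):
            raise Forbidden(f"{self._who.user} may not read profile {profile_id}")
        return PROFILES[profile_id]


def profile_secure(token: str, profile_id: int) -> dict:
    """Hardened handler: all data access goes through the facade."""
    return ProfileFacade(authenticate(token)).get_private(profile_id)


def can_read(token: str, profile_id: int) -> bool:
    """True if the hardened path lets this token read this profile."""
    try:
        profile_secure(token, profile_id)
        return True
    except Forbidden:
        return False
```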
Greg Annette, Technology Evangelist at Barracuda Networks:
“Every new breach further proves that the public needs to preserve and protect their own cloud data, because the providers are not. Free services like Facebook are even less likely to care about user data protection, so the public must take ownership in protecting and preserving data. With Account Takeover attacks on the rise, successful protection requires proactive measures, not a reactive panic. According to recent data, 78% of account takeover incidents result in a phishing email, with the goal of infecting additional accounts, via user impersonation. In order to protect themselves, the public should implement a few baseline proactive measures, including:
- Back up data in a controlled environment. This will allow you to recover any deleted or compromised items.
- Use unique passwords for all services, and where appropriate, use a password manager.
- Enable multi-factor (MFA) or two-factor authentication (2FA) for any and all cloud-based accounts. While you should take personal steps to enable MFA and 2FA, you should also demand these authentication protocols from your vendor if it’s not automatically provided.”
Bill Conner, CEO at SonicWall:
“Despite the CEO’s previous testimony and efforts, today’s Facebook data breach is evidence that despite their size, investments and elite security teams, they are unable to protect their business and your privacy. Personal information is simply too valuable on the Dark Web. As long as stolen data continues to fetch high prices and equip perpetrators with the means necessary to carry out attacks, hold victims ransom, extort information or destroy property, organizations must exhaust all measures to diligently detect and protect their networks, devices and users. What an organization or nation-state can or intends to do with massive amounts of information on a country’s citizens should be taken very seriously.”
Dan Pitman, Principal Security Architect at Alert Logic:
“The time between detection and public notification on this one may be one for the record books, likely driven as much by risk to reputation and a wary eye on some of the large fines levied lately, as much as by GDPR and other compliance requirements.
Facebook has identified this was a vulnerability in its website code that allowed the attacker to gain authenticated access, which then allowed them to get effective access permissions for a huge number of users, giving the attacker the ability to access those users’ accounts as if they were the user themselves. Forcing a logout on the users changed the access keys to help ensure no use of them remained.
They will be working to establish if any of these accounts were actually accessed and what personal data may have been lost, especially in the case of high profile users.
New features increase the risk that vulnerabilities like this can become part of the live application, and Facebook is known to implement new features at a high rate, having been acknowledged as the leader in agile web development practices in the past.
This ‘continuous delivery’ of new features, combined with the modular nature of that delivery, increases risk that vulnerabilities like this can become part of the live application. Testing all of the myriad combinations of the sometimes hundreds of components, or modules, that can interact is the challenge. The applications are made up of components built by different developers at different times working based on older best practices; all of this means that vulnerabilities are an inevitability. In Facebook’s case, there will be people working hard to identify flaws in both trenches and this time the attackers got there first.”
Pravin Kothari, CEO at CipherCloud:
“Facebook just discovered a security issue that could have enabled hackers to access information on over 50 million accounts. The hackers exploited three separate vulnerabilities which allowed hackers access to approximately 50 million user tokens. User tokens allow users to stay logged into the service without re-entering their password. Attackers can access the accounts as long as the token remains active. Facebook, of course, deleted the tokens upon discovery of the breach and as users login again their tokens will be refreshed.”
“The real $50 million dollar question is who did this impact, exactly? Do any of those 50 million customers impacted reside in the European Community? If so, will this fall under GDPR and how will it be treated? Enforcement of GDPR will come from the Information Commissioner’s Office (ICO). What will their reaction be? Given the horrendous publicity from the Cambridge Analytica data exposures, the EU reaction is not easily predicted. Not knowing all of the detail of when the breach was discovered, who, exactly was impacted, who was responsible, etc., the possible outcomes may be worse than we know today. We’ll have to see what Facebook discloses about potential liability if any exists. The calculations of the potential fines under GDPR are a bit mind-boggling with any possible impact to millions of users.”
Ameya Talwalkar, Chief Product Officer and Co-founder at Stealth Security:
“Apart from 40 to 90 million customers being impacted, this is going to have long-term ripple effects with other large enterprises. This means there are up to 90 million new leaked credentials out there in the market. We expect a significant increase in credential checking or password list attacks at other large online properties in the coming days. This will result in an increased number of accounts compromised overall, which will ultimately lead to more fraud losses.
Since the investigation is still ongoing, we are waiting for more details. But given the scale of this attack, it is quite possible that this was orchestrated by bots abusing APIs. First generation bot mitigation technologies, which use JScript and Mobile SDK based device fingerprinting, fail to stop such bot attacks that use APIs.”
Satya Gupta, Chief Technology Officer and Co-founder at Virsec:
“While the “View As” feature sounds like a useful way to see what your profile looks like to your ex-girlfriend, it was clearly built without thinking through security. Instead of just seeing through someone else’s eyes, Facebook essentially lets you borrow their identity. Armed with someone else’s access token you can get to lots of private and highly privileged information. In addition, millions of people use their Facebook ID (authenticated through their access tokens) to connect to other services where they might be storing files, making purchases, or doing other things that they thought were private. Facebook claims to not know what these 50 million access tokens are being used for; you can bet that the thieves have found them to be very valuable.
These problems could easily have been avoided and services that prioritize security, like banks, hospitals and even airlines rarely make these basic mistakes. It’s a bad idea to let users stay logged on indefinitely while there is no activity. Many people will open a Facebook browser tab and not close it for hours or days while doing other things. If you’re logged into your banking site and are inactive for more than a few minutes you are automatically logged off and need to re-authenticate. This is a small burden for users and a no-brainer for security. There are also solutions that provide continuous authentication requiring users to confirm their identity if there is any unusual behavior.”