A Facebook executive Friday said the company has “not ruled out the possibility of smaller, lower level access attempts during the time of the exposure,” but downgraded the number of users whose access tokens were stolen during the breach from 50 million to 30 million.
The attackers, who “already controlled a set of accounts, which were connected to Facebook friends,” employed “an automated technique to move from account to account so they could steal the access tokens of those friends, and for friends of those friends, and so on, totaling about 400,000 people,” Facebook Vice President of Product Management Guy Rosen wrote in a security update. “In the process, however, this technique automatically loaded those accounts’ Facebook profiles, mirroring what these 400,000 people would have seen when looking at their own profiles.”
That led to the pilfering of access tokens for about 30 million people.
“For 15 million people, attackers accessed two sets of information – name and contact details (phone number, email, or both, depending on what people had on their profiles),” Rosen said. “For 14 million people, the attackers accessed the same two sets of information, as well as other details people had on their profiles,” including “username, gender, locale/language, relationship status, religion, hometown, self-reported current city, birthdate, device types used to access Facebook, education, work, the last 10 places they checked into or were tagged in, website, people or Pages they follow, and the 15 most recent searches.”
Attackers exploited a vulnerability in Facebook’s code that impacted “‘View As’, a feature that lets people see what their own profile looks like to someone else,” Rosen wrote in a previous security update. “This allowed them to steal Facebook access tokens which they could then use to take over people’s accounts.”
Calling the attack a “complex interaction of multiple issues in our code,” Rosen said at the time that the incident “stemmed from a change we made to our video uploading feature in July 2017, which impacted ‘View As.’”
In the Friday update, Rosen provided details on how the social media company discovered the breach. “We saw an unusual spike of activity that began on September 14, 2018, and we started an investigation. On September 25, we determined this was actually an attack and identified the vulnerability,” he wrote. “Within two days, we closed the vulnerability, stopped the attack, and secured people’s accounts by resetting the access tokens for people who were potentially exposed. As a precaution, we also turned off ‘View As.’”
Rosen said the attack didn’t include “Messenger, Messenger Kids, Instagram, WhatsApp, Oculus, Workplace, Pages, payments, third-party apps, or advertising or developer accounts.”
Pravin Kothari, CEO of CipherCloud, said the Facebook disclosures leave many questions open. “Do any of those 30 million customers potentially impacted reside in the European Community? Is Facebook filing a GDPR disclosure? If so, will this fall under GDPR and how will it be treated?” Kothari asked. “Enforcement of GDPR will come from the Information Commissioner’s Office (ICO). What will their reaction be? Given the horrendous publicity from the Cambridge Analytica data exposures, the EU reaction is not easily predicted.”
Without the details of the breach and who is behind it, “the possible outcomes may be worse than we know today,” he said. “We’ll have to see what Facebook discloses about potential liability if any exists. The calculations of the potential fines under GDPR are a bit mind-boggling with any possible impact to millions of users.”
“What is 30 or 90 million names/emails to the billions of leaked data already out there? Just another small drop. And beside the leaks, I don’t think people realize how easy it is to collect data/profiles with ‘public’ data exposed in the internet or social media already,” said Oliver Munchow, security evangelist with Lucy Security.