The Biggest Breach in Facebook History - Weekly Mobile ID Roundup #005

October 3, 2018
4 minutes read
Category: Mobile Identity
Author: IPification Team

We are back with another installment of our Weekly Mobile Identity Roundup.

This week we are covering big Facebook-related news which you might have heard. And if you were one of the 50 million unlucky ones - experienced it, as well.

We are talking about the biggest data breach in the history of Facebook. This being such a big deal, we’ve decided to dedicate a big portion of this roundup to it.

Nearly 50 million users were compromised in a huge security breach

Facebook has revealed that the attackers were able to successfully exploit the vulnerability in its code, which allowed them to have access to and to take control of nearly 50 million Facebook accounts.

The breach was discovered by Facebook engineers on Tuesday, September 25 and two days later. As written in their official report “attackers exploited a vulnerability in Facebook’s code that impacted ‘View As’, a feature that lets people see what their own profile looks like to someone else. This allowed them to steal Facebook access tokens which they could then use to take over people’s accounts. Access tokens are the equivalent of digital keys that keep people logged in to Facebook so they don’t need to re-enter their password every time they use the app.”

Users whose accounts were affected by the breach have been logged out of their accounts - so if you’ve been one of the people who was confused as to why their account was logged out - this was the reason. You were almost certainly affected by the breach.

What makes this breach severe is the fact that attackers were able to steal the “access tokens”, a sort of a security key which allowed them to stay logged on to Facebook over multiple browsing sessions without having to enter the password every time. These tokens also allowed attackers to access third-party applications that use Facebook Login authentication.

In response to this discovery, Facebook claims that it fixed the vulnerable spot and disabled the “View As” feature. The investigation is still in the early stages, at this point it is still unknown who is behind the attack.

Experts from different areas of security shared their point of view and invaluable opinion on this matter. Some were surprised that the attack wasn’t detected sooner - but almost all of them believe that it is users who should be more careful with providing private information on social media platforms because they might not have the ability to protect their personal data adequately.

Every new breach further proves that the public needs to preserve and protect their own data because the providers won’t always be able to.

Zero Trust Cybersecurity for Protecting Customer Information

Right off the bat, this seems contradictory, but hear us out.

Some of the most expensive data breaches happened only because the hackers accessed internal systems. Once they did, they could easily move through and around them, compromising confidential information - which is what happened to Facebook.

Zero Trust works on a basis of distrust - to truly protect the data, organizations must not trust any activity that might take place either inside or outside of their networks. Instead, they should verify every request to access their networks to ensure it’s safe.

There are three main benefits of adopting the Zero Trust Networking approach.

1. Zero Trust lowers the potential of a breach

To lower breach potential, Zero Trust focuses on the application workload rather than the perimeter or endpoint. In this model, the network continuously checks the workloads against their intended states. Anytime a workload fails to match its state, its communication with the rest of the system is halted. Any alteration, whether from an accident, misuse or adversarial activity, is a signal for automatic distrust by the system until the situation is corrected, following prescribed policies.

2. It provides a better control over cloud environment

All of the information available is either stored locally, or on the cloud, and the combination of the two is what is used most commonly today. With that being said, information security remains a shared responsibility between the Cloud Service Provider and the client company. As a result, security teams don’t get as much control over the network as would be ideal. Zero Trust gives security teams a greater ability to detect disparities within the workload, which are easy to spot.

3. Zero Trust boosts compliance and improves trust

Compliance is what matters to audits - and IT audits are designed to expose technological weaknesses in the organization. Any issues concerning data and the systems that handle it are subject to scrutiny. Any hole the security team seals before the audit contribute to a smoother audit process and generally better protection for the network.

Zero Trust goes above and beyond the audits, it includes members of the organization who can understand the organization’s data flow as they interact securely within the network. Transparency is what increases customer's trust in the brand, and what ultimately Zero Trust believes in.

Who would’ve guessed that being distrustful might be a good way to trust technology.

Facebook is using your 2FA phone number to target you with ads

Now that we are on the topic of trust, we have to mention another news regarding Facebook.

There is another issue Facebook has tried to avoid but confirmed recently, is that it uses phone numbers that users provided it for security purposes to target them with ads.

And we're not talking about any number - they use phone number given for two-factor authentication (2FA).

There were some rumors about Facebook using contact details of individuals who never personally provided their information for ad targeting purposes. A few months ago Facebook addressed the issue of 2FA phone number targeting as a "bug".

Facebook’s confession follows a story Gizmodo several days ago, related to research work carried out by academics at two U.S. universities who ran a study in which they say they were able to demonstrate the company uses pieces of personal information that individuals did not explicitly provide it to - and target them with ads.

No one seems to be surprised of the lengths Facebook is willing to go just to target the right audience, but these issues should be fully addressed so average user know what might happen with the information provided to Facebook.