Facebook admitted its network was breached and the cyberattack affected nearly 50 million accounts, though the extent of the damage is still unclear.
Guy Rosen, vice president of product management at Facebook, gave the few details currently available regarding the Facebook breach in a blog post. Rosen said the Facebook breach was first discovered on the afternoon of Tuesday, September 25. Rosen claims attackers exploited a vulnerability in the "View As" feature -- a way to let "people see what their own profile looks like to someone else" -- and obtained access tokens for nearly 50 million accounts.
"We have reset the access tokens of the almost 50 million accounts we know were affected to protect their security. We're also taking the precautionary step of resetting access tokens for another 40 million accounts that have been subject to a 'View As' look-up in the last year," Rosen wrote in the blog post. "As a result, around 90 million people will now have to log back in to Facebook, or any of their apps that use Facebook Login. After they have logged back in, people will get a notification at the top of their News Feed explaining what happened."
One point in Rosen's explanation of the cause of the Facebook breach that is still unclear is how many vulnerabilities were exploited by attackers. Most of the blog post references a single vulnerability in the "View As" feature, and Rosen said Facebook "fixed the vulnerability". However, later in the post Rosen described a different attack path in which malicious actors "exploited the complex interaction of multiple issues" in Facebook.
"It stemmed from a change we made to our video uploading feature in July 2017, which impacted 'View As.' The attackers not only needed to find this vulnerability and use it to get an access token, they then had to pivot from that account to others to steal more tokens," Rosen wrote.
Additionally on a press call, Rosen described the attack as leveraging "multiple bugs that interacted together." Rosen could not say what data might have been stolen in the Facebook breach or what else the attackers could have accessed with the tokens.
Facebook breach reaction
Tim Mackey, technical evangelist at Synopsys Software Integrity Group, said the Facebook breach "shows how important an incident response plan is."
"In this case, the incident response includes information surrounding access tokens. Because this issue impacted access tokens, it's worth highlighting that these are the equivalent of a username and password combination but are used by applications to authenticate against other applications," Mackey wrote via email. "If you've ever used a Facebook login button on a website, now would be an excellent time for Facebook users to review their App Settings to see which applications and games they've granted access rights to within Facebook."
Chris Wysopal, CTO at CA Veracode, said he believes "the execution must have been automated in order to collect the access tokens of 50 million users."
"We don't know if the attackers were able to scrape all of the profile data from each of those users. It isn't clear exactly how long the attackers may have had access, but Facebook determined it could have been a year," Wysopal wrote via email. "Making an educated guess based on what's been revealed, but having two-factor authentication enabled on the account might not have protected a user since the vulnerability was exploited via an access token as opposed to the normal authentication workflow that would trigger verification of the second factor."
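The remediation Rosen describes above (resetting the tokens of known-affected accounts and, as a precaution, of any account subject to a "View As" look-up in the last year) and the point Mackey and Wysopal make, that a stolen access token stands in for the password and never passes through the second-factor check, can be modelled server-side with per-account invalidation watermarks. The following is an added example, not Facebook's code or anything from the article; the account names, the look-up log and the HMAC-tagged token format are assumptions.

```python
import hashlib, hmac, secrets
from datetime import datetime, timedelta, timezone

SERVER_KEY = b"constructed-demo-key"   # assumption: a per-deployment secret, not a real key
EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)

class TokenService:
    """Issues HMAC-tagged bearer tokens and enforces per-account reset watermarks."""
    def __init__(self):
        self.invalid_before = {}   # account_id -> tokens issued before this time are dead
        self.view_as_log = {}      # account_id -> time it was last the subject of "View As"

    def issue(self, account_id, issued_at):
        # Token = account id, issue time and random nonce, bound together by an HMAC tag.
        payload = f"{account_id}|{issued_at.isoformat()}|{secrets.token_hex(8)}"
        tag = hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()
        return f"{payload}|{tag}"

    def validate(self, token):
        # Returns the account id for a good token, None if forged or reset.
        payload, _, tag = token.rpartition("|")
        expected = hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(tag, expected):
            return None                                   # forged or corrupted
        account_id, issued_str, _ = payload.split("|")
        if datetime.fromisoformat(issued_str) < self.invalid_before.get(account_id, EPOCH):
            return None                                   # predates a forced reset
        return account_id

    def reset_tokens(self, known_affected, now, lookback=timedelta(days=365)):
        # Kill every token of the known-affected accounts plus, as a precaution,
        # of any account that was looked up via "View As" within the look-back.
        targets = set(known_affected)
        targets |= {a for a, t in self.view_as_log.items() if now - t <= lookback}
        for a in targets:
            self.invalid_before[a] = now                  # old tokens die, new logins work
        return targets

def demo():
    # Constructed scenario: alice is known-affected; bob was "viewed as" 30 days ago
    # (inside the look-back), carol 400 days ago (outside it). All hold day-old tokens.
    svc = TokenService()
    now = datetime(2018, 9, 25, 12, 0, tzinfo=timezone.utc)
    svc.view_as_log = {"bob": now - timedelta(days=30), "carol": now - timedelta(days=400)}
    old = {a: svc.issue(a, now - timedelta(days=1)) for a in ("alice", "bob", "carol")}
    reset = svc.reset_tokens(["alice"], now)
    fresh = svc.issue("alice", now)                       # alice logs back in
    forged = old["carol"].replace("carol", "dave", 1)     # payload changed, tag no longer matches
    return {"reset": reset, "old": {a: svc.validate(t) for a, t in old.items()},
            "fresh": svc.validate(fresh), "forged": svc.validate(forged)}
```

Note that validation never consults the second factor: a token that is both authentic and newer than the watermark is accepted outright, which is exactly why a bulk reset, rather than 2FA, is the control that ends a token-theft incident.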
Tim Erlin, vice president of product management and strategy at Tripwire, said that the Facebook breach could prove interesting given new privacy laws around the globe.
"Inside the walls of Facebook, there has got to be concern over any GDPR-related repercussions," Erlin wrote via email. "This could be a real litmus test for the fledgling regulation."
Brian Vecci, technical evangelist at Varonis, said regulations like GDPR force companies that collect user data "to think about it and treat it differently."
"For Facebook and other tech giants who want to play an active role in shaping data privacy regulations, this news couldn't come at a worse time. The big names in tech might hope for more lenient regulations, but this breach makes that less likely," Vecci wrote via email. "The takeaway for consumers should be that we're glad rules like GDPR and the California Consumer Privacy Act are there -- they're designed to protect us. The takeaway for companies should be that these kinds of regulations are the future and new normal. Security and privacy need to be part of the way they do business, not an afterthought."