Why users should worry more about the recent breach at Facebook
Facebook recently issued a Security Update which raised some eyebrows, but in the midst of everything that the industry and the company are going through, especially in the cybersecurity space, it seems that the ‘event’ simply got swept under the rug.
However, that breach is quite significant and can have quite severe ramifications for some users.
According to the company’s note, attackers exploited a vulnerability in Facebook’s code that impacted “View As”, a feature that lets people see what their own profile looks like to someone else.
This allowed them to steal Facebook access tokens from 50 million users. The theft could allow them to take over people’s accounts. Access tokens are the equivalent of digital keys that keep people logged in to Facebook so they don’t need to re-enter their password every time they use the app.
Stop and think about that for a moment. Facebook access tokens. It’s what users use to log in to other platforms online and to apps on their phone. Airbnb, Spotify, Expedia, and several other key apps that they use every day.
What’s the harm if hackers get into these apps? Well, you tend to make payments on these apps, and allow them to store your credit card information and sensitive data about you, which may now be vulnerable and easier to retrieve for hackers. Now you get the picture, don’t you?
Neither Facebook nor third-party sites seem to know the precise extent of the damage. The social media giant issued the update as soon as it learned of the attack in order to comply with the provisions of the EU’s General Data Protection Regulation (GDPR) and is expected to provide a full update on the extent and complexities of the breach soon.
According to a recent paper by the University of Illinois at Chicago, if Facebook had done a better job with their access tokens, the impact could have largely been limited to Facebook. In fact, according to researchers, the attack is completely undetectable by the user — so it is up to the tech companies affected to check and let users know.
Although the breach is quite catastrophic, the company hasn’t been penalized in any geography as yet. However, the EU is expected to prosecute it for violation of stipulations under the GDPR, and cases against the company have been filed in California with regard to this particular breach.
In a few weeks, more details are expected. However, it could turn out to be a cybersecurity nightmare for users — and the companies that signed on with Facebook to let users access their accounts via the latter’s access tokens.
30 March 2023