The attacks have struck again, this time affecting millions. In yet another unprecedented hack against the internet giant Facebook, it was disclosed that at least 50 million users (later revised to 30 million) were directly affected by the newly identified vulnerability. It is being said that, using this attack, a hacker would be able to log in to and take control of user accounts as if they were the account owner. In light of the requirements of the GDPR, Facebook was under a regulatory obligation to report the breach, which it did in time. Details, however, were not released by the company pending investigation. Initially, the company said only that user data, potentially including private messages, could have been accessed.
It took Facebook about two weeks after that to release official word on what had actually happened. Revising the number of affected users down to 30 million, Facebook disclosed that the hackers had taken advantage of vulnerabilities in the “View As” feature to obtain access tokens for user accounts. According to Facebook, these access tokens gave the hackers access only to profile information such as contact details, places lived, friends, groups and the names of people messaged recently, and not to private content such as messages on Messenger.
The hackers automated this entire process, which led to the rendering of data from 400,000 accounts. In essence, with the “View As” feature and an automated script, Facebook would load the user’s profile page, including posts and the other data mentioned above. Facebook has reassured users that the hackers were not able to access any private messages or their content unless the breached account belonged to a Facebook Page admin, in which case the architecture of Facebook Pages would have exposed all messages received by that Page.
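The automated sweep described above is the kind of access pattern a defender can look for: one actor previewing an unusually large number of distinct profiles through the “View As” path in a short window. The following is an added example, not Facebook’s code, and assumes a constructed log format of `timestamp actor action target` plus an assumed window and threshold.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines (not real Facebook data): ts, actor, action, target.
SAMPLE_LOG = """\
2018-09-14T10:00:00Z u100 view_as u201
2018-09-14T10:00:01Z u100 view_as u202
2018-09-14T10:00:02Z u100 view_as u203
2018-09-14T10:00:03Z u100 view_as u204
2018-09-14T10:00:04Z u100 view_as u205
2018-09-14T10:00:05Z u100 view_as u206
2018-09-14T10:00:30Z u300 view_as u301
2018-09-14T10:05:00Z u300 view_as u302
2018-09-14T10:20:00Z u300 view_as u301
2018-09-14T10:20:05Z u400 post_comment u999
"""


def parse_line(line):
    """Split one constructed log line into (datetime, actor, action, target)."""
    ts, actor, action, target = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), actor, action, target


def flag_view_as_sweeps(log_text, window=timedelta(minutes=10), max_targets=5):
    """Return {actor: peak distinct targets} for every actor that previewed more
    than `max_targets` distinct profiles via View As inside any `window`.
    Window and threshold are assumed values for the example."""
    recent = defaultdict(deque)  # actor -> deque of (ts, target), oldest first
    flagged = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, actor, action, target = parse_line(line)
        if action != "view_as":  # only the preview path is of interest here
            continue
        events = recent[actor]
        events.append((ts, target))
        while events and ts - events[0][0] > window:  # drop events outside the window
            events.popleft()
        distinct = len({t for _, t in events})
        if distinct > max_targets:
            flagged[actor] = max(distinct, flagged.get(actor, 0))
    return flagged
```

With the sample above, `u100` is flagged after its sixth distinct preview within seconds, while `u300`, whose previews are spread out and repeat a target, is not.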
Financial information was another concern. No clear position has been taken on it, though Facebook has reiterated that users’ full credit card numbers were definitely not revealed, because the protocol would not allow it; whether the last four digits of card numbers were revealed remained unclear. Following the hack, Facebook has also released a tool for developers to check whether an account was compromised and to what extent. It has, however, been put on record that no evidence of the data being misused has surfaced yet.
Some reports point to further data sets being accessed and stolen, including usernames, gender, relationship status, birthdate, current city and hometown, and device and work information. In the wake of the attack it also emerged, however, that the problem was identified on September 14 but was not acted upon or reported until September 25. Only when an unusual Facebook access pattern was noticed did Facebook spring into action. This has once again raised multiple regulatory questions and concerns about the privacy ecosystem. Because the attack was not targeted at a specific country or geography, every affected nation could come into play to enforce its laws. Facebook is most likely looking at tens of lawsuits and regulatory actions in the near future.