What is this Facebook breach?
The breach was announced by Facebook itself on 28 September 2018.
It worked something like this…
Facebook has a View As feature that lets you preview your profile as other people would see it.
This is supposed to be a security feature that helps you check whether you’re oversharing information you meant to keep private.
But crooks figured out how to exploit a bug (actually, a combination of three different bugs) so that when they logged in as user X and did View As user Y, they essentially became user Y.
If user Y was logged into Facebook at the time, even if they weren’t actually active on the site, the crooks could recover the Facebook access token for user Y, potentially giving them access to lots of data about that user.
What’s an access token?
When you login to Facebook, you need to put in your username and password, and optionally a two-factor authentication code.
At this point, Facebook’s servers send a unique “cookie” of random data – what’s known in the jargon as an access token – to your browser or app to denote that you’ve passed muster and can access the account.
For as long as you stay logged into Facebook, your browser or app sends this data cookie to Facebook’s servers whenever it wants to interact with your account, thus sidestepping the need to log in all over again.
As Facebook puts it:
Access tokens are the equivalent of digital keys that keep people logged in to Facebook so they don’t need to re-enter their password every time they use the app.
In other words, an access token for Facebook or any other online account is a bit like the room card a hotel gives you after you’ve shown your ID and credit card to check in.
Once you’ve proved yourself and received a key card, you can quickly and easily swipe yourself back into the hotel, activate the elevators and unlock your own room – you don’t need to get your passport out every time.
The difference between a regular hotel and Facebook, as Mark Stockley quipped in our podcast, is that “in [the Facebook] case, you’re not paying for the hotel and the hotel would really like you to stay as long as you like.”
Should I change my password?
After many breaches, our immediate advice is often, “Change your password.”
This is a routine precaution when the crooks have made off with a password database – even if the passwords weren’t stored in a directly readable plaintext form, the attackers may be able to crack a large number of passwords within a few days or weeks.
In other words, the faster you change your password, the less likely the crooks will be able to crack your account in time.
But in this Facebook breach, a password change isn’t necessary: the crooks got access tokens only, and didn’t get at any password databases.
A Facebook access token is a unique, random value that’s only generated after you’ve entered your password, and the crooks can’t work backwards from an access token to your password.
If you feel like changing your Facebook password anyway, don’t let us stop you. If you’re not using a password manager yet, this is a good chance to try one out. If you’re in the habit of picking the same or similar passwords for all your accounts because they’re easier to remember, watch our video on the subject to find out why that’s a terrible idea.
Would 2FA have helped?
Your access token is only generated after you’ve proved yourself to Facebook, including entering any needed two-factor authentication (2FA) codes.
The access token is used specifically so you don’t need to enter any more 2FA codes until after you next log out from your account.
Sadly, therefore, turning on 2FA doesn’t stop this sort of attack.
But we still think you should use 2FA whenever you can, because it makes it harder for cybercrooks in general to take over your accounts.
Remember that crooks can try logging in as you pretty much any time they like, whereas this access token breach required the crooks to figure out a sequence of three related bugs that no one else had spotted before.
How many people were affected?
When Facebook first figured out that the breach had happened, it decided to delete the access tokens of everyone who had used the View As feature in the previous year or more, as a reasonable precaution.
That led to 90,000,000 users experiencing a forced logout, even though not all of them had their access tokens stolen.
Facebook’s original conservative estimate of the users who actually had their access tokens scooped up by the attackers was 50,000,000.
Now, the company is saying that the number is probably 30,000,000.
All those users have been, or will be, contacted by Facebook.
Would a stolen access token let crooks access my other accounts?
One of the biggest worries when this breach was announced was, “What about other online services that I log into via my Facebook account?”
If a crook had your Facebook access token, could they use this to trick other services that allow you to use Facebook authentication – anything from free Wi-fi services and loyalty card accounts to online booking services?
The good news is that the answer seems to be, “No.”
According to Facebook:
This attack did not include Messenger, Messenger Kids, Instagram, WhatsApp, Oculus, Workplace, Pages, payments, third-party apps, or advertising or developer accounts.
What Facebook data could the crooks have accessed?
For the 30,000,000 affected users:
- 1,000,000 had no Facebook data accessed at all.
- 15,000,000 had at most their name, phone number and email addresses accessed.
- 14,000,000 had contact details and other profile data accessed, including “username, gender, locale/language, relationship status, religion, hometown, self-reported current city, birthdate, device types used to access Facebook, education, work, the last 10 places they checked into or were tagged in, [their] website, people or Pages they follow, and [their] 15 most recent searches.”
Who carried out this hack?
We don’t know, and for now, Facebook is keeping quiet on the issue.
That sort of silence isn’t suspicious or unusual, given that this breach is being investigated not only by Facebook but also by US law enforcement.
As Facebook explains, “We’re cooperating with the FBI, which is actively investigating and asked us not to discuss who may be behind this attack.”
Isn’t it ironic that I have to login to access Facebook’s Help Center?
Yes. And no.
Facebook can’t simply reveal what did or didn’t happen to your account without authenticating you first – that would just make a bad thing worse.
The good news in this breach is that logging out and back in invalidates your old access token and generates a new one, thus closing the door on the crooks.
(The security holes the attackers exploited were fixed by Facebook within a couple of days, so the crooks can’t use the same tricks to get back in once you’ve logged out.)
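To make the mechanics described in this section and in “What’s an access token?” concrete, here is an added example in Python. It is our own constructed model, not Facebook’s code, and it claims nothing about how Facebook actually stores sessions; every name in it (AuthServer, login, whoami, logout_all, the token lifetime) is an assumption made for illustration. It shows why a copied token gets the holder in without a password or 2FA, why clearing your own cookies or changing your password does not by itself shut the thief out, and why logging out (a server-side revocation) does.

```python
import hashlib
import secrets
import time

# Constructed, in-memory model of a bearer access-token scheme, added as an
# illustration. Not Facebook's code; the class, method names and the token
# lifetime below are our own assumptions.

TOKEN_TTL_SECONDS = 60 * 24 * 3600   # assumed lifetime of a session token


class AuthServer:
    def __init__(self):
        self._passwords = {}   # user -> (salt, pbkdf2 hash)
        self._sessions = {}    # token -> {"user": ..., "issued": ...}

    # --- account setup -----------------------------------------------------
    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def register(self, user, password):
        salt = secrets.token_bytes(16)
        self._passwords[user] = (salt, self._hash(password, salt))

    def _password_ok(self, user, password):
        rec = self._passwords.get(user)
        if rec is None:
            return False
        salt, stored = rec
        return secrets.compare_digest(stored, self._hash(password, salt))

    # --- login: the only place a token is minted ---------------------------
    def login(self, user, password, otp_ok=True):
        """Password and 2FA are checked here and nowhere else. The token is
        pure randomness, not derived from the password, so no amount of work
        on a stolen token yields the password."""
        if not (self._password_ok(user, password) and otp_ok):
            return None
        token = secrets.token_urlsafe(32)
        self._sessions[token] = {"user": user, "issued": time.time()}
        return token

    # --- every later request: bearer token only ----------------------------
    def whoami(self, token):
        """Whoever presents a live token is the user: no password, no 2FA
        prompt. A copied token is as good as the account until revoked."""
        s = self._sessions.get(token)
        if s is None:
            return None
        if time.time() - s["issued"] > TOKEN_TTL_SECONDS:
            del self._sessions[token]
            return None
        return s["user"]

    # --- revocation is a server-side act -----------------------------------
    def logout(self, token):
        """What clicking [Logout] does: the server forgets this token."""
        return self._sessions.pop(token, None) is not None

    def logout_all(self, user):
        """'Log out of all devices': drop every token belonging to the user."""
        doomed = [t for t, s in self._sessions.items() if s["user"] == user]
        for t in doomed:
            del self._sessions[t]
        return len(doomed)

    def change_password(self, user, new_password, revoke_sessions=False):
        """A new password does not touch existing tokens unless the service
        deliberately revokes them; that is a design choice, shown as an option."""
        salt = secrets.token_bytes(16)
        self._passwords[user] = (salt, self._hash(new_password, salt))
        return self.logout_all(user) if revoke_sessions else 0


def stolen_token_walkthrough():
    """Replay the situation in the article and record, step by step, whether a
    thief holding a copy of user Y's token still gets in."""
    server = AuthServer()
    server.register("user_y", "correct horse battery staple")
    token = server.login("user_y", "correct horse battery staple", otp_ok=True)
    victim_browser = {"access_token": token}   # the victim's cookie
    thief_copy = token                         # the attacker's copy

    steps = {}
    steps["token_works_without_2fa"] = server.whoami(thief_copy) == "user_y"

    # Victim clears browser cookies: only the victim's copy vanishes.
    victim_browser.clear()
    steps["still_in_after_cookie_clear"] = server.whoami(thief_copy) == "user_y"

    # Victim changes password without session revocation: token still live.
    server.change_password("user_y", "new and unrelated passphrase")
    steps["still_in_after_password_change"] = server.whoami(thief_copy) == "user_y"

    # Victim logs out (server-side revocation): the copy is now worthless.
    server.logout(token)
    steps["still_in_after_logout"] = server.whoami(thief_copy) == "user_y"
    return steps
```

The walkthrough is the article’s advice in code: a password change only matters if the service also revokes sessions (the `revoke_sessions=True` option here), whereas logging out, or a provider-side mass revocation like the one Facebook performed, cuts off every copy of the token at once.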
Should I close my Facebook account because of this breach?
We can’t answer that – it’s a choice that only you can make.
In our opinion, Facebook has responded well to this incident: the company detected the breach using its own “just in case” monitoring systems; reacted quickly and openly; patched the hole promptly; and investigated and reported back frankly.
As Mark Stockley put it in our podcast on this issue, “If you don’t like Facebook, you’ve had millions of reasons not to use it and not to engage with it, […] and I don’t actually think this is one of them.”
What’s the last word on this issue?
When it comes to privacy, one simple rule applies whatever the online service you’re using.
If in doubt, don’t give it out.
Who uses Facebook? All my friends and associates do not use it.
Obviously 90,000,000 people at a bare minimum. (I believe it’s actually well over 200,000,000 in reality.) Just because both of your friends and associates don’t use it doesn’t make a data breach (ANY data breach, not just Facebook) any less worrisome.
Facebook is a collective of people waiting to quit it at this point, not sure why people aren’t doing so in larger numbers. There is nothing in it for you, but having your information stolen and being targeted by ads or groups that have carried out the theft of your data.
To be fair, Facebook actually seems to have a very good record when it comes to data breaches, so saying “there is nothing for it but having info stolen” needs some evidence.
Yes, you need to be careful what you share, and installing cockamamie “psychometric” apps like the one from Cambridge Analytica was, in hindsight, a really bad idea…
…but if you follow the guideline given at the end of the article it is IMO possible to be part of Facebook without major privacy concerns.
If you’re a business it makes sense to have a Facebook presence – people can still search and look up what you have posted without logging in themselves.
Vulnerability Lab claims to have exploited this late 2017 and notified Facebook at the time as well. I wonder if that is true?
I seem to recall advice from years ago – make sure that you log out of your account every time you leave a web page. Seems like this is still good advice!
+1.
At least logout regularly, if not every time.
[..sentence about cookies deleted as explained below…]
On a mobile phone you will need to learn how to logout on an app-by-app basis – each social networking app seems to have its own idea on where to hide away the [Logout] button!
Deleting your cookies wouldn’t have helped in this case. The server side session (with its copy of the access token) is still alive, and is still usable until it expires or you ask Facebook to remove all access tokens (I think it’s called “logout all devices”). Actually clicking “Logout” will inform the server to remove the server side session, and would have protected you from this exploit.
Good point. Clearing your cookies would stop *you* getting back in with the access token (because you would no longer know it) but the crooks would still have the magic text string to match up with the one on the server.
I’ve deleted that bit from my original comment – thanks! (I put a […marker…] in my original comment so your comment doesn’t look weird now :-)
I mean it would still be useless if you delete the cookies. It would be useful only if the hackers have saved the sessions from the servers they had access to (if). Changing the password gives some hope 😀
wow. violation also happened.