Poor old Facebook. Just when we all started to forget about Cambridge Analytica and all that craic, they’ve gone and done it again. Guy Rosen, VP of Product Management at the social media giant, has just released a blog post over on the Facebook Newsroom outlining what the latest Facebook “hack” is all about. I’m here to let you know what it means for you as a Facebook user.
Was Facebook Hacked?
Yes. There’s no denying this is a hack. My first reaction was to categorise these headlines as scaremongering; Rosen’s post doesn’t mention the term hack once. I checked.
Maybe it wasn’t a hack at all, I thought to myself, but then I looked up the definition of hack:
gain unauthorized access to data in a system or computer
Ah yeah, this was a hack alright.
Ironically, as part of Facebook’s privacy features, you can view your Facebook profile as other people on the platform see it. This means you can review what your boss sees (why did you add them in the first place?) or what your mother sees (yeah, she added you, fair enough). The irony kicks in here: hackers used this “View As” feature not just to see a profile as someone else would, but to get hold of that other person’s access token, which let them actually act as that person.
In technical language, the hackers stole “Facebook access tokens”. Let me simplify that to a point where I understand it better!
Imagine Facebook is a massive building where we all go on a regular basis. There are two options when you get to the front desk. The first is that you sign into a guest book every single time before you are allowed to enter the building. This is the equivalent of entering your password every time you want to use Facebook. The second way in is scanning a card that verifies you are who you say you are before entering the building. This is much easier and faster, right? Well, having a card to scan is the same as having an access token. It’s faster, but the desk never asks a card-holder to sign the guest book again, so if someone else has your card, they can pose as you, enter the building and wreak havoc.
This is what happened with Facebook. Hackers were able to take people’s access tokens and pose as those people, which means doing anything the real owner could do in the account. That is an account takeover in all but name. Because a Facebook login also covers Instagram, this has possibly spread to Instagram too.
So, What Did the Hackers Do?
It’s down to some really shitty coding from Facebook. Judging by what Facebook has done to fix the vulnerability, hackers were able to look up accounts using the “View As” privacy option and steal those accounts’ access tokens from there. A feature that was only ever meant to show you how your own profile looks to someone else ended up handing over that someone else’s key. It’s such a simple and stupid mistake for Facebook to make, seriously.
How Many People Are Affected by the Hack?
This is a big one. The vulnerability was discovered last Tuesday and dates back to a video-related update the company made to its platform in July 2017. That’s bloody ages ago, and Facebook estimates this cock-up affects almost 50 million Facebook users.
Have Irish Accounts Been Hacked?
No official breakdown of nationalities affected has been provided, but it’s clear Irish accounts have indeed been affected. I’ve seen social media lighting up with people saying they were randomly signed out of their accounts, meaning they fall within the pool of 90 million accounts logged out, either because they were directly involved or because of the precautionary steps Facebook is taking.
What is Facebook Doing About the Hack?
First of all, indulge me in some tinfoil hat conspiracy. The timing of this announcement seems very convenient. The news broke in Europe on a Friday evening. Considering my beloved GDPR only came into force this year, and that Facebook has known about this since Tuesday, I can’t help but feel they sat on it until much of the European media had gone home for the weekend. It feels like damage limitation from Facebook, but anyway…
At the time of writing this article, Facebook has reset the access tokens for the almost 50 million users known to have been affected and, as an additional precaution, for a further 40 million accounts that have been looked up through this “View As” functionality in the last year. Resetting a token forces a fresh login, which is why people found themselves signed out. They’ve also disabled the “View As” option altogether for the time being.
Most importantly, Facebook has apologised. Frankly, they can shove that up their arse.
What Should You Do Next?
It’s time for precaution. Facebook’s own figure is almost 50 million users affected, but the affected count in the Cambridge Analytica scandal swelled in the weeks after it broke, so I wouldn’t be surprised to see this number go north too.
Go to the “Security and Login” section of Facebook settings and log out of all devices. This is the step that actually matters: it kills every existing token for your account, including any copy someone else may be holding, whereas changing your password on its own does not necessarily do that. I would strongly recommend doing this for Instagram too. The true horror of these kinds of events means technically you should also track down any website where you use “Log in with Facebook”, since a stolen Facebook token could have been used to sign in to those sites as you; log out of or remove them, and if you have a separate password on any of them, reset it. You can find the list in the apps and websites section of your Facebook settings.
I’d also recommend you stop using “Log in with Facebook” and either use Google, who do seem to have their privacy in order, or just sign up with your email and create a unique password for every website. The best thing you could ever do is move to a password manager such as LastPass, which is something I’ll be writing about very soon. I don’t know any of my passwords, except for LastPass itself, and I just let it manage everything for me. Seriously, look into it, it’s great.
You should also use two-step verification. This means logging in requires more than just a password. You’ll either need an app to verify it’s you trying to get in or you can receive a code to your phone; the app is the more robust of the two, but either is a big improvement on a password alone. One caveat: two-step verification guards the login step, the guest book in the analogy above. It would not have stopped someone who already held a copy of your card, which is exactly why logging out of all devices comes first.
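To make the building-pass analogy and the advice above concrete, here is a small Python model added for this article. It is not Facebook’s code and makes no claim about how Facebook implements tokens; the TokenService class, the user “alice” and the passwords are all made up for the example. It shows three things: a stolen bearer token works without ever touching the password or second factor; changing the password alone leaves the stolen token working; and a server-side “log out everywhere” (or a provider-wide token reset) is what actually kills it.

```python
import hashlib
import hmac
import secrets


class TokenService:
    """Toy login service that issues bearer access tokens.

    Added illustration only; not Facebook's code. Tokens carry a per-user
    'generation' number, and 'log out everywhere' bumps that number so every
    outstanding token for the user dies at once, wherever it is held.
    """

    def __init__(self):
        self._users = {}   # user_id -> [salt, password hash, token generation]
        self._tokens = {}  # token  -> (user_id, generation at issue)

    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def register(self, user_id, password):
        salt = secrets.token_bytes(16)
        self._users[user_id] = [salt, self._hash(password, salt), 0]

    def login(self, user_id, password, second_factor_ok=True):
        """The guest book: password and second factor are checked here, and only here."""
        rec = self._users.get(user_id)
        if rec is None or not second_factor_ok:
            return None
        salt, pw_hash, gen = rec
        if not hmac.compare_digest(self._hash(password, salt), pw_hash):
            return None
        token = secrets.token_urlsafe(32)
        self._tokens[token] = (user_id, gen)
        return token

    def whoami(self, token):
        """The card scan: whoever presents a live token is that user. No password asked."""
        entry = self._tokens.get(token)
        if entry is None:
            return None
        user_id, gen = entry
        if gen != self._users[user_id][2]:
            return None  # issued before the last 'log out everywhere'
        return user_id

    def log_out_everywhere(self, user_id):
        """What 'log out of all devices' (or Facebook's token reset) does server-side."""
        self._users[user_id][2] += 1

    def change_password(self, user_id, new_password, revoke_tokens):
        rec = self._users[user_id]
        rec[0] = secrets.token_bytes(16)
        rec[1] = self._hash(new_password, rec[0])
        if revoke_tokens:
            self.log_out_everywhere(user_id)


def demo():
    """Walks through theft, a useless password change, and the reset that works."""
    svc = TokenService()
    svc.register("alice", "correct horse battery staple")  # made-up user and password
    alice_token = svc.login("alice", "correct horse battery staple")

    # The attacker has no password and no second factor: the front desk says no.
    front_desk = svc.login("alice", "guess", second_factor_ok=False)

    # But a copy of Alice's token, however it was obtained, is as good as being Alice.
    stolen = alice_token
    as_alice = svc.whoami(stolen)

    # Alice changes her password but does nothing else: the stolen card still scans.
    svc.change_password("alice", "new pass", revoke_tokens=False)
    still_alice = svc.whoami(stolen)

    # Log out of all devices: every existing token for Alice is dead, the stolen one included.
    svc.log_out_everywhere("alice")
    after_reset = svc.whoami(stolen)

    # Alice signs in again with her new password and gets a fresh, working token.
    fresh = svc.login("alice", "new pass")
    return {
        "front_desk": front_desk,
        "as_alice": as_alice,
        "still_alice": still_alice,
        "after_reset": after_reset,
        "fresh_works": svc.whoami(fresh) == "alice",
    }


if __name__ == "__main__":
    print(demo())
```

The generation counter is the design choice worth copying: revocation is a single integer increment per user rather than a hunt through every session record, and it covers tokens the user never knew existed. A real service would tie the same bump to password changes as well, which is the option the toy leaves off to show what goes wrong without it.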
I’ll be following this story over the weekend so keep an eye here and on my Twitter for the latest as it breaks.
Update 12.55am – 2 October 2018
We reached out to the Data Protection Commission, but have yet to hear back directly from them. However, they have been updating their Twitter with their take on the Facebook hack as information becomes available.
Much like me, the DPC seem less than impressed by how long it took to report the issue: it broke late on Friday after being discovered on Tuesday.
Facebook data breach. The DPC is concerned that this breach was discovered on Tuesday & affects millions of users. At present Facebook is unable to clarify the nature of the breach & risk to users. We are pressing Facebook to urgently clarify these matters. #dataprotection
— Data Protection Commission Ireland (@DPCIreland) September 28, 2018
Why is the Irish Data Protection Commission So Important for Facebook?
We all know Ireland is a tax haven, right? Well, because of that, Facebook’s European operation is headquartered in Ireland, which puts it inside the European Union. As a result, it’s the Irish Data Protection Commission which will be investigating this on behalf of the whole EU. This is why the EU Commissioner for Justice has called on Facebook to cooperate and disclose how many EU users have been involved in the hack:
At least 50mln #Facebook users were compromised in the huge security breach. I urge Facebook to fully cooperate with @DPCIreland. We need to know if EU users were affected and what had happened to their data. Here a reminder about the obligations of biz https://t.co/1bZ6IJdJ4B
— Věra Jourová (@VeraJourova) September 30, 2018
How Many EU Citizens Have Been Affected by the Facebook Hack?
According to some digging done by the Irish Data Protection Commission, fewer than 10% of the accounts involved belong to EU users. Set against the 50 million figure we’ve seen so far, that puts the number at up to five million EU accounts; no small figure. That’s more than the entire population of Ireland!
UPDATE Facebook data breach – @DPCIreland understands that the number of potentially affected EU accounts is less than 10% of the 50 million accounts in total potentially affected by the security breach. DPC Ireland statement beneath. #dataprotection #GDPR #EUdataP pic.twitter.com/oSfGy6DP2S
— Data Protection Commission Ireland (@DPCIreland) October 1, 2018
Here’s hoping there’s more clarity soon.
Update 8.05am – 4 October 2018
The DPC has commenced its official investigation into the Facebook hack:
— Data Protection Commission Ireland (@DPCIreland) October 3, 2018