On Friday, Facebook revealed that it had suffered a security breach that impacted at least 50 million of its users, and possibly as many as 90 million. What it failed to mention initially, but revealed in a followup call Friday afternoon, is that the flaw affects more than just Facebook. If your account was impacted it means that a hacker could have accessed any account that you log into using Facebook.
That's a lot of them. You can read a fuller accounting of the hack here, but essentially it combines three bugs relating to Facebook's "View As" feature, which lets users see what their profiles look like when other people view them. A video upload tool, intended to enable "Happy Birthday" videos, would erroneously appear on the "View As" page and generate an access token for the account being viewed as, not for the person actually logged in. An attacker could therefore look up any user with "View As" and walk away with a token for that user's account.
Facebook initially responded by logging out both the 50 million people it knows were affected by the attack, and an additional 40 million who were looked up with the “View As” tool in the last year. It also hit pause on the “View As” feature. But the second revelation Friday indicates that the fallout may be far more widespread than initially indicated.
Beyond the impact on Facebook accounts themselves, the company confirmed that the breach impacted Facebook's implementation of Single Sign-On, the practice that lets you use one account to log into others. The idea is to use a trusted service, like Facebook, Google, Twitter, and so on, to log into sites and services across the web, rather than create a unique profile for each one. That saves time, and ensures you're logging in through an entity you trust. In this case, it also appears to have potentially made Facebook's breach an internet-wide calamity, at least for those impacted.
"The access token enables someone to use the account as if they were the account holder themselves. This does mean they could access other third-party apps using Facebook login," Guy Rosen, Facebook's vice president of product, said in a call with reporters Friday. "Developers who used Facebook login will be able to detect those access tokens have been reset."
It's unclear how long those third-party sites will accept the stolen access tokens, or how difficult it would be for an attacker to use an access token to get into a third-party site.
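The part of this that sits on the third-party side is the check a site using Facebook Login runs on the token a browser hands it. The following is an added example, written for this page and not code from the article or from Facebook: it validates a presented user token against the Graph API's `debug_token` endpoint and decides whether to open a session. The app ID, the app token and the JSON responses are all constructed so it runs offline; the fetcher is injected for the same reason. The response shape (`data.is_valid`, `data.app_id`, `data.user_id`, `data.expires_at`, and an `error` block when the token is dead) follows Facebook's documented format, but the exact messages here are made up.

```python
"""Relying-party validation of a Facebook Login access token.

Added example, not the article's or Facebook's code. APP_ID, the app
token and SAMPLE_RESPONSES are constructed for illustration.
"""
import json
import time
from typing import Any, Callable, Dict, Optional

APP_ID = "123456789012345"  # hypothetical relying-party app ID
DEBUG_TOKEN_URL = "https://graph.facebook.com/debug_token"


class TokenRejected(Exception):
    """A presented token must not be trusted; caller should force re-login."""


def verify_facebook_token(user_token: str, app_token: str,
                          fetch: Callable[[str, Dict[str, str]], str],
                          now: Optional[float] = None) -> str:
    """Return the Facebook user ID bound to user_token, or raise TokenRejected.

    fetch(url, params) performs the HTTPS GET and returns the body; injecting
    it lets the checks run against constructed responses.
    """
    now = time.time() if now is None else now
    body = fetch(DEBUG_TOKEN_URL,
                 {"input_token": user_token, "access_token": app_token})
    data: Dict[str, Any] = json.loads(body).get("data", {})

    # 1. A reset or revoked token comes back is_valid=false with an error block.
    #    This is how a developer "detects those access tokens have been reset".
    if not data.get("is_valid"):
        msg = data.get("error", {}).get("message", "token not valid")
        raise TokenRejected(f"not valid: {msg}")

    # 2. The token must have been issued to *this* app. A perfectly valid
    #    token minted for some other app proves nothing about the user to us.
    if str(data.get("app_id")) != APP_ID:
        raise TokenRejected("issued for a different app")

    # 3. Do not honour an expired token even if a cached answer says valid.
    #    expires_at == 0 means a non-expiring token, so only check when set.
    expires_at = int(data.get("expires_at", 0) or 0)
    if expires_at and expires_at <= now:
        raise TokenRejected("expired")

    user_id = data.get("user_id")
    if not user_id:
        raise TokenRejected("no user_id bound to token")
    return str(user_id)


# Constructed responses modelled on the documented debug_token shape.
SAMPLE_RESPONSES: Dict[str, Dict[str, Any]] = {
    "tok-good": {"data": {"app_id": APP_ID, "is_valid": True,
                          "user_id": "1000123", "expires_at": 2000000000,
                          "scopes": ["public_profile", "email"]}},
    "tok-reset": {"data": {"app_id": APP_ID, "is_valid": False,
                           "user_id": "1000123",
                           "error": {"code": 190,
                                     "message": "session invalidated (constructed)"}}},
    "tok-other-app": {"data": {"app_id": "999999999999999", "is_valid": True,
                               "user_id": "1000123", "expires_at": 2000000000}},
    "tok-expired": {"data": {"app_id": APP_ID, "is_valid": True,
                             "user_id": "1000123", "expires_at": 1500000000}},
}


def fake_fetch(url: str, params: Dict[str, str]) -> str:
    """Stand-in for the HTTPS GET; serves the constructed responses above."""
    unknown = {"data": {"is_valid": False,
                        "error": {"message": "unknown token (constructed)"}}}
    return json.dumps(SAMPLE_RESPONSES.get(params["input_token"], unknown))


def login_decision(user_token: str) -> str:
    """What the relying party does with a token presented at login."""
    try:
        uid = verify_facebook_token(user_token, "APP|SECRET", fake_fetch,
                                    now=1600000000)
    except TokenRejected as exc:
        # Open no session, drop any session previously opened with this
        # token, and send the user back through the identity provider.
        return f"deny+reauth ({exc})"
    return f"allow uid={uid}"


if __name__ == "__main__":
    for tok in ("tok-good", "tok-reset", "tok-other-app", "tok-expired"):
        print(tok, "->", login_decision(tok))
```

The caveat this makes concrete: Facebook resetting a token only helps a third-party site that actually re-checks tokens. A site that validated the token once, issued its own session cookie, and never looks at Facebook again will keep an attacker logged in until that cookie expires, which is why the question in the paragraph above of how long third-party sites would accept the stolen tokens has no single answer.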
Facebook separately says it has invalidated data access for third-party apps for the affected individuals, meaning if you're one of the 90 million people potentially affected, you won't be able to, say, share an image from Instagram over to Facebook until you log back in and reconnect those apps.
Meanwhile, Facebook has still not confirmed whether any third-party accounts were actually compromised, and still has not detailed exactly what type of data hackers could have gotten away with. (That they could gain full access to Facebook accounts gives at least a baseline: Anything and everything on your profile would have been exposed.) Facebook also declined to say exactly how long attackers took advantage of the vulnerability, which was introduced in July 2017. Fourteen months is a very large window to do potential damage.
As for how widespread the attack was, Rosen said the targeting appeared fairly broad. But New York Times reporter Mike Isaac noted that Facebook CEO Mark Zuckerberg and COO Sheryl Sandberg had their accounts compromised as part of the attack.
Facebook already faces legal challenges as a result of the disclosure; Facebook users Carla Echavarrai and Derrick Walker have filed a class action suit in California. "It is shocking that after all the publicity surrounding Facebook's handling of personal information in the wake of Cambridge Analytica and its promises to do better by its users that Facebook has yet again failed to protect consumers' information from hackers," said their attorney, John Yanchunis, in a statement.
The debacle also underscores broader concerns about Single Sign-On, which Friday turned into the ultimate object lesson in the inherent tradeoffs between security and convenience. "Single Sign-on schemes are great in the sense that the federal reserve cash vault in Atlanta is dramatically more secure than the safe at a local credit union," says Kenn White, director of the Open Crypto Audit Project. "But the downside is if a Single Sign-on gets breached you're hosed."
Sticking with one more secure sign-in does make sense, especially for use on sites that don't have the resources or inclination to invest heavily in security development. But just like you want your passwords to be unique so compromising one doesn't expose them all, account diversity is also vital online no matter how ironclad a particular sign-in scheme is. "You don't want a situation where there's one breach and your entire online identity is gone," White says.
It remains to be seen whether that's the case for 50 million—or 90 million—Facebook users. "We're just starting to work through the full scope of what we've seen here," said Rosen. For those affected, it's an excruciating wait.