In short: The data breach Facebook disclosed two weeks ago isn’t as bad as the company first thought, with the number of affected users now dropping from 50 million to 29 million following a more thorough investigation, Product Management VP Guy Rosen said Friday. The bug in the “View As” functionality of the world’s largest social media platform was originally used by malevolent actors for accessing profiles of some 400,000 people. From there, the hackers leveraged the lists of Facebook friends of originally compromised users to steal their access tokens. While some 50 million tokens were vulnerable to being stolen by abusing the bug, only about 29 million of them were actually taken and used for compromising Facebook users before the Menlo Park, California-based firm discovered the vulnerability and disabled the faulty feature.
The attackers were not able to access Messenger inboxes with the technique gut gained access to names and contact details such as email addresses and phone numbers of 15 million people. Another 14 million Facebook users had that same info leaked but were also compromised in regards to other static data sets, some of which were even more sensitive in nature and included information about their gender, relationship status, religious views, spoken languages, hometown, current city of residents, birthdays, and even devices used for accessing Facebook. The same group stole digital tokens of about a million more users but did not access any data with them, Mr. Rosen said.
All Facebook users compromised during the ordeal will be notified of the happening in the coming days, Facebook promised. Besides warning them of their data being leaked, Facebook will inform affected users about the exact information sets the malevolent third parties accessed, in addition to providing them with suggestions on how they can do a better job at protecting their online privacy. Mr. Rosen explicitly stressed the attack did not affect any other Facebook products such as Instagram, WhatsApp, Messenger, Messenger Kids, Workplace, and Oculus. Even within the scope of the social media platform itself, only personal user profiles were compromised, whereas Pages, third-party apps, developer and advertising accounts, and payment services were unaffected.
The Internet juggernaut is currently cooperating with the FBI that’s investigating the matter and has asked the company not to publicly speculate about the identity of the attackers until the probe is concluded. Facebook is also already working with the FTC and the Irish Data Protection Commission, both of which are investigating the matter independently.
Background: Facebook has already been targeted by consumer protection organizations and privacy watchdogs over the ordeal, having been repeatedly criticized for not doing enough to protect the privacy of its users. Between the Cambridge Analytica scandal and a number of smaller incidents that followed once Facebook started investigating all third-party apps using its APIs this past spring, as well as the newly disclosed vulnerability, the company is currently facing heavy scrutiny over its data management practices.
Google ended up taking some heat off of Facebook after disclosing a potential data breach of its own earlier this week, though the scope of that incident was much smaller and only included some 500,000 users of Google+. Regardless, one of the two most prominent names in the stateside technology industry have now once again shifted the public focus toward the issue of digital privacy with their latest set of gaffes. The exact nature of the bug leveraged for the purposes of hacking millions of Facebook users isn’t anything out of the ordinary as essentially every software product ships with some problems, albeit Facebook is now being criticized for not doing enough to test the reliability of its “View As” feature before rolling it out globally given how every one of its security missteps is potentially much more devastating than similar issues would be for smaller companies given the sheer size of its user base which is over 2.23 billion strong as of the second quarter of the year, according to the company’s consolidated financial report.
Impact: Given how Facebook’s services have a track record of being prone to abuse from actors interested in sowing discord among its users, particularly those from the United States, almost no data is so insignificant that it couldn’t be used for organizing new misinformation campaigns aimed at polarizing a certain demographic, whether for political gains, profit, or other reasons. As the bug that allowed the still-unidentified hackers to access profiles of millions of people provided them with the means to surreptitiously harvest some rather sensitive data, they were most likely compromised to the point that they could be targeted by fake-news campaigns or similar manipulation attempts by the attackers or anyone else who ends up buying or otherwise obtaining the data they’ve stolen.
While only a smaller portion of the affected users were EU nationals, the fact that European authorities already got involved into the matter is another cause for concern on Facebook’s part as the recently enacted General Data Protection Regulation provides regulators on the Old Continent with a clear-cut road to litigation should they determine Facebook failed to provide its users with a basic level of protection. The legal situation is much more complicated in the United States but the ordeal will at the very least push stateside legislators closer to enacting their own version of the GDPR, which is something that’s been the subject of numerous legislative discussions ever since the Cambridge Analytica scandal first broke in late March.
None of that spells good news for the company that has just launched a pair of Portal-branded smart speakers equipped with a camera that it wants consumers to put in their homes. The gadgets were already delayed due to the Cambridge Analytica debacle but the social media giant now pushed ahead with their debut, having officially announced them on Monday. That particular episode underlines the firm’s issues on the digital privacy front as Facebook apparently didn’t manage to find a scandal-free month to launch its smart speakers since the turn of the year and has now just conceded to do so amid yet another privacy debacle that compromised its users.