Friday, 5th October 2018 – On 28 September, Facebook reported a massive security breach that compromised the accounts of up to 50 million users. Company officials have so far been unable to determine the full scope of the attack, and pressing questions such as what data was taken, by whom, and for what purpose remain unanswered. It is also unclear whether specific accounts were targeted, though the company has confirmed that Facebook founder Mark Zuckerberg and its chief operating officer Sheryl Sandberg were among the 50 million affected.
Facebook’s engineering team discovered the breach on 25 September, as the result of an investigation launched on 16 September, when the security team noticed an unusual spike in activity on the platform. Although the company says the affected accounts have been secured, the extent of the risk faced by users remains unclear, as personal information including date of birth, phone number, family members, and possibly even credit card details may have been exposed.
What is perhaps most alarming is that Facebook has been unable to determine the extent of the attackers’ access to third-party accounts. Hundreds of third-party services that use Facebook’s login feature may also have been compromised, including apps such as Tinder, Instagram, Skype and Spotify, and booking and ride-hailing platforms such as Airbnb, Skyscanner, Careem, Uber and AliExpress. Anyone holding a stolen Facebook token could, in principle, have used it to sign in to those services as the victim, which leaves a lot of potential for misuse of user data by unknown beneficiaries of the hacked data.
Facebook says the attackers exploited a combination of software bugs on the platform to steal user access tokens: the digital keys that keep a user logged in on a given device so they do not have to sign in on every visit. Whoever holds a valid token can present it to Facebook and act as that user, which is what allowed the attackers to access or control accounts without ever knowing a password. Ironically, two of the bugs were in the site’s “View As” feature, which was built to give users more control over their privacy by letting them check what information other people can see about them. The third was introduced in July 2017 by a new video uploader meant to make posting birthday videos easy; when it appeared inside a “View As” preview, it generated an access token for the person being viewed as rather than for the viewer, and that token was exposed in the page, where the attackers could harvest it.
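The following toy model is an added example and not Facebook’s code; it collapses the bug chain described above to the one property that matters, a bearer token for the impersonated user reaching the client, and shows the hardened form and what “resetting access tokens” means server-side. Every name, the signing key, the profile data and the friendship list are hypothetical, constructed for the example.

```python
import base64
import binascii
import hashlib
import hmac
import json
import re

# Hypothetical server-side signing key; in production this lives in a KMS/HSM.
SIGNING_KEY = b"hypothetical-signing-key-not-real"

# Constructed sample data: each profile field carries its own audience setting.
PROFILES = {
    "alice": {"name": ("Alice", "public"),
              "birthday": ("1990-01-01", "friends"),
              "phone": ("+1-555-0100", "only_me")},
    "bob": {"name": ("Bob", "public")},
}
FRIENDS = {frozenset({"alice", "bob"})}

# Per-user token generation; bumping it revokes every token issued before.
TOKEN_GENERATION = {"alice": 1, "bob": 1}


def _sign(body: bytes) -> str:
    return hmac.new(SIGNING_KEY, body, hashlib.sha256).hexdigest()


def issue_token(user: str) -> str:
    """Mint a bearer token that lets its holder act as `user` until revoked."""
    body = json.dumps({"sub": user, "gen": TOKEN_GENERATION[user]},
                      sort_keys=True).encode()
    return base64.urlsafe_b64encode(body).decode() + "." + _sign(body)


def verify_token(token: str):
    """Return the token's claims, or None if malformed, forged or revoked."""
    try:
        b64, sig = token.split(".", 1)
        body = base64.urlsafe_b64decode(b64)
        claims = json.loads(body)
    except (ValueError, binascii.Error):
        return None
    if not isinstance(claims, dict):
        return None
    if not hmac.compare_digest(_sign(body).encode(), sig.encode()):
        return None
    if claims.get("gen") != TOKEN_GENERATION.get(claims.get("sub")):
        return None  # issued before this user's tokens were reset
    return claims


def revoke_all_tokens(user: str) -> None:
    """Server-side meaning of 'resetting access tokens': old ones stop verifying."""
    TOKEN_GENERATION[user] += 1


def visible_fields(owner: str, viewer: str) -> dict:
    """Apply audience settings: what `viewer` is allowed to see of `owner`."""
    is_friend = frozenset({owner, viewer}) in FRIENDS
    return {field: value
            for field, (value, audience) in PROFILES[owner].items()
            if audience == "public" or viewer == owner
            or (audience == "friends" and is_friend)}


def view_as_vulnerable(viewer_token: str, target: str) -> str:
    """Bug class: to render embedded widgets 'as' the target, the server mints
    a real token for `target` and embeds it in the HTML sent to the viewer."""
    claims = verify_token(viewer_token)
    if claims is None:
        raise PermissionError("invalid or revoked token")
    fields = visible_fields(claims["sub"], target)
    leaked = issue_token(target)  # token for the WRONG principal
    return (f'<div data-access-token="{leaked}">'
            + json.dumps(fields, sort_keys=True) + "</div>")


def view_as_hardened(viewer_token: str, target: str) -> str:
    """Same preview computed under the caller's own identity: no token for
    `target` is ever minted, so none can reach the client."""
    claims = verify_token(viewer_token)
    if claims is None:
        raise PermissionError("invalid or revoked token")
    return "<div>" + json.dumps(visible_fields(claims["sub"], target),
                                sort_keys=True) + "</div>"


def extract_token_from_html(html: str):
    """What an attacker's scraper does with the vulnerable page."""
    m = re.search(r'data-access-token="([^"]+)"', html)
    return m.group(1) if m else None


def demo() -> dict:
    alice = issue_token("alice")
    stolen = extract_token_from_html(view_as_vulnerable(alice, "bob"))
    acts_as = verify_token(stolen)["sub"]       # attacker now acts as bob
    revoke_all_tokens("bob")                    # the remediation step
    after_reset = verify_token(stolen)          # None once tokens are reset
    hardened_leak = extract_token_from_html(view_as_hardened(alice, "bob"))
    return {"acts_as": acts_as, "after_reset": after_reset,
            "hardened_leak": hardened_leak}


if __name__ == "__main__":
    print(demo())
```

Two design points carry over to real systems: a bearer token should only ever be minted for the principal who authenticated on the current request, and revocation needs a server-side handle (here a per-user generation counter) so a leaked token can be killed without changing the user’s password.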
This breach comes amidst a series of major Facebook scandals this year that highlight a fundamental gap in the company’s ability to safeguard the security and privacy of its users. In June, the company announced it had discovered a bug that had set the posts of up to 14 million people to public for several days, making them viewable by anyone. In April, Zuckerberg testified before the US Congress in response to revelations that Cambridge Analytica had siphoned the personal data of up to 87 million Facebook users and used it for political targeting on behalf of the Trump presidential campaign.
As personal data continues to gain importance in the global political economy, large platforms such as Facebook, with 2.2 billion monthly active users and a fast-growing user base, have an increasing responsibility to improve security and privacy. While the investigation continues, the nature and scope of the incident, as well as the extent of the risk it has created for users, remain to be determined. The situation nevertheless calls for a look at local data protection laws, and for individuals to re-evaluate their own behaviour online.
Facebook is facing unprecedented scrutiny in Europe, where under the General Data Protection Regulation (GDPR), in force since May, the social media network may face a fine of up to $1.63 billion over the roughly 5 million European users affected by the breach. That figure corresponds to the regulation’s maximum penalty of 4% of global annual turnover. The GDPR raises the standard for corporate accountability, which can serve to protect EU residents.
The GDPR requires companies to notify the relevant supervisory authority within 72 hours of becoming aware of a breach. Where the breach is likely to pose a high risk to individuals, the regulation also requires that they be notified directly without undue delay. The Irish Data Protection Commission, Facebook’s lead supervisory authority in the EU because the company’s European headquarters is in Dublin, has been pressing the company to provide more information about the nature and scale of the breach, including which EU residents have been affected.
Since this is the first time the law is being applied to an incident of this scale, it is yet to be seen how it will play out. One of the main questions to be determined is whether Facebook had implemented security measures appropriate to the risk, as the regulation requires, and so whether it invested enough in security to avert a breach. Another striking feature of the new law is its data minimisation principle: companies must collect and keep only the personal data that is necessary for a stated purpose, which limits what any breach can expose.
The GDPR serves as an example of the dire need for enacting data protection laws in Pakistan. This would enable the country to hold companies accountable and also give individuals a legal channel to claim damages for breaches of their privacy and security. Many digital rights activists also call for an Asian Data Protection Regulation, ratified and implemented by Asian countries and designed along the lines of the GDPR, to regulate the control and processing of personal information.
What you can do to secure your account:
With the increasing regularity of security breaches online, individuals need to take a more active role in protecting their own data and privacy. Below are some measures that may help to improve your security in light of Facebook’s latest breach.
Review Authorized Logins
Go to Security and Login in Settings, and check the list of devices and locations where you are currently logged in. Log out of the devices you no longer use, either one at a time or all at once.
If you see a device or location that you do not recognise, choose ‘Not You?’ for that entry and follow the prompts to secure the account.
You can also turn on alerts for unrecognised logins, so that if there is an unauthorised login you will be notified by email or on your mobile phone number.
We recommend activating two-factor authentication on all social media platforms, and not saving any device so that it skips the code prompt on later logins. Where the platform offers it, an authenticator app is a stronger second factor than a code sent by SMS, since SMS can be intercepted or redirected through SIM-swapping.
Review Accounts/ Apps Linked to Facebook
This information can be found in your settings under ‘Apps and Websites’, then ‘Logged in using Facebook’. It is a good idea to remove the apps and sites you no longer use, even if you think you have not been affected by the breach, since each one is a service a stolen token could have been used to sign in to. If you have been affected, also change the passwords for any of those accounts that have a password of their own, and sign out of their active sessions, to be safe.
Extra Security Precautions
Although Facebook says it is not necessary to change your password, because the attackers stole access tokens rather than passwords and those tokens have since been reset, it may be a good idea to change it anyway. Do not use easily guessed passwords such as the name of your pet or your spouse; choose a long password that is unique to each site, with a mix of letters, numerals and special characters, ideally generated and stored by a password manager.
Considering the scale and magnitude of data collection, Facebook is responsible and should be held accountable for the security and privacy of users.