Facebook could be hit with a significant fine after revealing a major data breach that left millions of user accounts compromised.
The company revealed the news of the largest data breach in its history late last week, saying that some 50 million users were affected.
According to media reports, the attackers used a vulnerability in the site’s ‘View As’ feature to gain access to user accounts and potentially take them over.
Facebook logged all its users out of the site late on Friday, asking them to log back in manually, although it stopped short of asking for a password change.
“We’re taking it really seriously,” Mr. Zuckerberg, the chief executive, said in a conference call with reporters, the New York Times reported.
“I’m glad we found this, but it definitely is an issue that this happened in the first place.”
Greg Foss, senior manager of Threat Research at LogRhythm, said that the ‘View As’ feature, while well-intentioned, is quite challenging to implement, as it is essentially a ‘light version of account impersonation’.
“When implemented properly, you’re given a specific view of an account based on what is programmatically known about the account you’re viewing from. Based on information available, a video uploading feature implemented in July of last year exposed this feature to a flaw that allowed attackers to impersonate other user accounts and effectively obtain full access to their Facebook profiles. It appears that attackers are able to access the accounts of ‘friends’ or those already connected to the compromised account. If that’s true, it may be possible to trace the attacks back to a single point of origin, given the nature of how the attack spreads to other accounts. That said, the origin account will most likely not be that of a real Facebook user, so determining an individual or group behind this will take some digging.”
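The ‘light version of account impersonation’ Foss describes can be illustrated with a small model. This is an added example, not Facebook’s code and not part of the original article; the names (Session, Profile, view_as) and the sample profile are constructed assumptions. The point it shows is the defensive property a safe ‘View As’ needs: the preview is rendered with the target viewer’s permissions, but the session’s authenticated principal never changes, so no credential for the viewed-as account is ever created and any action taken during the preview is still attributed to the real user.

```python
"""Minimal 'View As' model (constructed example, not Facebook's code).

A preview computes what another account would see, while the session keeps
the identity that actually authenticated. The flaw described in the article
was, in effect, the preview handing out a credential for the viewed-as user;
this model has no code path that can do that.
"""
from dataclasses import dataclass
from enum import Enum


class Visibility(Enum):
    PUBLIC = "public"      # anyone can see it
    FRIENDS = "friends"    # only confirmed friends of the owner
    ONLY_ME = "only_me"    # only the owner


@dataclass(frozen=True)
class Field:
    name: str
    value: str
    visibility: Visibility


@dataclass(frozen=True)
class Profile:
    owner: str
    friends: frozenset   # account names the owner is connected to
    fields: tuple        # Field instances


@dataclass(frozen=True)
class Session:
    principal: str   # account whose credentials authenticated this session
    acting_as: str   # account the UI is rendered for; purely presentational


def relationship(profile: Profile, viewer: str) -> str:
    """Classify the viewer relative to the profile owner."""
    if viewer == profile.owner:
        return "self"
    if viewer in profile.friends:
        return "friend"
    return "public"


# Which visibility levels each relationship is allowed to see.
ALLOWED = {
    "self": {Visibility.PUBLIC, Visibility.FRIENDS, Visibility.ONLY_ME},
    "friend": {Visibility.PUBLIC, Visibility.FRIENDS},
    "public": {Visibility.PUBLIC},
}


def visible_fields(profile: Profile, viewer: str) -> tuple:
    """Return only the fields the given viewer is entitled to see."""
    allowed = ALLOWED[relationship(profile, viewer)]
    return tuple(f for f in profile.fields if f.visibility in allowed)


def view_as(session: Session, profile: Profile, target_viewer: str):
    """Preview the owner's profile as target_viewer would see it.

    Only the owner may preview their own profile, and the returned session
    keeps the owner as principal: nothing here mints a token for
    target_viewer, which is the property a safe 'View As' must preserve.
    """
    if session.principal != profile.owner:
        raise PermissionError("only the profile owner may preview it")
    preview = Session(principal=session.principal, acting_as=target_viewer)
    return preview, visible_fields(profile, target_viewer)


def acting_principal(session: Session) -> str:
    """Identity used for authorization of any state-changing action.

    Always the authenticated principal, never the acting_as value, so a user
    inside a preview cannot act as the account they are previewing.
    """
    return session.principal


# Constructed sample data for the example.
SAMPLE_PROFILE = Profile(
    owner="alice",
    friends=frozenset({"bob"}),
    fields=(
        Field("name", "Alice Example", Visibility.PUBLIC),
        Field("email", "alice@example.invalid", Visibility.FRIENDS),
        Field("phone", "000-0000", Visibility.ONLY_ME),
    ),
)

if __name__ == "__main__":
    owner_session = Session(principal="alice", acting_as="alice")
    preview, fields = view_as(owner_session, SAMPLE_PROFILE, "bob")
    print("as bob:", [f.name for f in fields], "principal:", preview.principal)
    preview, fields = view_as(owner_session, SAMPLE_PROFILE, "carol")
    print("as carol:", [f.name for f in fields], "principal:", preview.principal)
```

The two invariants worth checking in any review of a feature like this are visible in the code: `view_as` refuses callers who are not the profile owner, and `acting_principal` is the only identity consulted for actions, so the preview can never escalate into control of the previewed account.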
And now that GDPR is in force, Facebook is also looking at a potentially hefty fine in the Old Continent.
The Wall Street Journal says Zuckerberg’s company could be fined as much as $1.63bn for the breach. Ireland’s Data Protection Commission is demanding more information, saying in an emailed statement that it is “concerned at the fact that this breach was discovered on Tuesday and affects many millions of user accounts but Facebook is unable to clarify the nature of the breach and the risk for users at this point.”
Facebook’s spokesperson in Ireland said the company will cooperate and answer any questions the regulator might have.
Oasis Labs’ CEO Dawn Song said this breach confirms it is ‘nearly impossible’ for major tech companies to protect data with the technology they have at their disposal today. “It's time to start looking at new solutions like blockchain to defend user privacy,” Song said.
Paul Bischoff, privacy advocate for Comparitech.com, said "It's surprising to me that as popular as Facebook is, no white hat hacker ever discovered and reported this flaw in the past, neither an external pen tester nor Facebook's internal IT security team. I would be interested to know how long this flaw existed before it was discovered and exploited."
Image Credit: Alexey Boldin / Shutterstock