Story image

40 million more likely affected by massive Facebook data leak - Bitdefender

01 Oct 2018

Article by Bitdefender senior security analyst Bogdan Botezatu

Almost 90 million users have found themselves logged out of Facebook hours ago as a precaution to what appears to be the worst privacy blunder of the social network to date.

The story,by frame

Facebook has announced that almost 50 million accounts have been compromised through a daisy-chained vulnerability in the View As feature, which allowed an unknown party to snatch authentication tokens of 50 million users.

These authentication tokens allow users to stay logged into the account whenever they refresh the browser page, reboot the computer or put it to sleep.

As long as users have the token, they are granted access to their account without having to actually go through the login process.

The token holder is also exempt from going through the login process, including whoever snatched it through this vulnerability.

There is little additional information about this bug, except for the fact that it has been partially mitigated by the social network disabling the View As feature, but it’s worth mentioning that there is no mention of a Bug Bounty reward or an account of a white-hat hacker reporting this vulnerability.

At this point, it’s likely that this was not a controlled report and that a third party has walked away with at least 50 million access tokens to as many accounts.

Here comes the painful part

According to Statista, Facebook Messenger is world’s second largest instant messaging platform with almost 1.3 billion active users.

It’s also world’s largest instant messaging platform that does not have end-to-end encryption turned on by default.

This means that chat history is always available from whatever machine users are logging into.

If you got logged out of Facebook for no apparent reason:

Most likely your account was among the ones that have been hacked. Which brings us to point number 2.

Your private posts, conversations and every piece of information, like check-ins, pictures sent via chat and so on, have likely fallen into the wrong hands. If, at any point, they become public following a data dump. Life will never be the same as before, thanks to a small bug in a platform.

Other accounts using Facebook authentication might have been accessed.

As of now, it is hard to tell what hackers were able to get their hands on.

However, given the complexity of the bug and the generous timeframe (the bug was caught last Tuesday by the social network, but it could have been exploited for a long time prior to this), it is fair to assume the worst.

The reason you had to log in again today was Facebook’s way of denying hackers access to the accounts: they invalidated the access token of both the 50million confirmed compromised accounts as well as the 40milliion accounts suspected of being compromised.

And, as we’re talking about extremely sensitive content such as private chat conversations, group chats and business-to-consumer interactions, changing your password won’t be enough to make everything okay again.

So, if you’ve had sensitive content shared on the Facebook Messenger, it’s time to come to terms with it.

If you’re a company that uses Facebook Messenger for support purposes and you’ve been logged out of your account, you’d better start evaluating what information has been exchanged across the medium and start notifying customers.

This is by all account a data breach that falls under the GDPR and should be treated as such.

What you should do now

Today's disclosure goes along the lines of the old adage saying "never put your eggs in one basket".

Social networks have become the centrepiece of our digital life that blurs into the physical life itself.

It is also an account that social networks can do so much more than influence your shopping behaviour or steal an election: it can have serious consequences on your lifestyle based on private social interactions.

What you should do though is consider your future options:

  • Understand that social networks are not bulletproof places where your secrets are safe. Plan for the worst and act accordingly.
  • Never put something in writing that you would not like to leak several years from now when the platform gets breached.
  • Embrace end-to-end encryption like your life and your freedom depend on it. Sometimes it does.
  • Use privacy-focused IM clients such as Signal for sensitive chats or any other business that should stay segregated from your physical persona.
Veeam releases v3 of its MS Office backup solution
One of Veeam’s most popular solutions, Backup for Office 365, has been upgraded again with greater speed, security and analytics.
Too many 'critical' vulnerabilities to patch? Tenable opts for a different approach
Tenable is hedging all of its security bets on the power of predictive, as the company announced general available of its Predictive Prioritisation solution within Tenable.io.
Industrial control component vulnerabilities up 30%
Positive Technologies says exploitation of these vulnerabilities could disturb operations by disrupting command transfer between components.
McAfee announces Google Cloud Platform support
McAfee MVISION Cloud now integrates with GCP Cloud SCC to help security professionals gain visibility and control over their cloud resources.
Scammers targeting more countries in sextortion scam - ESET
The attacker in the email claims they have hacked the intended victim's device, and have recorded the person while watching pornographic content.
Cryptojacking and failure to patch still major threats - Ixia
Compromised enterprise networks from unpatched vulnerabilities and bad security hygiene continued to be fertile ground for hackers in 2018.
Princeton study wants to know if you have a smart home - or a spy home
The IoT research team at Princeton University wants to know how your IoT devices send and receive data not only to each other, but also to any other third parties that may be involved.
Organisations not testing incident response plans – IBM Security
Failure to test can leave organisations less prepared to effectively manage the complex processes and coordination that must take place in the wake of an attack.