Facebook hack: Three million EU users affected by breach

The Facebook logo photographed with rope laid over it as if to resemble imprisonment

The Irish Data Protection Commission (DPC) has confirmed three million EU users were hit by the attack in which hackers made away with millions of Facebook users' access tokens.

The DPC, which is leading the investigation against Facebook for breaches of the EU's General Data Protection Regulation (GDPR), confirmed with IT Pro that 10% of all users affected were based in Europe.

Facebook revealed last week that approximately 30 million users' access tokens were stolen in the hack, which gave attackers access to varying degrees of personal information stored on their online profiles.

For 15 million, they were just able to access name and listed contact details, either phone number or email address. But for 14 million the same data was stolen, as well as potentially sensitive information including location data, search history.

Facebook confirmed this figure with the DPC, but no further information was available at the time, a spokesperson from the regulator said. They added Facebook promised it would provide a more detailed country-by-country breakdown as and when this was determined.

The attack, which was detected in late September, was made possible via a combination of three separate flaws that remained unpatched for more than a year.

An exploit in Facebook's "view as" feature, video uploader, and the way access tokens were generated meant anyone was able to download these directly from a user's profile.

From a base of user accounts already under their control, the hackers were able to run an automated technique to move from profile to profile and harvest access tokens.

They first seized details of their friends and family, totalling around 400,000 people, before using lists of their friends to steal access tokens for 30 million.

Shortly after making the attack public, Facebook logged 90 million users out of their accounts as a precautionary measure. It confirmed five days ago, in its most recent update, that just 30 million of a suspected 50 million had their personal information accessed.

IT Pro approached Facebook to verify the number of EU users affected by the hack, as well as confirm why it hasn't made this information public.

15/10/18: How attackers stole the personal data of almost 30 million users

Attackers made away with access tokens for 30 million Facebook users in a massive attack that took place towards the end of last month, accessing the personal details of 29 million of them.

For 15 million users, the perpetrators accessed both their name and contact information, including phone number, email, or both depending on what was listed on their profile, the social media firm confirmed on Friday.

But for 14 million, the same two sets of data were accessed, as well as a slew of potentially sensitive information. This included username, gender, language and location, relationship status, current city, work, education, religion, device type, pages followed, last ten places checked into or tagged in, as well as their 15 most recent searches.

"We have been working around the clock to investigate the security issue we discovered and fixed two weeks ago so we can help people understand what information the attackers may have accessed," said Facebook's vice president for product management Guy Rosen.

"We now know that fewer people were impacted than we originally thought. Of the 50 million people whose access tokens we believed were affected, about 30 million actually had their tokens stolen.

"As we look for other ways the people behind this attack used Facebook, as well as the possibility of smaller-scale attacks, we'll continue to cooperate with the FBI, the US Federal Trade Commission, Irish Data Protection Commission, and other authorities."

Rosen confirmed once again the attack did not include Facebook's spinoff services Messenger, Messenger Kids, Instagram, WhatsApp, Oculus, Workplace, or Pages, or apps built by third-party developers.

The attack itself was the result of three distinct bugs that combined to devastating effect, allowing malicious actors to extract access tokens through a misconfigured video uploader.

Although the vulnerability was left unpatched for more than a year, since July 2017, a spike in activity on 14 September this year first alerted employees, who later ascertained on 25 September that this was an attack.

"Within two days, we closed the vulnerability, stopped the attack, and secured people's accounts by resetting the access tokens for people who were potentially exposed," Rosen continued.

"As a precaution, we also turned off "View As." We're cooperating with the FBI, which is actively investigating and asked us not to discuss who may be behind this attack."

With a set of accounts already under control, the attackers used an automated technique to move from account to account and harvest the access tokens of their friends and family, totalling about 400,000 people.

From here, the attackers used a portion of the users' list of friends to steal the access tokens of 30 million. For approximately one million users the attackers did not access any information.

03/10/2018: Facebook claims 'no evidence' hackers breached third-party apps using stolen access tokens

Facebook has created a tool for developers to manually judge whether users of third-party apps that use Facebook logins, such as Spotify or Tinder, have been affected by the data breach.

The tool has been developed in spite of the company finding "no evidence" that attackers, who had the tools to leverage access to at least 50 million user accounts, accessed third-party apps using stolen access tokens.

"Out of an abundance of caution" Facebook is aiming its tool at developers who may not use Facebook's SDKs, or regularly check whether access tokens are valid. Developers can check for themselves whether their users might be affected, and log them out if necessary.

"We've had questions about what exactly this attack means for the apps using Facebook Login," said Facebook's vice president for product management Guy Rosen.

"We have now analyzed our logs for all third-party apps installed or logged in during the attack we discovered last week. That investigation has so far found no evidence that the attackers accessed any apps using Facebook Login."

Facebook has recommended that developers use the official Facebook SDK for Android, iOS and JavaScript in order to automatically check for the validity of access tokens on a daily basis, and force a fresh login for users when tokens are reset.

The company still hasn't reckoned with the full extent of the massive hack it detected last week, in which unknown malicious actors exploited three distinct bugs on Facebook's platform that combined to devastating effect.

The lack of clarity, especially as to how many EU and UK users might be affected, is a point reflected in a statement issued by the Irish Data Protection Commission (DPC), who is investigating the breach.

Under the General Data Protection Regulation (GDPR) One Stop Shop principle, cross-border incidents which substantially affect users from several EU nations would generally be investigated by a lead supervisory authority; in this case Ireland's DPC.

But concerningly, Facebook's breach notification to the DPC "lacks detail" and may have been submitted late given the three-day gap between the company discovering the hack, and alerting authorities.

"The Data Protection Commission (DPC) has received a preliminary notification from Facebook Ireland," the regulator said in a statement on Friday.

"However, the notification lacks detail and the DPC is concerned at the fact that this breach was discovered on Tuesday and affects many millions of user accounts but Facebook is unable to clarify the nature of the breach and the risk for users at this point.

"The DPC continues to press Facebook to clarify these matters further as a matter of urgency."

IT Pro approached the Irish DPC to ask whether it has yet received information about the breach from Facebook to its satisfaction.

02/10/2018: People's Facebook accounts are appearing for sale on the dark web

Personal details of Facebook users have been found on the dark web, following the massive data breach that affected 50 million users.

The Independent claims to have seen where the information is available (including dark web marketplaces such as Dream Market), commenting that records are available for criminals to buy for just $3, up to $12.

However, to stay anonymous, buyers can only purchase the information using digital currencies - making it impossible for authorities to work out who's buying the information.

Although The Independent didn't reveal how much data it was able to find on the dark web, it said the cost of each record would put the value of the information at between $150m and $600m - a huge windfall for those selling the data.

"Personal information is simply too valuable on the dark web. As long as stolen data continues to fetch high prices and equip perpetrators with the means necessary to carry out attacks, hold victims ransom, extort information or destroy property, organisations must exhaust all measures to diligently detect and protect their networks, devices and users," CEO of cyber security firm SonicWall Bill Conner told The Independent.

"What an organisation or nation-state can or intends to do with massive amounts of information on a country's citizens should be taken very seriously."

The information could, of course, be used to steal identities of Facebook users, allowing them to set up fake accounts with the details, as well as rack up debts, cause reputational damage and more. From a less criminal point of view, the data could also be purchased by marketers that could create targeted marketing campaigns. Annoying for Facebook users, but a potentially less scary option than being used to steal your money.

Facebook may be charged a huge amount of money under the GDPR - up to $1.63 billion to be precise - if it surfaces that the company didn't adequately protect its data.

01/10/2018: Facebook may face a series of billion-euro fines after massive data breach compromises 50 million users

Facebook could be hit with a series of multi-billion dollar fines under the General Data Protection Regulation (GDPR) after a massive data breach announced last week saw attackers compromise the accounts of nearly 50 million users.

For more than a year hackers were able to exploit a vulnerability in Facebook's "view as" feature that lets its users see what their profiles would look like to others. They then stole access tokens, a form of digital key that keeps users logged in without needing to re-enter their password, which in turn allowed them to access and potentially hijack entire accounts.

"This is a really serious security issue. And we're taking it really seriously," said Facebook CEO Mark Zuckerberg in a conference call with journalists following the announcement.

"We have a major security effort at the company that hardens all of our surfaces, and investigates issues like this. In this case I'm glad that we found this and that we were able to fix the vulnerability and secure the accounts. But it definitely is an issue that this happened in the first place.

"This underscores the attacks that our community and our service face, and the need to keep on investing heavily in security, and being more proactive about protecting our community. And we're certainly committed to doing that."

A devastating combination of flaws

The vulnerability itself, which is the result of three distinct bugs, was introduced in July 2017 when Facebook implemented new video upload functionality. On 16 September the firm noticed an unusual spike in users, which sparked an investigation.

Facebook finally uncovered the attack last Tuesday, 25 September, before informing the relevant parties on the following day, and fixing the vulnerability on Thursday evening.

It is unclear yet how many UK or European users were affected by the breach, but Facebook has logged 90 million users out of their accounts as a precautionary measure. These include the 50 million users who were affected, and an additional 40 million who may have been subject to a "view as" lookup in the last year.

"It's always the company's responsibility to identify when UK citizens have been affected as part of a data breach and take steps to reduce any harm to consumers," said the ICO's deputy commissioner of operations James Dipple-Johnstone on Friday.

"We will be making enquiries with Facebook and our overseas counterparts to establish the scale of the breach and if any UK citizens have been affected."

IT Pro approached both Facebook and the Information Commissioner's Office (ICO) to ask whether either has yet ascertained how many UK and European users were affected.

Beyond notifying the FBI and "law enforcement", Zuckerberg added on the conference call that Facebook has also notified the Irish Data Protection Commission. But the investigation is still in its early stages, and the firm hasn't determined whether there was specific targeting.

"This news comes at one of the worst times for Facebook, since the company has already been under fire multiple times this year amid data security concerns," said senior threat research analyst at Webroot Tyler Moffit.

"The attack leveraged an exploit that holds Facebook and its code 100% accountable. The issue was insecure Facebook code that allowed access tokens to be retrieved when using the 'View As' security feature. These tokens allow attackers into the account as if they had entered the correct credentials, which is very scary."

The attack was made possible as a result of three distinct Facebook flaws that combined to devastating effect.

View As, normally a read-only page, accidentally allowed users to post a video through the specific page element for posting birthday messages to friends. This, in combination with the video uploader incorrectly generating access tokens, and generating them for the user being looked up in View As, let attackers see the access token in the page's HTML.

The hackers were able to extract and exploit the access tokens to log in as another user, and then pivot from that access token to other accounts - and perform the same actions to extract yet more access tokens.

There's no need to panic

In the wake of the attack, Kaspersky's daily editor Alex Perekalin advised Facebook users there was no reason to panic, change their passwords, or delete their accounts altogether.

"An access token is, as Facebook describes it, basically a key to your account. If a person has it, Facebook considers that person authorized to enter that account and doesn't request login, password, and 2FA codes," he said.

"So, having stolen 50,000,000 user access tokens, the malefactors could potentially access those 50,000,000 accounts. But that doesn't mean they got access to your passwords or somehow broke the two-factor authentication mechanism. Your password is secure and 2FA is still working as intended. But stealing a token is a way to bypass those defenses."

Perekalin's claiming advice echoed comments by web security firm High-Tech Bridge's CEO Ilia Kolochenko, who was impressed with Facebook's approach after the breach.

"Facebook's reaction to the incident is straightforward and professional, serving a good example of transparency, care and honesty," he said.

"One may, however, inquire why the unusual spike of traffic was detected only after 50 million accounts were already affected. Such a wealthy company as Facebook could potentially afford to have a faster reaction.

"From a legal point of view, this incident may become a notorious milestone of GDPR enforcement by the EU regulators. A multi-million fine is not that impossible under the integrity of circumstances."

A series of GDPR fines?

Under GDPR, if Facebook users from multiple European countries are found to be affected, data regulators from each of the countries may reserve the right to individually fine the company up to 20 million, or 4% of global annual turnover, whichever is higher.

This, in Facebook's case, is a staggering $1.63 billion based on the latest revenue figures, meaning the social networking firm could find be faced with a series of crippling fines, should regulators find the company to have been neglectful and not taken steps to protect users.

According to the One Stop Shop principle, incidents that are cross-border in nature and substantially affect users from several EU countries would generally be investigated by a lead supervisory authority. In Facebook's instance, this would be Ireland.

But a Court of Justice of the European Union (CJEU) ruling in June established a precedent for authorities independent of the lead supervisory authority to exercise their own powers.

Keumars Afifi-Sabet
Contributor

Keumars Afifi-Sabet is a writer and editor that specialises in public sector, cyber security, and cloud computing. He first joined ITPro as a staff writer in April 2018 and eventually became its Features Editor. Although a regular contributor to other tech sites in the past, these days you will find Keumars on LiveScience, where he runs its Technology section.