Dec 19, 2018

Everything You Need to Know About Facebook’s Latest Data Breach

written by Abby Avery

Facebook is under investigation for its third major security breach of 2018

2018 hasn’t been the best year for Facebook ever since the Cambridge Analytica scandal back in April, not to mention the breach in September that affected 30 million users through a bug in its ‘View As’ feature. If the company planned to end the year with a bang, it did so in all the wrong ways.


What happened in the latest Facebook data breach?

Over the past few months, Facebook has once again been all over the news and under investigation for their third major security breach of the year. For 12 days, between September 13th and September 25th 2018, bugs in their system allowed photos of approximately 6.8 million users to be leaked to app developers. This includes images uploaded to Facebook’s Marketplace and Stories, plus any images that were uploaded to Facebook but not posted. Tomer Bar, Facebook’s Engineering Director, has released an official statement regarding Facebook’s data breach. It explains that if a user started to upload an image onto their Facebook profile but did not publish it, perhaps because they had a meeting to attend or lost reception, then this may have been leaked too, as Facebook keeps a draft of any unpublished posts on their system for 3 days.


Who has been affected by Facebook’s latest data breach?

Facebook has confirmed that this latest breach may have affected up to 6.8 million users and up to 1,500 apps which have been created by 876 developers. All of the affected apps are ones that request permission to access your photos and are authorised by Facebook and the user. In addition to this, any third-party websites that users logged into using their Facebook account may also be affected. CEO Mark Zuckerberg has confirmed that the hackers were believed to be using these apps to obtain information such as name, gender and location, but so far, no profiles seem to have been compromised or accessed. The investigation is still underway, but at this point, it is also believed that no private messages have been seen, and no credit card information has been stolen.


How did this data breach happen and who did it?

At this point, Facebook does not know who attacked their site, but the FBI are investigating the case. In the past, it was discovered that Russians were responsible for using Facebook to spread fake news and influence the American elections, but there is no proof that they are also responsible for this attack. We do know that three bugs were used to expose the data in this latest breach through vulnerabilities in Facebook’s system. The attack was identified after Facebook noticed an unusual spike in login activity back in September. It is unclear why it took Facebook so long to report this attack, but it may have something to do with the fact that they were already battling an even larger data breach caused by an error in their ‘View As’ feature, which allowed hackers to acquire users’ access codes when they previewed how their profile appears to other people. This attack affected a massive 30 million users (originally thought to be 50 million) and was again down to the negligence of Facebook itself.


Has Facebook’s latest bug been fixed?

Despite the third-party applications having access to millions of users’ photos back in September, Bar has announced that Facebook will be rolling out tools early next week to help developers identify and delete the leaked photos. In the meantime, Facebook has assured the public that this bug was fixed on the 27th September and apologises that this ever happened in the first place.


How do I know if my Facebook photos have been leaked?

Facebook has announced that those affected by the bug will have been logged out of their accounts and notified via an alert which they will see when they log back into Facebook. This will direct the user to their Help Centre which will then identify any affected apps that have been used.

If you see this notification, however, it does not necessarily mean that your photos and data have been compromised, as Facebook have contacted an additional 40 million accounts as a precaution. If you are still concerned, it may well be worth logging into any apps where you have given permission to access your photos and checking the settings to see which photos they actually have access to. There are useful guides in Facebook’s Help Centre, including information on how to manage your apps, control your permissions and contact app developers. Users have been reassured that they do not need to change their passwords, but logging out and back in resets the access code which keeps you logged in without having to enter any credentials. You can also visit the Facebook Security and Login page to see where you are currently logged in and if there has been any unusual activity.



Does Facebook’s data breach affect WhatsApp and Instagram?

Facebook has advised that they do not believe their other subsidiaries, such as WhatsApp and Instagram, have been affected by this latest breach, although the investigation is still underway. If you are concerned, then it may be wise to unlink your accounts and log out before logging back in and relinking. Whilst this is somewhat good news, it does beg the question as to whether one company should be allowed to control so many services that all share the same data.


What will happen to Facebook after this third data breach?

Mark Zuckerberg was already struggling to convince lawmakers and regulators that Facebook is a firm capable of protecting user data when these most recent attacks happened. It is unclear what Facebook’s fate will be exactly as the investigation continues, but The Wall Street Journal has already predicted that a maximum fine of up to $1.63 billion (£1.25 billion and 4% of their annual turnover) could be imposed if they are found to be in breach of GDPR. Other than potential fines, it is likely that more regulations will be put in place to protect user data in the future, and increase Facebook’s transparency. What we do know is that Facebook needs to work hard to gain user trust again, as their market share begins to be impacted.