Facebook faces a potential $1.63 billion fine from European regulators after the social network admitted personal data from at least 50 million accounts was compromised by hackers last week.
The origin and motive of the attack are among the top concerns for the Irish Data Protection Commissioner, who is investigating the breach and could potentially levy the huge fine under Europe’s strict new data protection laws.
“[We are] concerned at the fact that this breach was discovered on Tuesday and affects many millions of user accounts but Facebook is unable to clarify the nature of the breach and the risk for users at this point,” the commissioner’s office told the Wall Street Journal over the weekend.
Facebook said Sunday it would comply with requests from the commissioner’s office for additional information about the breach.
Europe’s new General Data Protection Regulation, introduced in June, levies heavy fines on companies that fail to take sufficient steps to protect user data, giving regulators the ability to fine companies up to 4 percent of their global annual revenue — which for Facebook could amount to $1.63 billion.
Facebook announced the breach Friday, three days after it had detected the problem. The Data Protection Commissioner said Facebook had informed it about the issue in time to avoid triggering an additional fine.
Facebook revealed Friday in a call with reporters that the hackers combined three distinct vulnerabilities in Facebook’s system in order to steal access tokens that gave them full access to victims’ accounts.
The flaws related to a Facebook privacy tool called “View As,” which allows users to check if changes they have made to security settings worked the way they planned.
“Parts of our site use a mechanism called single sign-on that creates a new access token,” Guy Rosen, Facebook’s vice president of product management, said during the call. “The way this works is: let’s say I’m logged into the Facebook mobile app and it wants to open another part of Facebook inside a browser, what it will do is use that single sign-on functionality to generate an access token for that browser, so that means you don’t have to log in again on that window.”
While the hackers didn’t get access to usernames and passwords, they did gain full access to users’ accounts, meaning they could view private messages, update an account’s status, send bogus messages, or potentially even sell access to the account to other bad actors.
Facebook said Friday that so far it has found no evidence that hackers tried to access private messages or post fraudulent messages from the accounts, but it continues to investigate.
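As an added illustration, not Facebook’s code and not a description of the three flaws (which the article does not detail), here is a defensive sketch of the single sign-on hand-off Rosen describes: the browser token is bound to the session’s authenticated user, to one audience and to a short lifetime, and an issuance log is checked for one source collecting tokens for many different subjects. The session fields (including the assumed `view_as` preview identity), the signing key and the log records are constructed for the example.

```python
import base64, hashlib, hmac, json
from collections import defaultdict

# Constructed demo key; a real deployment pulls this from a secrets manager.
SIGNING_KEY = b"constructed-demo-signing-key"

def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def mint_handoff_token(session: dict, audience: str, now: int, ttl: int = 300) -> str:
    """Mint the browser token the single sign-on step hands over. The subject is
    always the session's authenticated user; any identity a View As-style preview
    is rendering (session['view_as'], an assumed field) is deliberately ignored.
    The token is scoped to one audience and expires after ttl seconds."""
    claims = {"sub": session["auth_user"], "aud": audience, "iat": now, "exp": now + ttl}
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    sig = hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).digest()
    return f"{body}.{_b64(sig)}"

def verify_handoff_token(token: str, audience: str, now: int):
    """Return the claims if signature, audience and expiry all check out, else None."""
    try:
        body, sig = token.split(".")
        expected = hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(_b64(expected), sig):
            return None
        claims = json.loads(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)))
    except (ValueError, TypeError):
        return None
    if not isinstance(claims, dict) or claims.get("aud") != audience or claims.get("exp", 0) <= now:
        return None
    return claims

def flag_token_harvesting(log: list, window_s: int = 60, max_subjects: int = 3) -> set:
    """Detection over constructed issuance records {'ts', 'src', 'sub'}: one source
    obtaining tokens for many distinct subjects inside a short window looks like
    bulk token harvesting, not like a user opening a browser view of the site."""
    by_src = defaultdict(list)
    for rec in sorted(log, key=lambda r: r["ts"]):
        by_src[rec["src"]].append(rec)
    flagged = set()
    for src, recs in by_src.items():
        for i, first in enumerate(recs):
            subjects = {r["sub"] for r in recs[i:] if r["ts"] - first["ts"] <= window_s}
            if len(subjects) > max_subjects:
                flagged.add(src)
                break
    return flagged
```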
Who is affected?
Facebook said that it had forced 90 million users to log out and log back in again on Friday morning. Along with the 50 million accounts it knows were breached, there are 40 million other accounts that may have been compromised, the company said.
Facebook has not revealed where the accounts are located geographically, but the Irish DPC is seeking more information about how many EU citizens are impacted, something which is likely to affect the size of the fine Facebook will face.
Among the most embarrassing victims of the attack were Facebook’s founder Mark Zuckerberg and its COO Sheryl Sandberg.
As well as their Facebook accounts being impacted, victims who used Facebook to log into services such as Instagram, Spotify and Tinder may also have had those accounts compromised.
Who did it?
So far there is little indication of where the hacks originated or who was behind them.
Some experts have ruled out the involvement of a nation-state, claiming a government would likely have been less conspicuous and conducted more targeted attacks.
Facebook runs its own bug bounty program, where hackers can report vulnerabilities to the company in return for money. A former Facebook security engineer told Motherboard that the flaw used in this attack could fetch a lot of money.
“As someone who was affected, I'm mostly interested in who was doing it and why, [because] that’s a $30,000 bug bounty report, so they must've had some better way to monetize it which is a little scary,” said Zac Morris, who worked on Facebook’s security team from 2012 to 2016.
Cover image: The Facebook application is seen on an iPhone in this photo illustration on June 18, 2018. (Jaap Arriens/NurPhoto via Getty Images)