Facebook Security Breach: Here's Everything We Know So Far

Advertisement
By Agence France-Presse | Updated: 4 October 2018 11:04 IST
Highlights
  • The security breach was revealed on September 28 by Facebook
  • It affected tens of millions of accounts at the social network
  • Irish data authority has said it was opening up a formal investigation

The security breach revealed on September 28 by Facebook affected tens of millions of accounts at the social network, which boasts more than 2.2 billion monthly users.

On Wednesday, the Irish data authority said it was opening up a formal investigation into whether the world's biggest social network complied with tough new EU privacy regulations.

Advertisement

What happened?
Hackers took advantage of a "complex interaction" between three software bugs, which required a degree of sophistication.

The vulnerability was created by a change to a video uploading feature in July of 2017.

Advertisement

It involved a flaw in a "See As" feature that showed Facebook what their profiles look like to other people at the social network.

Using the feature generated digital keys, called "access tokens," which let users stay connected to their accounts without having to enter passwords anew.

Advertisement

Hackers were able to steal copies of the digital keys, giving them the same access and control of accounts as their legitimate owners.

On September 16, Facebook noticed a spike in activity that prompted it to investigate.

Advertisement

On September 25, Facebook engineers determined hackers had launched a sophisticated attack exploiting the vulnerability. A fix was in place two days later and stolen tokens rendered useless.

Facebook did not disclose when hackers first took advantage of the flaw, saying the investigation was early.

What data was leaked?
Information hackers appeared interested in included names, genders, and home towns, but it was not clear for what purposes, the executives said in a telephone briefing.

Facebook said it was still trying to figure out what, if anything, hackers did in violated accounts. It did not seem at the outset that messages or posts were tampered with, and there was no access to banking or password information, according to the social network.

Given that digital keys opened Facebook doors wide to hackers, they would have had the ability to reach into third party applications linked to social network accounts.

They would have been able to get into linked accounts including Messenger or Instagram, both owned by Facebook, but not into the social network's WhatsApp service.

An analysis of logs of third-party applications turned up no sign they were meddled with by the hackers, Facebook said on October 2.

Who should worry?
Facebook said that "up to 50 million accounts" were directly affected, meaning hackers swiped digital keys.

According to the Data Protection Commission in Ireland, five million or fewer European users were among those affected.

An additional 40 million accounts that used the "View As" feature had tokens reset although it didn't appear they were targeted by hackers.

Measures taken by Facebook?
Facebook said it sealed the breach late on September 27 in California, where it has its headquarters, and alerted US law enforcement authorities as well as regulators in Ireland.

Facebook invalidated "access tokens" at issue in the breach, requiring people to log in anew with passwords. The social network informed those involved by posting messages atop news feeds.

What is the risk to Facebook?
The risks for Facebook depend on how it complied with various laws and regulations, including the new General Data Protection Regulation in Europe.

Questions likely to be asked will include whether Facebook was fast enough notifying users of the breach and how well it protected accounts.

Protection of people's data falls under the purview of the Federal Trade Commission in the United States, but states could also be interested in making sure local privacy or data protection laws were not violated.

In Europe, the Facebook breach and how it was handled would be examined through the lens of the GDPR, which strengthened protection for personal data.

Companies can now be fined a percentage of annual revenue if they break GDPR rules. Facebook appeared to have complied with a 72-hour deadline regarding publicly disclosing a hack, which could spare it a fine of more than a billion dollars.

 

Get your daily dose of tech news, reviews, and insights, in under 80 characters on Gadgets 360 Turbo. Connect with fellow tech lovers on our Forum. Follow us on X, Facebook, WhatsApp, Threads and Google News for instant updates. Catch all the action on our YouTube channel.

Further reading: Facebook, Facebook Data Breach
Advertisement

Related Stories

Popular Mobile Brands
  1. OnePlus Phones Will Soon Run on ColorOS 17 Instead of OxygenOS
  2. Apple Back to School Sale: Grab These Deals on MacBook, iPad Models
  3. OnePlus Exits US, Europe, Continues Operations in India: 5 Things to Know
  1. EU Regulator Exempts Smartwatches, Other Wearables From User-Replaceable Battery Mandate
  2. The Duskbloods' Closed Network Playtest Will Take Place in August, FromSoftware Confirms
  3. Skullcandy Crusher 1080 ANC Announced With With Bose Audio, Up to 60-Hour Battery: Price, Features
  4. Infinix Xpad 30 Pro Listed on Retail Website With 11-Inch 2.5K Display and 8,200mAh Battery
  5. iPad Mini With OLED Screen to Reportedly Launch in October as Apple Prepares Base iPad, iPad Air Refreshes
  6. Google Rebrands NotebookLM as Gemini Notebook; Brings Cloud Computing and Search Integration
  7. Samsung Music Studio 5, Music Studio 7 Wi-Fi Speakers Launched in India
  8. Ostium Suspends Trading Following Oracle Security Incident Drains Millions
  9. Oppo’s New A Series, Upcoming OnePlus Mid-Range Smartphones Tipped to Launch With 10,000mAh Batteries
  10. WhatsApp Reportedly Rolls Out Mic Mode Controls for iPhone Calls
Download Our Apps
Available in Hindi
© Copyright Red Pixels Ventures Limited 2026. All rights reserved.