Assailants exploited 3 bugs and Facebook’s once-vaunted social graph to rob 29 million users’ data

Facebook offered an revise on the investigation to the massive information exploit it documented to users on September twenty-eight. While the overall number of people affected is leaner than previously thought (30 mil rather than 50 million), that’ s i9000 about the only good news.

How it happened. The attackers were able to benefit from a combination of three separate software insects to get Facebook access tokens (used to allow users to stay logged in to the app) and take over users’ balances. They stole the tokens associated with some 30 million Facebook customers.

Timing. Facebook says it uncovered the attack on September twenty five and started notifying users upon September 28. For two weeks, Sept 14 to 27, the cyber criminals were able to use the access tokens in order to extract data. That means it required two days to address the problem and invalidate the access tokens.

Network effect downfall. As with the Cambridge Analytica scandal , Facebook’ s social graph opened access to Facebook friends and permitted the attackers to take advantage of the particular network effect. Starting with their own group of friends, “ (the attackers) utilized an automated technique to move through account to account so they can steal the access tokens of these friends, and for friends of those close friends, and so on, totaling about 400, 500 people, ” wrote Guy Rosen, Facebook VP of product administration, in a article . They then accessed lists associated with friends from a set of that preliminary 400, 000 to gain access to the particular tokens of the roughly 30 mil people.

  • For all those 400, 000 profiles, the assailants could access their timeline content, lists of friends, Groups these people belong to and names of latest Messenger conversations. Messages sent to Webpages were also exposed if their Web page Admins were part of that team.
  • 15 million individuals had their names and get in touch with details (phone number, email or even both) accessed.
  • fourteen million people had their titles, contact details and “ additional details people had on their information. ” That list of other information is extensive: username, gender, locale/language, relationship status, religion, hometown, self-reported current city, birthdate, device varieties used to access Facebook, education, function, the last 10 places they examined into or were tagged within, website, people or Pages they will follow, and the 15 most recent lookups.
  • Another 1 mil people had their tokens taken but their information wasn’ t seen, said Facebook.

Who did it? Facebook says it is working with the particular FBI and has been asked “ not to discuss who may be at the rear of this attack. ”

Why it matters. The consequences for people affected can last years, including compromised two-factor authentication, identity theft and on-going hacking concerns. Facebook is already dealing with regulatory investigations in the EU and the U. S. over the data handling practices. After 2 very, very bad years, this particular exploit will bring even more regulatory overview and further erode users’ trust in the business. Nothing so far seems to have truly shaken advertisers away. If this triggers a lot more user abandoment, advertisers could adhere to.


About The Author

Ginny Marvin is Third Doorway Media’s Editor-in-Chief, managing day-to-day content operations across all of our publications. Ginny writes about paid online marketing subjects including paid search, paid interpersonal, display and retargeting for Internet search engine Land, Marketing Land and MarTech Today. With more than 15 years of advertising experience, she has held both in-house and agency management positions. The girl can be found on Twitter as @ginnymarvin.

If you liked Assailants exploited 3 bugs and Facebook’s once-vaunted social graph to rob 29 million users’ data by Ginny Marvin Then you'll love Marketing Services Miami

Leave a Reply

Your email address will not be published. Required fields are marked *