Attackers exploited 3 bugs and Facebook's once-touted social graph to steal data from 29 million users

Facebook has provided an update on its investigation into the large-scale data breach it disclosed to users on September 28. That the number of affected accounts is 30 million rather than the 50 million first announced is pretty much the only good news.

How it happened. Attackers chained three separate software bugs to obtain Facebook access tokens (the credentials that keep users logged in to the app without re-entering a password) and take over user accounts. They stole the tokens of some 30 million Facebook users.

Timeline. Facebook said it discovered the attack on September 25 and began notifying users on September 28. For roughly two weeks, from September 14 to 27, the attackers were able to use the stolen access tokens to extract data. That means it took two days to fix the bugs and invalidate the access tokens. The invalidation step matters: a stolen token is a bearer credential that keeps working until it is revoked, so patching the bugs alone would not have cut the attackers off.

The network effect, in reverse. As in the Cambridge Analytica scandal, Facebook's social graph opened access to users' friends and let the attackers turn the network effect against the platform. Starting with their own friends, "[the attackers] used an automated technique to move from account to account so they could steal the access tokens of those friends, and for friends of those friends, and so on, totaling about 400,000 people," wrote Guy Rosen, Facebook's vice president of product management, in a blog post. They then used the friend lists of a subset of those 400,000 initial accounts to obtain the tokens of some 30 million people.
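To make the mechanism concrete, here is an added Python example (not code from Facebook or from this article) that models the account-to-account hop as a breadth-first walk over a constructed toy friend graph and, on the defensive side, flags a client that obtains tokens for an unusual number of distinct users in a short window. The graph, the token-issuance log, the client identifier and the thresholds are all assumptions made for the illustration; the example says nothing about the internals of the three bugs, which the article does not describe.

```python
from collections import defaultdict, deque

# Constructed toy friend graph (account id -> set of friend ids). It is a
# stand-in for the real social graph, not data from the incident.
FRIENDS = {
    "a": {"b", "c"},
    "b": {"a", "d"},
    "c": {"a", "d", "e"},
    "d": {"b", "c", "f"},
    "e": {"c"},
    "f": {"d", "g"},
    "g": {"f"},
    "h": {"i"},  # separate component, never reached from "a"
    "i": {"h"},
}


def harvest_tokens(graph, seeds, max_hops):
    """Breadth-first walk modelling the account-to-account hop.

    Assumption: holding a valid token for an account lets the attacker read
    its friend list and obtain a token for each friend (the effect of the bug
    chain the article describes, without its internals). Returns
    {account: hop depth} for every account whose token is collected within
    max_hops of a seed account.
    """
    depth = {s: 0 for s in seeds}
    queue = deque(seeds)
    while queue:
        cur = queue.popleft()
        if depth[cur] >= max_hops:
            continue
        for friend in graph.get(cur, ()):
            if friend not in depth:  # each account's token is taken once
                depth[friend] = depth[cur] + 1
                queue.append(friend)
    return depth


def flag_token_bursts(events, window_seconds, max_distinct_users):
    """Detector for the harvest pattern on the token-issuing side.

    events: (timestamp_seconds, client_id, user_id) tuples sorted by time,
    one per access token issued. A client that obtains tokens for more than
    max_distinct_users distinct users inside any sliding window is flagged.
    The client_id field and the thresholds are assumptions for this example.
    """
    recent = defaultdict(deque)  # client -> deque of (ts, user) in window
    flagged = set()
    for ts, client, user in events:
        q = recent[client]
        q.append((ts, user))
        while ts - q[0][0] > window_seconds:  # drop entries outside window
            q.popleft()
        if len({u for _, u in q}) > max_distinct_users:
            flagged.add(client)
    return flagged


# Constructed token-issuance log: a normal client minting three tokens over
# an hour, and a harvester minting one token per second for 60 different users.
EVENTS = sorted(
    [(0, "legit-app", "a"), (1800, "legit-app", "b"), (3500, "legit-app", "c")]
    + [(100 + i, "harvester", f"u{i}") for i in range(60)]
)

if __name__ == "__main__":
    reach = harvest_tokens(FRIENDS, ["a"], max_hops=10)
    print(f"tokens reachable from one seed: {len(reach)} accounts")
    print("max hop depth:", max(reach.values()))
    print("flagged clients:", flag_token_bursts(EVENTS, 60, 20))
```

The walk deduplicates accounts, which is why the attackers' count grows with the number of distinct friends reached rather than with the number of hops; the detector looks at the same traversal from the server's vantage point, where one client minting tokens for many unrelated users in seconds is the signal worth alerting on.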

For those 400,000 profiles, the attackers could access timeline posts, friend lists, group memberships and the names of the most recent Messenger conversations. Messages sent to Pages were also exposed if a Page admin was among this group. Of the roughly 30 million people affected:
15 million had their name and contact information (phone number, email or both) accessed.
14 million had their name, contact information and "other profile details" accessed. That list is extensive: username, gender, locale/language, relationship status, religion, hometown, self-reported current city, birthdate, the types of devices used to access Facebook, education, work, the last 10 places they checked into or were tagged in, website, the people or Pages they follow, and their 15 most recent searches.
Another 1 million people had their tokens stolen, but their information was not accessed, Facebook said.

Who did it? Facebook says it is working with the FBI and has been asked "not to discuss who might be behind this attack".

Why this matters. The consequences for those affected could last for years, including weakened two-factor authentication (exposed phone numbers are a ready target for SIM-swap and phishing attempts), identity theft and lingering worries about further compromise. Facebook is already facing regulatory investigations in the EU and the US over its data-handling practices. After two very bad years, this breach will bring even more regulatory scrutiny and further erode users' trust in the company. So far, nothing seems to have really shaken advertisers. If this triggers a larger wave of users leaving, advertisers could follow.

About the author

Ginny Marvin is the editor-in-chief of Third Door Media and manages the daily editorial operations of all of its publications. Ginny writes about paid online marketing topics including paid search, social media, display advertising and retargeting for Search Engine Land, Marketing Land and MarTech Today. With over 15 years of marketing experience, she has held senior management positions both in-house and at agencies. She can be found on Twitter as @ginnymarvin.