Cyber Security for the Overworked, the Uninterested and the Innocent Spectator
5 things we’ve learned from Friday's Facebook breach
Emma Osborn - 30 September 2018
The uncertainty of a breach investigation. Of their 2bn active users, Facebook think 50M may have been exposed, but have reset an additional 40M accounts as a “precautionary step”. In some cases, such as the TalkTalk breach, the number of people affected drops as the investigation progresses. However, let's not forget that Yahoo's investigations led them to inform all 3bn customers that their data had been compromised.
Using credentials from one service to log into another multiplies our vulnerability as users. The breach Facebook have reported let hackers steal the tokens they use to keep us logged in. It's bad enough to lose the data we put on Facebook, but this exposure is multiplied for anyone who succumbed to the ease of clicking the “log in using Facebook” button (and so left this service active on their account). It's a breach that could have an impact on the security of other services, just because we all find multiple passwords onerous to use.
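The two points above (a precautionary token reset, and exposure spreading to every site where “log in using Facebook” was used) can be seen in a small simulation. This is an added example and not part of Emma Osborn's post or any Facebook code: the IdentityProvider and RelyingParty classes, the user “alice” and the leaked token are all constructed for illustration. The provider issues login tokens and can revoke them all at once; one third-party site trusts its own session once the token checked out at login, the other re-checks the token with the provider on every request.

```python
import secrets


class IdentityProvider:
    """Constructed stand-in for a social-login provider.

    It issues bearer tokens that keep a user logged in and can revoke
    every outstanding token at once (a 'precautionary reset' of the kind
    described in the post).
    """

    def __init__(self):
        self._live_tokens = {}  # token -> user id

    def issue_token(self, user_id):
        token = secrets.token_urlsafe(32)
        self._live_tokens[token] = user_id
        return token

    def introspect(self, token):
        """Return the user id behind a live token, or None if unknown or revoked."""
        return self._live_tokens.get(token)

    def reset_all_tokens(self):
        """Invalidate every token; returns how many were revoked."""
        count = len(self._live_tokens)
        self._live_tokens.clear()
        return count


class RelyingParty:
    """A third-party site offering 'log in using <provider>'.

    revalidate=False: trusts its own local session once the provider token
    checked out at login (common, and the weakness this example shows).
    revalidate=True: re-checks the provider token on every request, so a
    provider-side reset also ends the session here.
    """

    def __init__(self, provider, revalidate):
        self.provider = provider
        self.revalidate = revalidate
        self._sessions = {}  # local session id -> (user id, provider token)

    def login_with_provider(self, token):
        user_id = self.provider.introspect(token)
        if user_id is None:
            return None
        session_id = secrets.token_urlsafe(16)
        self._sessions[session_id] = (user_id, token)
        return session_id

    def request(self, session_id):
        """Return the user id a request is served as, or None if not logged in."""
        entry = self._sessions.get(session_id)
        if entry is None:
            return None
        user_id, token = entry
        if self.revalidate and self.provider.introspect(token) is None:
            del self._sessions[session_id]  # provider no longer vouches for this login
            return None
        return user_id


def run_scenario():
    """Replay a leaked-token scenario; returns (before_reset, after_reset)."""
    provider = IdentityProvider()
    leaked_token = provider.issue_token("alice")  # constructed: assume this token was exposed
    naive_site = RelyingParty(provider, revalidate=False)
    strict_site = RelyingParty(provider, revalidate=True)

    # Whoever holds the leaked token can open a session on both sites,
    # which is why the exposure is not limited to the provider itself.
    naive_session = naive_site.login_with_provider(leaked_token)
    strict_session = strict_site.login_with_provider(leaked_token)
    before = {
        "provider": provider.introspect(leaked_token),
        "naive_site": naive_site.request(naive_session),
        "strict_site": strict_site.request(strict_session),
    }

    provider.reset_all_tokens()  # the provider's precautionary reset
    after = {
        "provider": provider.introspect(leaked_token),
        "naive_site": naive_site.request(naive_session),
        "strict_site": strict_site.request(strict_session),
    }
    return before, after


if __name__ == "__main__":
    before, after = run_scenario()
    print("before reset:", before)
    print("after reset: ", after)
```

After the provider's reset the leaked token is dead at the provider and at the site that re-validates, but the session on the site that only checked the token once carries on. That is the practical lesson for anyone running a “log in with …” button: either re-check the provider token (or consume the provider's revocation notifications) or keep local sessions short, otherwise a provider-side reset does nothing for your users.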
Interconnecting systems to collect data on a Facebook scale makes spotting bugs hard. The value of Facebook is in how many data points they have about each person – they're not just collecting data about us, they're joining all of it together to create a profile and target advertising. That means that they have to link together all sorts of systems in the background, including software bought in acquisitions that may not be immediately compatible. And the people gluing these systems together are probably working under Facebook's famous motto, “move fast and break things”.
Technology needs to be disruptive and innovative, but regulators will eventually catch up. Facebook's acquisition of WhatsApp was followed by a $122M fine from the EU for “giving incorrect and misleading information” to antitrust officials about the ability or intention to link accounts and data between services. As far as the business world was concerned, the sale wasn't blocked, so the fine was just ‘a cost of doing business’. But on Friday Facebook's share price dropped by more than 3%, possibly because their investors think regulators are losing patience and out for blood.
Honest mistakes are a hard sell if you already have a poor reputation for data protection. Facebook are saying the same things other breached organisations say, and they have been the victim of a crime (since none of us can manage perfect security, let's be careful not to let lessons learned turn into victim blaming). The problem is that they're saying this having just run an ad campaign trying to redeem themselves after accusations that their systems let other businesses misuse user data. Reputation influences perception, so Facebook are unlikely to get the benefit of the doubt.