Tech giant Facebook had been aware of the security flaw that led to the biggest data breach in the company’s history, a report from the Daily Telegraph has found.
For nine months leading up to the 2018 Facebook data breach, in which personal information from 29 million user accounts was compromised, the Silicon Valley giant had been repeatedly warned about a security risk that hackers later exploited. According to the Telegraph’s Laurence Dodds, however, the company failed to take action in time to prevent the data breach.
According to the report—which relied on class-action legal documents from around the time of Facebook’s biggest data breach—alerts had been raised from as early as December 2017 to suggest that hackers possessed the means to make use of a security flaw in the social media platform’s “access tokens” system. These tokens are the method Facebook uses to allow its users to gain access to external web apps by providing “temporary, secure access to Facebook APIs,” according to the company. In short, access tokens are what facilitate the well-known single sign-on feature that many websites and social apps make use of.
The Facebook software engineers who had brought up the concerns with the company prior to its biggest data breach had explained that the access tokens had a loophole, due to their lack of expiry. Ultimately, this ended up being the very same loophole that hackers used to initiate the data breach in the first place.
The report goes on to suggest that Facebook’s lack of swift action on the issue is ultimately what led to the biggest data breach in the company’s history, in which 29 million user accounts were compromised in total, 14 million of which had large amounts of data stolen by the hackers. These data points included the users’ dates of birth, login devices, location data and search queries, among others. Hackers were also able to gain access to the posts, friend lists and groups of about 400,000 additional users.
A securable security flaw
According to the Telegraph’s report, Facebook employees have voiced their belief that, given how much the company knew about the security flaw leading up to the 2018 hack, the company’s biggest data breach “could have been prevented” in the very first place.
They went on to say, according to the report, that the patches which could have been rolled out to prevent the data breach were not completed in time by Facebook, and that warnings about the impending threat were “almost all ignored” by the company.
The Telegraph report goes on to quote two Facebook employees as saying that access tokens which do not expire “shouldn’t be launched to the public” and that “in retrospect,” the tech giant “definitely should have killed [the access tokens] months ago.”
The report also suggests that Facebook sought to protect its own employees from the security flaw brought about by access token vulnerability prior to its biggest data breach—indicating that the company was well aware of the risks involved.
As far as Facebook is concerned, however, they are in the clear on the issue. The company denies having had knowledge of the security flaw beforehand, publicly announcing in response that “any accusation that Facebook knew or was warned about this vulnerability is simply wrong.”
However, the company does seem to be taking steps to straighten out its record concerning access tokens. According to a Bloomberg report, Facebook is responding to the ongoing class-action lawsuit against it in the US District Court for the Northern District of California by ramping up security protocols to prevent access tokens from being exploited again in the future.
The lawsuit was initiated by US Facebook users who were affected by the security flaw which led to the company’s biggest data breach in 2018, and follows a European Union (EU) investigation by the Irish Data Protection Commission (DPC), prompted after three million Europeans were affected by the breach.
‘Moving fast’ past the biggest data breach
Facebook’s outright denial of having known about its access token security flaw demonstrates an unremitting attitude that has become expected of the company in its approach to controversy. With Mark Zuckerberg at the head, Facebook has long pursued a strategy known as “move fast and break things”—a phrase which was the company’s internal motto until 2014.
This mentality has likely influenced not only Facebook’s approach to research and development, but also the manner in which it has handled the numerous data privacy scandals in which it has become embroiled to date—most notably the company’s biggest data breach, in 2018.
Although the company does indeed have a long way to go, Facebook’s increased amenability to cooperation with authorities would seem to suggest that its former mindset may be coming to a gradual end. When the next security flaw is detected in Facebook systems, the company’s response will reveal much about the extent to which it is adapting its ways.