Cyber Attack on Facebook Impacts Almost 50 Million Account Holders

Facebook’s engineers discovered a serious data breach which was resolved on September 25. The data breach allegedly impacted around 50 million Facebook account holders. Affected users received a breach notification, were automatically signed out of their accounts, and are required to sign in again for secure access.

Facebook shares were down by 1.5% prior to the breach announcement and dropped by a further 2.6% after the announcement was made. But things may get worse for Facebook, as the European Union could impose a fine for the breach under the General Data Protection Regulation (GDPR). Penalties may amount to 4% of Facebook’s yearly global revenue. That is a fine of up to €1.63bn.

Facebook CEO and Founder Mark Zuckerberg stated in a Facebook post that they discovered an attacker took advantage of a technical vulnerability in order to steal access tokens. The tokens could enable the attacker to sign into the accounts of 50 million Facebook users. There have not yet been any reports of misuse of the potentially compromised accounts. Facebook was able to fix the vulnerability, but concern has been raised about how the breach was possible.

Facebook explained that the hacker exploited three bugs in the “View As” feature that was introduced in July 2017. The “View As” feature enables users to view how their profile appears to other users of Facebook. The bug was fixed on Thursday night, and notifications were sent to appropriate law enforcement agencies such as the FBI and the Irish Data Protection Commission in compliance with the GDPR requirements.

To date, Facebook has not identified the cyber attackers or where they are located. There have also been no reports of the attackers using the access tokens to access private messages or post anything to user accounts. Mark Warner, Virginia Senator and Senate Intelligence Committee Vice Chairman, has ordered a “full investigation” of the security breach.

This breach is a reminder of the importance of implementing sufficient security measures on sites that store the personal data of consumers, and it has highlighted the need for Congress to take action to ensure social media users’ privacy and security are protected.

This year has been bad for Facebook in terms of protecting its users’ personal information. Earlier this year, before the introduction of GDPR, Facebook had to weather the Cambridge Analytica scandal. A third-party firm was discovered to have disclosed personal information without first obtaining consent to do so.