On September 28, 2018, the New York Times reported that Facebook had suffered an attack that exposed the personal information of more than 50 million users. This breach is the largest in the company’s history.
By using three software vulnerabilities in Facebook’s systems, hackers were able to access user accounts, including those of top executives, Mark Zuckerberg and Sheryl Sandberg. Once inside the system, the attackers may have accessed other Facebook apps like Spotify, Instagram and hundreds of others that allow users to authenticate using the “Login with Facebook” button.
The company said the attackers exploited two bugs in the site’s “View As” feature, which is intended to increase users’ control over their privacy. These issues were compounded by a bug in Facebook’s video-uploading program, which allowed the attackers to steal access tokens, the digital keys that control account access.
The severity of this incident shows the importance of locking down access and identities to protect sensitive user data. With a well-defined and enforced security policy applied even to its own apps, Facebook could have blocked the video-upload app from obtaining the user access key from the “View As” feature.
To protect sensitive user data in today’s digital systems, a secure access control system is needed to manage access to, and interactions between, people, machines, apps and data. Access policies must be well-defined and enforced rigorously to avoid single points of failure even in the event that an apparently trustworthy app or service is compromised.
Read more in The New York Times article “Facebook Security Breach Exposes Accounts of 50 Million Users”.