As I signed onto Facebook this afternoon, I was greeted with a cheerful message from the company telling me that a wealth of my private personal information had been mass harvested from my account while its security professionals looked on without noticing a thing until it was too late and that they were “very sorry” for the inconvenience of having my private data stolen. The company’s helpful information page offered an Orwellian nightmare of a catalog of information that was taken, exposing users to everything from hypercustomized phishing attacks to potential financial fraud. The company itself conceded that victims of the breach were at considerable risk, yet stopped short of offering any assistance. What does Facebook’s spectacular security failure mean for our online privacy and whether companies have sufficient incentive to protect the data entrusted to them by their users?
Over the past decade and a half, Facebook has grown from a place for college kids to check out dating prospects into a parallel version of the internet itself, enveloping everything from the official communication channels of governments across the world to the news outlets that keep us informed. In short, they are increasingly becoming “the web” for most intents and purposes and thus increasingly mediating, monitoring and mining our communications and daily lives.
As a Silicon Valley company, the public and policymakers have historically deferred to Facebook when it came to questions about its security posture and whether it could reasonably keep its users’ private information safe from attackers. Instead of forcing the company to concede to external audits or asking hard questions about whether it was doing enough to safeguard the private data entrusted to it, Facebook’s heritage as a Valley company has largely shielded it from scrutiny as the outside world merely trusted that any West Coast technology company must have unimaginable security safeguards.
Of course, as we know today, the answer is that it obviously did not. Unknown attackers were able to exploit a core security failure to make off with the personal information of 30 million users right under the noses of the company’s 10,000 safety and security staff without them so much as noticing a thing until it was all over. By the time the company spotted that something was amiss and intervened, 30 million people’s personal data had been mass downloaded.
Most devastatingly, Facebook and the rest of the major web companies have educated the public that to secure themselves against having their accounts compromised, they should adopt two-factor authentication, especially authenticator apps or, best of all, hardware keys. Yet, even hardware keys presume that the underlying authentication system guarding the website is intact. They protect the front door, but in this case, Facebook left the backdoor flapping in the breeze. Should companies be forced to spend more time on security, deploying security initiatives with the same vigor they roll out new money-making features?
When asked whether the company would be making any changes to its authentication process, including changes that might have rendered two-factor hardware authentication more of a deterrent to these kinds of failures, the company declined to comment. Though, given the nature of Facebook’s vulnerability, it is unlikely that any kind of additional user-facing protections would have helped.
Of course, vulnerabilities happen and they can be extremely difficult to find when a site has as many moving parts as Facebook’s. This means that network and behavioral monitoring is often the most important line of defense against breaches.
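As an added illustration of the behavioral monitoring referred to above, the following is example code written for this page; it is not Facebook's code and does not describe any mechanism of the actual breach. It assumes only that a platform logs which client read which profile and when, and flags any client whose count of distinct profiles read inside a sliding window far exceeds what an ordinary user produces. Every log line, field name, client identifier and threshold is constructed for the example.

```python
"""Cardinality-based detection of mass profile harvesting over constructed logs.

The idea: each individual profile read may be authorized, but a client that
reads hundreds of distinct profiles in a few minutes behaves unlike any real
user and should raise an alert well before the harvest completes.
All data below is constructed for this example (not real Facebook logs).
"""
from collections import defaultdict
from datetime import datetime, timedelta

FMT = "%Y-%m-%dT%H:%M:%SZ"  # assumed timestamp layout of the constructed log


def parse_line(line):
    """Parse '<ts> client=<id> target=<id> action=<name>' into a tuple."""
    ts_str, *kv = line.split()
    fields = dict(part.split("=", 1) for part in kv)
    ts = datetime.strptime(ts_str, FMT)
    return ts, fields["client"], fields["target"], fields["action"]


def detect_mass_reads(lines, window=timedelta(minutes=5), max_distinct=50):
    """Return {client: peak distinct targets} for clients exceeding max_distinct
    distinct profile reads within any sliding window of the given length."""
    events = sorted((parse_line(l) for l in lines if l.strip()), key=lambda e: e[0])
    by_client = defaultdict(list)
    for ts, client, target, action in events:
        if action == "profile.read":
            by_client[client].append((ts, target))

    alerts = {}
    for client, reads in by_client.items():
        start = 0
        in_window = defaultdict(int)  # target -> reads of it inside the window
        peak = 0
        for ts, target in reads:
            in_window[target] += 1
            # Evict reads older than the window, keeping the cardinality exact.
            while reads[start][0] < ts - window:
                old = reads[start][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                start += 1
            peak = max(peak, len(in_window))
        if peak > max_distinct:
            alerts[client] = peak
    return alerts


def build_sample_log():
    """Constructed log: three ordinary users plus one harvesting client."""
    base = datetime(2018, 9, 25, 10, 0, 0)
    lines = []
    # Ordinary users: own profile plus a handful of friends, spread over an hour.
    for i, client in enumerate(["u1001", "u1002", "u1003"]):
        for k in range(12):
            ts = base + timedelta(minutes=5 * k)
            target = client if k % 3 == 0 else f"u{2000 + (i * 10 + k) % 25}"
            lines.append(f"{ts.strftime(FMT)} client={client} target={target} action=profile.read")
    # Harvester (constructed): 300 distinct profiles in two and a half minutes.
    for n in range(300):
        ts = base + timedelta(seconds=n // 2)
        lines.append(f"{ts.strftime(FMT)} client=s9 target=u{7000 + n} action=profile.read")
    return lines


if __name__ == "__main__":
    for client, peak in detect_mass_reads(build_sample_log()).items():
        print(f"ALERT client={client} distinct_profiles_in_window={peak}")
```

The threshold is deliberately crude; in practice it would be derived from the observed distribution of per-client cardinality, and the same sliding-window structure works for other volume signals such as requests per minute or distinct tokens per source address.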
When asked how the company’s security teams had missed 30 million accounts being mass harvested, the company emphasized that it “moved extremely fast – within a couple of days” once it identified the attack. For a company as large and technologically savvy as Facebook, it raises the question of why it wasn’t able to spot the mass harvesting sooner. In its call with reporters, the company did not lend any clarity on this point beyond arguing that “a couple of days” was an extremely fast response time in its mind and also declined to comment when asked for follow up.
This raises the question of whether Facebook should have simply shut down its entire site once it detected the breach. The moment it saw mass exfiltration of user data, should it have simply “pulled the plug” and shut down all of its services worldwide, terminating all outbound network connections while it diagnosed what was happening to prevent any further loss of data? Such a shutdown would have been economically and politically devastating to the company but would have at least suggested it saw the breach as something more serious than a “sorry we lost your data” moment.
Little has been disclosed about who the attackers are. The company deflected all questions regarding the motivations of the attack, saying it had been instructed by the FBI not to comment. It declined even to comment on how many countries the attack affected other than to say it was broader than a handful.
While admittedly a very narrow sample, speaking with my own colleagues and contacts representing a number of countries across the world this afternoon, many of those who are regularly subjected to Russian-attributed phishing and other attacks did not seem to be affected, nor did colleagues in sensitive governmental and security roles, while the handful of colleagues I could find who had been affected seemed clustered in roles in specific technology sectors that have been more closely associated with economic espionage previously attributed to certain countries in Asia. Though, again, my quick afternoon triage was extremely limited and hardly a representative sample of any kind, so these trends may not represent the actual totality of the attack in any way. At the very least, the attack seems to have been fairly limited in scope, which is quite worrying from the standpoint of what the motivation may have been. It would certainly seem that if the attack had not been targeted in any way, Facebook would have labeled it already as an opportunistic random download. Their silence on this matter suggests there may be more to the story.
Far more frighteningly, Facebook seems to still not fully know what was taken. In its call with reporters, the company acknowledged that it is “still looking at other ways the people behind this attack may have used Facebook and we haven’t ruled out the possibility of smaller-scale, low-level access attempts during the time the vulnerability was exposed. Our investigation into that continues.”
It also confirmed that for those users who had provided credit card information to Facebook, the last four digits were available to the attackers, but that “we don’t have any evidence that the attackers specifically took any of this information.” Though, as with other questions, the company stopped short of saying it had definitely not been harvested.
My own first reaction upon receiving the notification this afternoon was to want to see a complete list of everything the attackers had downloaded. While Facebook provides a list of categories of things that could have been taken, the full extent of what might be included under some of them is unclear, and the company declined to clarify. For example, when asked whether phone numbers, email addresses and other contact details provided in the past for two-factor authentication or account verification, but which were not otherwise part of the visible profile, could have been accessed by the attackers, the company declined to answer.
This raises the question of why Facebook did not offer each affected user a PDF download that contained a complete and exhaustive inventory of every single piece of information accessed from their profile by the attackers. The company already allows users to download their full profile, so it is unclear why they would not provide a PDF that would at least allow users to see precisely which, out of all of the possible things that might have been taken from them, the attackers actually obtained. For example, since timeline posts were accessed, does this mean the entirety of every single timeline post since they first joined Facebook? Just the most recent month? Having a PDF summary of everything that was taken would at least help victims better understand the privacy and fraud risks they will now face because of Facebook’s security failure.
When asked whether Facebook would consider offering such a PDF summary, a spokesperson said the company had no comment beyond its previous public statements.
Given that Facebook’s own warnings to affected users note that the company’s breach has placed them at a substantially elevated risk of highly targeted phishing and financial attacks, this raises the question of whether the company should be responsible for helping the users whose data it lost. Specifically, what happens if the attackers release the stolen information or use it to commit fraud or targeted phishing attacks that lead to economic, reputational or other damage to the affected users? Will Facebook financially compensate users for harm they endure from the breach?
The answer? Once again, that the company had no comment beyond its previous statements.
Therein lies the problem and the real reason we are grappling with yet another mass harvest from Facebook: companies like Facebook have no real incentive to secure their users’ data. Even a financial penalty of a billion or two dollars is not crippling to a company of Facebook’s size, while the economic cost of maintaining a sufficiently large security staff and the attendant technology development, storage and computational costs can exceed, per year, the total cost of multiple breaches combined. In short, it is often far cheaper for companies of Facebook’s size, even with large financial penalties, to invest less in security and simply apologize and accept a fine when things go wrong.
In a twist of irony, when I clicked on my profile this afternoon to see what all information might have been available to the attackers, I was met with a helpful popup from Facebook telling me that “it’s been a while since you’ve updated sections of your profile” and suggesting I fill in all of the fields I’ve left blank, just to make sure the next attackers have more information to walk away with.
It is worth noting, however, that it doesn’t have to be this way. Facebook’s peers seem to be far ahead of it in terms of their security postures. Google relentlessly monitors its global networks for anomalous behavior and is able to identify and block even nation state adversaries, notifying users when it has blocked attacks on their accounts and leading to a very different story.
When nation state attackers targeted my Google account last year the result was notice from Google that it had identified the campaign and halted it without my ever having to worry. A year later when it comes to Facebook, the notice it gives me tells me that attackers managed to make off with most of my account without the company having seen a thing until it was all over and that the best they can do is tell me they are “sorry.” I don’t even have a right to see what the attackers took nor will the company commit to compensating the victims of its breach.
Putting this all together, the fact that Facebook could introduce such a devastating and central security failure into its codebase and not notice for a year, while similarly failing to notice 30 million accounts walking out the door until it was too late, suggests it has a very long way to go before it can be credibly trusted to protect the data of its two billion users. This massive breach of trust should cause us all to #DeleteFacebook, but the sad truth is that the company’s network has become so ingrained in society across the world that we simply cannot function without it anymore. In the end, we will simply accept this breach and keep using Facebook, while the company will get a slap on the wrist and at worst a relatively minor fine. The real question is what must change to make the Facebooks of the world more like the Googles?