Date: 2018-10-01

Facebook had its data stolen once again. By its, I mean your and my data, of course. Yeah, I know, what else is new! I’m now considering going the same route as Gene Hackman’s character in the film Enemy Of The State - as off-the-grid as possible, with all electronic gadgets confined to a secure basement.

After a testimony before the US Congress earlier this year, which gave rise to memes that portrayed Facebook as the tech equivalent of the devil, people are once again stunned. Probably because they assumed the social media behemoth would change. What happened again is what we will be answering today on our Story of the Day. My name is Rakesh, and you are listening to Moneycontrol.

So here’s what happened.

According to reports, on September 25, Facebook discovered a security flaw that affected approximately 50 million accounts. Instagram, which is owned by Facebook, may also have been affected. Tinder, Airbnb, and Spotify, three prominent companies that use Facebook’s login, are yet to respond on this issue. The flaw could have allowed attackers to take over those accounts, Facebook said in a statement. The social network, which now claims to have around 2.2 billion users, said it has fixed the vulnerability and informed law enforcement.

Reports indicate that the attackers stole Facebook access tokens through something called a "view as" feature. "View as" allows users to see what their own profile looks like to someone else. Taking over someone’s account from a page that tailors how we would like to be seen by the world. Delicious irony there.

Wait, didn’t something similar to this happen just the other day? Well, sort of. The most recent episode wasn’t so much data security as sharing private information. In that instance, the maker of a personality quiz app on Facebook transferred his database of profile information to a third party, Cambridge Analytica.

Back in March of this year, Christopher Wylie, a Canadian data scientist working with Cambridge Analytica (CA), tweeted that his company had harvested the data of 50 million Facebook users in an alleged attempt to influence American voters ahead of the 2016 elections there. That number would eventually settle at 87 million. It was an important moment in our understanding of social media, data and how all our online habits are tracked. It was the first time most of us even realized that we had something known as “online habits” or that it is something companies use as a business. CA told Facebook it had deleted the information, but it had lied.

The New York Times, reporting on the CA scandal, said software flaws in Facebook’s systems allowed hackers to break into user accounts, including those of the top executives Mark Zuckerberg and Sheryl Sandberg. Two bugs were introduced by an online tool meant to improve the privacy of users. Another was introduced in July 2017 by a tool meant to easily upload birthday videos. The bugs were especially awkward because Facebook takes pride in its engineering.

The aftermath of that scandal saw the company spouting catchphrases like a breach of trust, data breach, mistake etc. And they pledged to make changes and reforms in Facebook policy to prevent similar breaches. Yes, they pledged. You can see why some people would have trust issues with Facebook. Some analysts say Facebook’s stock price fell as a result of this scandal. So while it wasn’t data security, a strong perception took hold that Facebook isn’t very proficient at handling user data.

This week, once again, events took an expected turn. CEO Jesse Eisenberg...sorry, that’s the guy from the movie...CEO Mark Zuckerberg said, “We do not currently have any evidence that suggests these accounts have been compromised.” Is it just me, or does the CEO sound just a bit too rhetorical? In any case, the company’s stock fell more than 3 percent in Friday afternoon trading on Wall Street.

Facebook says it has reset these access tokens for the 50 million accounts that were affected. As a further precaution, the company said it had also reset access tokens for another 40 million accounts that have been looked up through the "view as" option over the last 12 months. So, approximately 90 million people will have to log back in. However, Facebook users should note that the "view as" option is being disabled temporarily. Zuckerberg said his company needs to continue developing new tools to make accounts more secure and prevent similar breaches.

A report by Wired says affected users will see a message at the top of their News Feed about the issue when they log in. It reads, "Your privacy and security are important to us. We want to let you know about the recent action we've taken to secure your account."

While many reports claim the current instance is the largest data breach in the company’s 14-year history, it is not Facebook’s first brush with data security problems. Facebook hasn’t exactly been blindsided by unforeseen assaults in 2018. In 2008, a technical glitch revealed confidential birth dates of 80 million Facebook users.

In 2013, Facebook disclosed a software flaw that had exposed 6 million users' phone numbers and email addresses to unauthorized viewers for an entire year. There’s a reason senior executives had to testify in congressional hearings where some lawmakers suggested the US government might need to step in if the company couldn’t get its act together.

From that point of view, the latest breach is coming at the worst time for Facebook. Some people in American politics were quick to capitalise on the incident.

Mark Warner, a Democrat senator, was blunt in his views. He said, “This is another sobering indicator that Congress needs to step up and take action to protect the privacy and security of social media users. A full investigation should be swiftly conducted and made public so that we can understand more about what happened.”

His words could prove problematic for Zuckerberg and company. Warner is the Vice Chairman of the Senate Select Committee on Intelligence, and co-chair of the Senate Cybersecurity Caucus. Rohit Chopra, a commissioner with the Federal Trade Commission, said, “Breaches don’t just violate our privacy. They create enormous risks for our economy and national security. The cost of inaction is growing, and we need answers.”

It could get more painful across the pond. Ireland’s Data Protection Commission, Facebook’s main regulator in Europe, has demanded more information regarding the attack.

The Economic Times reported that Facebook could face a steep $1.63 billion fine from the European Union’s privacy watchdog if it is found not to have taken appropriate steps to protect user data. And it indeed does look like the company might be in trouble this time around. Facebook said it is cooperating with authorities but does not yet know who is behind the attack, or even where it originated. Vice president of product, Guy Rosen, said, “We may never know.”

The company claims its own investigation into the matter started on September 16, following an unusual spike in users accessing Facebook. On September 25, the company’s engineering team found that hackers appeared to have exploited bugs related to the View As feature.

New Scientist reported that the attackers exploited an interaction between several different bugs in Facebook’s code, tricking the site into handing over the digital keys to individual accounts. When using the “View As” feature, a video-upload box was incorrectly left activated. Using this box to upload a video then generated a key that gave access to that other person’s account.

This allowed the hackers access to anything that users could view on their own profiles. That includes names and dates of birth of friends and/or family members, private photos etc. This information can also be used in phishing attacks.

Rosen said, “This is a complex interaction of multiple bugs.”

Wired claimed that Chang Chi-yuan, a Taiwanese hacker, had promised to live-stream the deletion of Mark Zuckerberg's Facebook account, but Rosen dismissed it, saying the company was not aware that he was related to this particular attack.

Lukasz Olejnik, a member of the W3C Technical Architecture Group and a security researcher, said, “If the attacker exploited custom and isolated vulnerabilities, and the attack was a highly targeted one, there simply might be no suitable trace or intelligence allowing investigators to connect the dots.” David Kennedy of cybersecurity firm TrustedSec is sympathetic to Facebook’s problem. He says, “...these types of security vulnerabilities can be extremely difficult to spot or catch since they rely on having to dynamically test the site itself as it’s running.”

Some media reports said there are indications that Mark Zuckerberg has learnt from the Cambridge Analytica fiasco. When that scandal broke, Zuckerberg didn’t communicate with the media for days. This time around, he connected with the media right away to explain what went wrong. And Facebook’s Cambridge Analytica misadventure doesn’t help shore up its credibility. Or it could just all be Putin’s fault. As Guy Rosen said, “We may never know.”