Facebook has had its third security issue since June 2018 and no one besides privacy professionals seems to care. Last Friday Facebook announced that hackers were able to access the personal data stored in 50 million Facebook accounts.
According to Facebook’s statement, the attackers
exploited a vulnerability in Facebook’s code that impacted ‘View As’, a feature that lets people see what their own profile looks like to someone else. This allowed them to steal Facebook access tokens which they could then use to take over people’s accounts. Access tokens are the equivalent of digital keys that keep people logged in to Facebook so they don’t need to re-enter their password every time they use the app.
The attackers could use the account as if they were the account holder
In response to the attack, Facebook forced around 100 million users to log out and back into their accounts. If you were logged out last week, it means your account data was accessed (and potentially stolen) by the hackers as if they were you. They could then access everything, including personal information, photos and private conversations if you use Messenger.
The good news is that your password was not revealed to the hackers. However, they did not need it, as they had stolen the tokens. This means they were also able to access third-party applications that use Facebook login (e.g. Tinder, Spotify), even though we do not know if they took advantage of it.
To check whether someone other than you has recently accessed your account, go to ‘Account Settings – Security and Login – Where You’re Logged In’ and review the devices that have access to your Facebook account and their location.
You don’t have control over anything
Now is the time to remember that you do not have control over what Facebook does with your data, nor do you have control over how Facebook handles your privacy. This company keeps screwing up: it fails through incompetence when it comes to security, and it behaves in a deceptive way regarding privacy and personal data usage.
On the one hand, there are constant attacks on Facebook from people who are trying to steal information, and Facebook has to monetise data in order to generate revenue.
On the other hand, we have to acknowledge that Facebook is not getting any better despite its recurring promise to do so. Every now and then Facebook reminds everyone that it is committed to allowing users to control what they share and whom they share it with. However, Facebook does pretty much anything with our data without our prior consent or knowledge. The latest example was revealed recently: Facebook is using our phone numbers to run ads although we gave them for security purposes only.
EU Commissioner Jourová recently pointed out in a press briefing that
Facebook’s new terms of services from April contain a misleading presentation of the main characteristics of Facebook’s services. In particular, Facebook now tells consumers that their data and content is used only to improve their overall ‘experience’ and does not mention that the company uses these data for commercial purposes.
Facebook gives users the impression of meaningful control, but they are too ignorant to do anything other than rush to use its services without asking questions. Users’ trust in Facebook does not seem to have eroded much, if at all. After the Cambridge Analytica scandal, one would have expected a massive wave of users unsubscribing from the social network. It did not happen. Some users complained. The vast majority, however, turned a blind eye to this incredible violation of our fundamental rights and got back on Facebook, as if nothing had happened.