Facebook security wasn’t something most of us worried about just five years ago. Most users happily went about their Facebook lives and never thought twice about their privacy and security. Since the latest Facebook security breach has affected nearly 50 million accounts, many users are finally getting concerned. So are security experts and pundits. I’ve said it before and I’ll say it again: cybersecurity and personal data privacy are only going to get more difficult as the years tick by.
Greg Foss, Senior Manager of Threat Research at LogRhythm:
The view-as feature within Facebook’s platform, while well-intentioned, is difficult to implement programmatically, in that you are viewing your account as another individual – essentially a light version of account impersonation. When implemented properly, you’re given a specific view of an account based on what is programmatically known about the account you’re viewing from.
Based on information available, a video uploading feature implemented in July of last year exposed this feature to a flaw that allowed attackers to impersonate other user accounts and effectively obtain full access to their Facebook profiles. It appears that attackers are able to access the accounts of ‘friends’ or those already connected to the compromised account.
If that’s true, it may be possible to trace the attacks back to a single point of origin, given the nature of how the attack spreads to other accounts. That said, the origin account will most likely not be that of a real Facebook user, so determining an individual or group behind this will take some digging.
Facebook has access to the personal information of billions of people; a relative gold mine to threat actors and consumers alike. And with all that great power comes great responsibility. When you’re entrusted with billions of personal records, on your flagship platform, the security of your software must be paramount.
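As an added illustration of the “implemented properly” case Foss describes (not Facebook’s code and not part of his comment): a view-as preview is computed purely from the owner’s data and the viewer’s relationship to the owner, and the acting principal never changes. The account names, fields and audit log below are constructed for the example.

```python
from __future__ import annotations
from dataclasses import dataclass
from enum import Enum

class Audience(Enum):
    PUBLIC = 0     # anyone
    FRIENDS = 1    # connected accounts
    ONLY_ME = 2    # the owner alone

@dataclass
class Profile:
    user_id: str
    friends: set[str]
    fields: dict[str, tuple[str, Audience]]  # field name -> (value, audience)

def relationship(owner: Profile, viewer_id: str) -> Audience:
    """Entitlement tier of viewer_id, derived only from the owner's social graph."""
    if viewer_id == owner.user_id:
        return Audience.ONLY_ME
    if viewer_id in owner.friends:
        return Audience.FRIENDS
    return Audience.PUBLIC

def render_as(owner: Profile, viewer_id: str) -> dict[str, str]:
    """The owner's profile exactly as viewer_id is entitled to see it."""
    tier = relationship(owner, viewer_id).value
    return {name: value for name, (value, aud) in owner.fields.items()
            if aud.value <= tier}

def view_as(session_user: str, owner: Profile, viewer_id: str, audit: list) -> dict:
    """'View as' preview for the profile owner. The acting principal stays
    session_user: this returns rendered data only, never a session, token or
    capability for viewer_id. Every preview is written to the audit list."""
    if session_user != owner.user_id:
        raise PermissionError("only the profile owner may preview their profile")
    preview = render_as(owner, viewer_id)
    audit.append({"actor": session_user, "action": "view_as", "as": viewer_id})
    return {"acting_as": session_user, "previewed_as": viewer_id, "profile": preview}

# Constructed sample data (hypothetical accounts, not real users).
ALICE = Profile("alice", friends={"bob"}, fields={
    "name": ("Alice", Audience.PUBLIC),
    "city": ("Lisbon", Audience.FRIENDS),
    "phone": ("+1-555-0100", Audience.ONLY_ME),
})

if __name__ == "__main__":
    log: list = []
    print(view_as("alice", ALICE, "bob", log))
    print(log)
```

The preview carries no credential for the impersonated viewer, so a defect in any other feature that reuses it cannot escalate to acting as that viewer; the audit entry gives responders a record of who previewed what.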
Ray Rothrock, CEO at RedSeal:
Facebook’s latest compromise is a textbook example of exactly what digital resilience is not. They weren’t prepared for the unexpected intrusion of their systems. Given Facebook’s already shaky public perception, their number one priority should be protecting their customers, who are also their highest-value asset. On the heels of their already challenging year, it will be difficult – perhaps impossible – for Facebook to recover from both the impact on customers’ trust and its resulting business performance. Conversely, companies that can isolate or limit the bad guys once they’re inside the network will maintain their value and the trust of their customers and investors. Digital resilience is the strategic proactive answer.
There’s no question that Facebook security needs to be examined more closely, and the same goes for the security of any company that holds user data. It will be interesting to see how Facebook handles this latest breach and what steps they take to be more secure.