
What Should I Do About the Latest Facebook Breach?

The latest Facebook breach reinforces lessons that information security professionals have learned in the trenches. The most prudent working assumption is that a breach is already in progress, and our processes should be updated to deal with that certainty rather than with the hope of preventing it.

Two major reasons why we will continue to see large-scale breaches of this type are software complexity and centralization.

If you don’t care about the reasons why, skip to the bottom to learn how to check your Facebook account and protect yourself.
Software complexity generates cybersecurity debt.

Firstly, software complexity grows rapidly as companies race to out-feature competitors. While the bugs associated with this latest breach relate to access tokens, the particulars are nearly irrelevant.

Focusing on the specifics of the hack isn't helpful when taking a macro view of the root cause: the process of software development introduces bugs as a by-product, and more code means more bugs.

This means a limited number of defenders are in a constant cat-and-mouse game with hundreds, maybe thousands, of attackers who may be attempting to gain access to a major service such as Facebook.

As attacker sophistication and the value of your data increase over time, persistence (the ability to maintain a foothold in the target company while remaining undetected) becomes the name of the game.

The specific Facebook vulnerability which led to this breach was introduced in July 2017, giving the attackers a window of roughly 14 months within which they could have had full access to the data in any account, and potentially to data in accounts on other services which relied on a Facebook login.

Secondly, centralization of identity services simplifies things for both developers (no need to write risky authentication code when you can transfer the risk to another service like Facebook!) and users (no need to remember/store logins for various sites).

However, this encourages bad security habits and creates single points of failure as we have seen with this breach. Facebook and other centralized services are quite attractive to threat actors and will always be high value targets.
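The access-token angle mentioned above and the single-point-of-failure argument here share a practical consequence for any site that accepts "Login with Facebook": you have transferred the authentication risk, but not the responsibility for deciding whether to trust a token the browser hands you. The following is an added example, not code from the article or from Facebook, showing the checks a relying party should run on a provider's token-introspection response before minting a local session. The response shape follows Facebook's documented /debug_token endpoint (data.app_id, data.is_valid, data.expires_at, data.user_id, data.scopes), but the app id, scopes, timestamps and every sample response are constructed for the example, and nothing here touches the network.

```python
"""
Relying-party checks on a delegated-login access token.

Hypothetical helper (not from the article). Models the JSON a provider's
token-introspection endpoint returns and decides whether to create a local
session. Sample responses are constructed; no network calls are made.
"""
import json
from dataclasses import dataclass
from typing import Optional

OUR_APP_ID = "123456789012345"      # assumed: this relying party's own app id
REQUIRED_SCOPES = {"email"}         # assumed: scopes our login flow depends on
MAX_LOCAL_SESSION_SECONDS = 3600    # re-introspect at least hourly


@dataclass
class Decision:
    accepted: bool
    reason: str
    user_id: Optional[str] = None
    # Local session TTL: never longer than the provider token, and capped so a
    # provider-side revocation (e.g. a mass token reset after a breach) is
    # honoured within the hour instead of at the token's natural expiry.
    session_ttl: int = 0


def evaluate_introspection(raw: str, now: float) -> Decision:
    """Return whether a local session may be created from an introspection reply."""
    try:
        payload = json.loads(raw)
    except json.JSONDecodeError:
        return Decision(False, "unparseable introspection response")
    data = payload.get("data")
    if not isinstance(data, dict):
        return Decision(False, "missing data object")
    # Providers may report a revoked/expired token inside the body rather than
    # via HTTP status, so is_valid is checked explicitly.
    if not data.get("is_valid", False):
        err = data.get("error", {}).get("message", "token not valid")
        return Decision(False, f"provider rejected token: {err}")
    # A valid token issued to some *other* app must not log the user in here:
    # binding to our own app id closes the classic confused-deputy path.
    if str(data.get("app_id")) != OUR_APP_ID:
        return Decision(False, "token issued to a different app")
    expires_at = data.get("expires_at")
    # Conservative: a token with no usable expiry (0, missing, or past) is refused.
    if not isinstance(expires_at, (int, float)) or expires_at <= now:
        return Decision(False, "token expired or has no expiry")
    missing = REQUIRED_SCOPES - set(data.get("scopes", []))
    if missing:
        return Decision(False, f"missing scopes: {sorted(missing)}")
    user_id = data.get("user_id")
    if not user_id:
        return Decision(False, "no user_id bound to token")
    ttl = int(min(expires_at - now, MAX_LOCAL_SESSION_SECONDS))
    return Decision(True, "ok", str(user_id), ttl)


# Constructed sample responses (not real Facebook data). NOW is 2018-10-01 UTC.
NOW = 1_538_352_000
SAMPLES = {
    "good": json.dumps({"data": {
        "app_id": OUR_APP_ID, "is_valid": True, "expires_at": NOW + 86400,
        "user_id": "1000123", "scopes": ["email", "public_profile"]}}),
    "other_app": json.dumps({"data": {
        "app_id": "999999999999999", "is_valid": True, "expires_at": NOW + 86400,
        "user_id": "1000123", "scopes": ["email"]}}),
    "revoked": json.dumps({"data": {
        "app_id": OUR_APP_ID, "is_valid": False,
        "error": {"code": 190, "message": "Session has expired"},
        "user_id": "1000123", "scopes": ["email"]}}),
    "no_expiry": json.dumps({"data": {
        "app_id": OUR_APP_ID, "is_valid": True, "expires_at": 0,
        "user_id": "1000123", "scopes": ["email"]}}),
}


def run_samples() -> dict:
    """Evaluate every constructed sample; returns name -> Decision."""
    return {name: evaluate_introspection(raw, NOW) for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, decision in run_samples().items():
        print(f"{name:10s} accepted={decision.accepted} ttl={decision.session_ttl} ({decision.reason})")
```

The important design choice is the capped local session: a provider can only protect you retroactively (by invalidating tokens) if your site goes back and asks the provider whether the token is still good, and a long-lived local session silently skips that question.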

Will I ever know what happened to my data? Probably not.

Unfortunately, businesses are almost never fully forthcoming when notifying users of the details of a breach. While the EU's GDPR, with its 72-hour notification requirement, has improved the speed of notification, the result is that the world now learns about a breach from an organization that is under immense public pressure and scrutiny, and that has not yet completed its investigation.

Detailing each unauthorized access to any given account would be incredibly difficult or impossible for most companies, and even where that information exists you will almost certainly never receive it without expensive litigation.