It’s been a few days now since Facebook reported that hackers obtained access tokens for 50 million user accounts, in what is believed to be the largest such data breach in its history. Here’s what we’ve learned since then — and what we haven’t.

One, the breach may have affected other third-party services that use the Facebook Connect identity platform. Several large internet services rely heavily on Facebook logins, including Spotify, Airbnb, and Tinder. Anyone who had full access to a user’s account would have been able to log into those services as well, possibly undetected. Notably, none of these Facebook Connect customers have had much to say about the effect of the breach on their own services, likely because they are still investigating. Tinder was the exception, saying Facebook had shared only limited information and calling on it to share more.

The third-party developer situation set off a secondary debate about the wisdom of using Facebook login. On the pro side, Facebook login offers enhanced security measures such as “risk-based logins” — challenging users to provide additional information if it suspects a password has been stolen. On the con side, Facebook’s dominance has created something resembling a single point of failure for online security.

Two, the legal consequences of the breach are becoming apparent. A class-action lawsuit was filed with terrifying speed. And while Facebook appears to have disclosed the breach within the 72 hours required by the General Data Protection Regulation, the European Union privacy watchdog could still fine Facebook up to $1.63 billion, Sam Schechner reported in the Wall Street Journal. Separately, the Irish Data Protection Commission said Monday that less than 10 percent of the breach’s victims live in the European Union. 

Three, a Facebook executive on Monday repeated the idea that the breach came as the result of “a sophisticated attack.” Speaking at an Advertising Week panel, the company’s global head of marketing, Carolyn Everson, called the still-unknown attackers an “odorless, weightless intruder that walked in” and that Facebook could only detect “once they made a certain move.” (Everson also had the one-liner of the day. When asked about the acrimonious departures of the billionaire WhatsApp founders earlier this year, she replied: “I’d like to hear more about their philanthropy.” Which deserves a spot on any list of the funniest things ever said on stage during an Advertising Week presentation.)

Finally, the breach has given the world fresh occasion to assess its trust in Facebook. On Friday’s press call, two reporters asked Mark Zuckerberg why people should continue to trust the platform with their data.

I spent Monday waiting for further shoes to drop on the breach. But the truth is we learned very little over the weekend. The best explanation for that is that GDPR forced Facebook to disclose the breach just as its investigation was getting underway. We’ll know more eventually, but it might not be soon.

More News

Facebook names longtime executive Adam Mosseri as new head of Instagram

After a weeklong interregnum in which seemingly very few people understood what was happening, Adam Mosseri has been named head of Instagram. (This is his official title.) Mosseri is smart and well liked, but his job here is to be a good soldier rather than an auteur. The most notable thing in this blog post is the look-we’re-all-friends photo of Mosseri sitting in between Mikey Krieger and Kevin Systrom; the second-most notable thing is the founders’ doomed cry in their new farewell blog post. “To us, the most important thing is keeping our community — all of you — front and center in all that Instagram does.” That is not the most important thing to Facebook, and they know it. (Which is why they wrote it.)

