Facebook Breach Worries Asian OrganizationsSecurity Practitioners Expect Far-Reaching Impact Beyond Facebook
The recent breach at Facebook, which affects 50 million users, is likely to have a big impact on Asians who use Facebook's single sign-on feature to log into third-party apps (see: Facebook Submits GDPR Breach Notification to Irish Watchdog). India is the world's largest market for the social media giant.
SingCERT, the Singapore Computer Emergency Response Team, says attackers could leverage the breach to access the personal information stored in users' Facebook accounts. "Using such information, scams and phishing attempts could look more credible," it says.
The breach resulted in users' access tokens being stolen. Those can be used to gain access to other third-party websites that the user logged into using their Facebook credentials.
"The number of accounts hacked for Indian users are not specifically revealed by Facebook, but around 13.5 percent of those whose accounts were breached seem to be from India," says Rohan R. Vibhandik, cyber security researcher at an IT firm.
The Facebook data breach comes at a time when the organization is still reeling under the controversy of Cambridge Analytica saga, the data analysis firm that reportedly received data on up to 87 million Facebook users without their consent.
Facebook CEO Mark Zuckerberg described the breach as "a really serious security issue." He said one possible scenario is hackers could leverage the vulnerability in Facebook's "View As" feature to access the personal information stored in users' Facebook accounts.
"Such information could then be used to aid scammers in making scam and phishing attempts appear more credible," he said.
K.K. Mookhey, CEO and founder of NII Consulting, notes that three bugs were chained together by the attackers to open the door to the breach. "These bugs occurred in the 'View As' feature of Facebook, which allows a user to see items posted by a user which he/she had shared to his/her friends on Facebook." (See Facebook Breach: Attackers Exploited Privacy Feature).
By stealing access tokens, hackers potentially gained access to third party apps where the user had logged via Facebook.
Facebook has not yet revealed whether the hacked accounts were misused.
The hackers tried accessing profile information, such as name, gender, location and photos, from compromised accounts, the Economic Times reports.
Many users link their Facebook account with other services, including mobile applications, other social media accounts, and music streaming platforms. For example, in India, users can log into third-party apps such as Swiggy, Zomato, Hotstar and FreshMenu, among others, through Facebook without creating a unique profile.
"This makes all applications vulnerable. This is a very serious breach. The attackers had potential access to complete data of all users whose access tokens they got. They would have been able to replay this token to other apps that used Facebook logins," Mookhey says.
Law Enforcement Action
Some security experts say that because India lacks a strong privacy law, law enforcement authorities would find it difficult to file a complaint against Facebook.
"Without the backing of a strong privacy law or a data protection law, there is little the police officials can do in this case," says Na. Vijayashankar, a cyber law expert.
SingCERT recommends that Facebook users change their passwords immediately and use two-factor authentication. It says users should be on the lookout for phishing attempts and monitor for signs of misuse of their Facebook accounts.
U.S.-based Richard Ford, chief scientist at Forcepoint, says this breach illustrates a fundamental truth of the new digital economy.
"Users need to continually evaluate the type of data they share and the potential impact a breach of that data could cause, to become an active participant in protecting their own online identities, he says. "On the other side, companies need to avail themselves of proactive technologies such as behavioral analysis to hold up their end of the bargain."
(Principal Correspondent Suparna Goswami contributed to this story)