marknca

Mornings With Mark
no. // 0005

50 Million Facebook Accounts Hacked?!?


Full machine-generated transcript follows

Morning, everybody. How you doing today? In this episode I want to talk about Facebook. I don't want to talk about Facebook, but I feel obliged, compelled, to keep talking about this network, the network everybody loves to hate. You may be watching me live on Facebook right now. It's an interesting sort of conundrum for all of us, but there's big news out of Facebook, on the downside, on Friday.

They announced that over 50 million accounts had been hacked, and of course everybody, rightfully so, started to freak out. But as the technical details kind of came out, I started diving into the situation a little bit deeper to try to figure out if they handled it well, and really what the consequences were for us as users.

So here's what happened, at least as far as we know based on publicly available information: 50 million accounts were exposed through a combination of three separate bugs or vulnerabilities. That's an interesting chain, where attackers didn't use just one issue or even two; they actually leveraged three separate things that in isolation aren't that big of a deal. It's something we're seeing more and more in general with hackers, with malicious actors, where they're chaining little things together to create a bigger problem. Now from a defender's perspective that's a real big issue, because today we normally classify vulnerabilities based on their individual, isolated impact.

So you say, well, that's a minor vulnerability, we're not going to worry about it right now, we've got this other thing that's much more important. But we've seen time and time again, we saw it at Pwn2Own, which is a hacking competition, in a positive way, for positive research, we've seen that for the last couple of years where attackers, in this case researchers, have been using multiple bugs to create a far worse outcome. And that's exactly what happened to Facebook on Friday. What they announced on Friday was that hackers used three different vulnerabilities, from basically three different teams from all we can tell on the Facebook side, at least, so that's why it wasn't caught, to escalate their access to the Facebook infrastructure.

Now you may have noticed that a couple of years ago you stopped having to log into Facebook every time. There's a reason for that: obviously that would reduce your engagement, it would be a pain in your butt if every time, like before, you had to log into Facebook. The way that works in the back end of this is that once you successfully log into Facebook, Facebook creates a token, and that's a unique, really long, complicated set of characters. It stores that token on your device, whatever you logged in from, and it keeps a copy of that token on the Facebook side, so that when I then pick up my phone and click on the Facebook app, it checks that token with Facebook. Facebook looks and says, you know what, that really long complicated string, that token, that's valid right now, I'll let you have access to Mark's account.

And what happened with these hackers, after they escalated through these three bugs, is they gained access to the Facebook side of the token. So your device wasn't broken into, but Facebook's list of those matching tokens was accessed, and they got 50 million of them. In response, when Facebook found out about the issue, the first thing they did was they looked at every account that had used the View As feature. This is one of the vulnerable features that the attackers used. What it does is it allows you to check your security policy, ironically, on your Facebook account, to see what it would look like if Joe was looking at your account, or Francine or Fred or whoever was looking at your account. It's a way for you, being logged in, to see how other people would see your information. Super useful, very powerful feature that's currently disabled because of this. So what happened was they were able to leverage a bug here to pull down a copy of the token Facebook has for your login.

So now they had a valid token, and so did you on your device. So what Facebook did was they looked at everybody who had ever used that feature, so that's normal usage by users as well as the hackers, and they wiped all of those tokens out. So that's why 90 million is a number you hear: 50 million accounts are actually affected, 90 million accounts were reset, because those extra 40 million were users who had taken advantage of this procedure to see how their profile looked from other people's profiles. The problem with all this... so it's a great reaction, Facebook solved the issue, they took it out, they went overly conservative, and, you know, even though they knew there were 50 million that were accessed, they just wiped everybody just to be sure, which is great. It's a minor inconvenience for users when they picked up their app on Friday. They had to re-login.

The problem is the level of communication, because bad things happen, they're always going to happen, and you need to be out in front of it, you need to be honest and you need to be open with the user. So these people just had to log in, and there wasn't, from my knowledge, from any reporting, there wasn't a prompt to say your account was potentially affected, we've reset it. There was nothing. It was "oh, I guess I have to log in", and then trying to dig up the information on Friday, it wasn't immediately apparent. Now, in Facebook's defense, not a phrase I say often, when a cybersecurity incident like this is unfolding, there's not a lot of information. You don't have all the answers up front; it takes a while to get them. But at the point where they invalidated those login tokens and forced 90 million users to re-login, they knew that there was a potential to affect them. So that's when the communication should have come out, in more than just a Facebook blog.

They have the ability to push a message to all these users. They should have done that. In fact, they should have done it to all users and said, hey, you're not affected, right? Because, you think about it, 90 million users is probably about 6 to 8% of their user base, depending on the numbers you see lately. So it's a significant chunk of users, and it would make sense in this case to alert all users and say, if you did not have to re-login you were not affected, or better yet: hey, you were impacted, or you weren't impacted. And because there's no further steps you can take as a user beyond invalidating any of those tokens, and Facebook already took the logical step of invalidating the tokens so that the hackers are now denied access, but that information is potentially out there. The only additional thing a user can do is go back in your timeline to see if there's anything posted that you didn't post, that maybe they posted. But really, that doesn't seem like the root of this attack. It seems like it was harvesting personal information of 50 million people, and it seems like it was quite successful.

So that's the deal: a tidy and swift reaction in users' favor, which is always a positive thing. But that communication definitely could have been better, especially for a platform that is all about communication. You would hope that they would have come out and said, hey everybody, here's what went on, as opposed to just putting up a blog post and then letting the media report on things as the information kind of came out and as they could locate various experts. So, absolutely critical. I'm sure I'll cover that more in depth, but really at this point the easy takeaway for breach notification and talking to users is: it happened, it's already a sucky situation, shutting people out and not giving them the information they needed at the right time just makes things worse.

What do you think? Let me know. Hit me up online at @marknca. For those of you on the blogs, and ironically on Facebook, hit me up in the comments down below. As always, for podcast listeners and everybody, you can hit me up on email, marknca. I hope you have a fantastic day. This week I will keep trying to broadcast, though Wednesday won't hit the time because I'll be live keynoting at SecTor in Toronto. If you're there, swing by, say hi. Have a fantastic day. We'll talk to you online, on the show tomorrow.
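The episode describes two mechanisms without showing them: the "stay logged in" token that the client holds and the server matches against its own copy, and the response of wiping every token belonging to any account that had ever used the vulnerable feature, followed by the argument that every user, affected or not, should have been told. The example below is added here to make that concrete; it is not Facebook's code, not the show's, and makes no claim about how Facebook's token store actually works. Everything in it is assumed: the class and function names, the `view_as` feature label, the three user names, and the design choice of keeping only a SHA-256 fingerprint of each token on the server side so that a read of the table alone does not hand out a presentable token.

```python
"""Session-token store with feature-scoped bulk revocation and user notices.

Hypothetical example written for this episode page; not Facebook's code and not the
host's. All names (SessionStore, breach_notices, "view_as", the users) are assumed.
"""
import hashlib
import secrets
import time
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


@dataclass
class Session:
    user_id: str
    issued_at: float
    revoked: bool = False


class SessionStore:
    """Server side of the long-lived login token described in the episode.

    The client keeps the raw token; the server keeps only a SHA-256 of it.
    Tokens are 256-bit random values, so an unsalted hash is sufficient here:
    reading this table does not yield anything a client could present as a token.
    """

    def __init__(self) -> None:
        self._sessions: Dict[str, Session] = {}        # token fingerprint -> session
        self._feature_users: Dict[str, Set[str]] = {}  # feature -> users who used it

    @staticmethod
    def _fingerprint(token: str) -> str:
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def issue(self, user_id: str) -> str:
        """Login succeeded: mint a token, store its fingerprint, return the raw token."""
        token = secrets.token_urlsafe(32)
        self._sessions[self._fingerprint(token)] = Session(user_id, time.time())
        return token

    def validate(self, token: str) -> Optional[str]:
        """What the app does on launch: the user id if the token is live, else None."""
        session = self._sessions.get(self._fingerprint(token))
        if session is None or session.revoked:
            return None
        return session.user_id

    def record_feature_use(self, user_id: str, feature: str) -> None:
        """Audit trail of who used a feature ("view_as" is a constructed label)."""
        self._feature_users.setdefault(feature, set()).add(user_id)

    def revoke_for_feature_users(self, feature: str) -> List[str]:
        """Incident response: kill every live session of every account that ever used
        the vulnerable feature, legitimate use or not. Returns the affected user ids
        so they can be told why they were logged out."""
        affected = self._feature_users.get(feature, set())
        logged_out: Set[str] = set()
        for session in self._sessions.values():
            if session.user_id in affected and not session.revoked:
                session.revoked = True
                logged_out.add(session.user_id)
        return sorted(logged_out)


def breach_notices(reset_users: List[str], all_users: List[str]) -> Dict[str, str]:
    """One push message per user, as the episode argues: reset users are told why,
    and everyone else is told explicitly that they were not affected."""
    reset = set(reset_users)
    notices: Dict[str, str] = {}
    for user in all_users:
        if user in reset:
            notices[user] = ("Your session was reset because your account may have been "
                             "affected by a security incident. Please log in again.")
        else:
            notices[user] = "Your account was not affected by the recent security incident."
    return notices


def demo() -> Dict[str, object]:
    """Constructed walk-through: three users log in, two use the feature, the feature
    is found vulnerable, their sessions are revoked and notices are generated."""
    store = SessionStore()
    tokens = {u: store.issue(u) for u in ("alice", "bob", "carol")}  # constructed users
    store.record_feature_use("alice", "view_as")
    store.record_feature_use("bob", "view_as")
    reset = store.revoke_for_feature_users("view_as")
    still_valid = [u for u, t in tokens.items() if store.validate(t) == u]
    return {"reset": reset, "still_valid": still_valid,
            "notices": breach_notices(reset, list(tokens))}


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Two choices are worth noting. Revocation is keyed on the feature-use audit trail rather than on any attacker indicator, which is the over-conservative "wipe everyone who used it" approach the episode credits Facebook with; it only works if feature use was being recorded before the incident. And `breach_notices` produces a message for the unaffected majority too, so a user who was not logged out is not left guessing.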