The recent Facebook data breach, suspected to have impacted around 90m user accounts is a wakeup call for all users and the technology sector.
For users it is yet another stark example of the fragility of our personal and private lives many so willingly share on social media. This sophisticated attack allowed hackers to steal Facebook access tokens to take over people's accounts. Access tokens are the equivalent of digital keys, they keep users logged in and remove the need to re-enter their password every time they use the app.
The access token concept and the "log in with Facebook" button found on so many sites has caused password and security complacency amongst users. We've placed trust in Facebook to manage the security of our private data to such a degree we've become security lazy!
For the technology sector there are some very sobering lessons that a breach of this size indicates, including:
- failure to understand how technology designed to work on an individual level could be exploited or repurposed when scaled up to apply to millions
- no one involved in the development and deployment of this technology stopped to rethink their approach
- organisations have not changed their attitudes and approaches regarding the use of our data, many organisations still think it is their data - it is not.
- designers and developers are still not embedding the privacy by default approach
Experience also tells us investigating a breach of this size is a very complex and time consuming activity. There will be no quick answers for users who are trying to understand what has happened to their data.
Every user of every social media network should stop for a moment and think about their actions and to whom they entrust the security and use of their personal and private data - and you should change some passwords.
For the technology industry now is the time to learn lessons which go beyond staying out of compliance trouble and moving towards customer and personal data respect.
The vulnerability stems from three linked bugs and has existed since July 2017, but Facebook did not discover it until this month when it spotted an unusual increase in usage of its "view as" feature.