Facebook data breach affects 110,000 Australians’ personal information
April 1, 2019
Facebook has a tendency to advocate vague improvements to its privacy policies and to call for improved and stronger regulation after some egregious privacy breach or oppressive monopolistic act is uncovered. In the last year Facebook has been battered by the Cambridge Analytica scandal, by clear evidence of its platform being used by foreign players to influence elections, and by a seemingly regular stream of less dramatic but no less worrying privacy breaches. Facebook’s standard response to such problems has been a combination of virtue signalling and getting on board the reform wagon so as to moderate its outcomes. In early March Zuckerberg described the move to private messaging as his “pivot to privacy” in communications. After the briefest of analyses it was ridiculed and seen to be more about presentation than product: see Wired’s Facebook’s Pivot to Privacy Is Missing Something Crucial, Forbes’ Facebook’s Fake Pivot To Privacy and Slate’s Facebook’s Awkward Pivot to Privacy.
Mark Zuckerberg’s reported very recent call for a “more active” role for government regulation in internet privacy and election laws has a similar feel of a polished response to criticism. Except that the complaints are long-standing and the potential for real action by governments is real. The last edition of the Economist highlighted the steps being taken by the Europeans, a huge market, against Facebook and Google, amongst others, for their privacy-unfriendly practices. And those steps are not confined to Europe. American legislators are, for the fourth time, considering more comprehensive privacy laws or trust-busting action.
So while there is reason to be sceptical about Facebook’s motives, the pressure on Facebook and Google is such that there may be actual improvement.
And there should be, given the impact of the privacy breaches in Australia described in the Guardian’s report, More than 110,000 Australians caught up in September’s Facebook cyber-attack.
It provides:
The detailed personal information of more than 60,000 Australians was exposed in a massive cyber-attack on Facebook last year, giving hackers the ability to access their movements, hometown, search history, email and phone number.
Internal documents reveal the attack on Facebook in September last year affected an estimated 111,813 Australians, among roughly 29 million worldwide.
About 47,912 had only basic personal information – their name, email and phone number – compromised.
But other Australians were more exposed. Hackers were able to access information on 62,306 users’ hometown, most recent check-ins, birthday, education, work history, Facebook search history, name, email, phone number, gender, relationship status and religion. These users also had their most recent Facebook location check-ins exposed.
In another 1,595 cases, the names in private Facebook messenger conversations could be accessed, as could details of a person’s membership of Facebook groups.
The revelations are contained in confidential correspondence between Facebook and Australia’s privacy watchdog, the Office of the Australian Information Commissioner. The documents were released under freedom of information laws on Tuesday.
The correspondence shows Facebook took almost two weeks to discover the cyber-attack, which began on 14 September last year. It discovered the breach on 25 September, and did not notify the OAIC for another four days, at the same time it told other international agencies. When it did tell Australian authorities, it asked them to keep early estimates of the number of affected Australians confidential.
“We would be happy to continue to update you with more information as it becomes available, but we need to set expectations that obtaining clarity on what data was accessed is a considerably time-consuming process to ensure accuracy and complete analysis,” Facebook told OAIC’s principal director, Amie Grierson, in early October.
“We appreciate you will keep this information confidential as we continue to work on this analysis.”
Guardian Australia understands Facebook had been asked to keep certain information secret to protect law enforcement investigations.
Facebook said it did not believe the attack met the requirements of Australia’s notifiable data breach scheme, which legally compels companies to alert individuals and the OAIC if there is a possibility of “serious harm” from privacy breaches.
Facebook, in a subsequent “incident update” to the OAIC, revealed the extent of the impact on Australian users, but said it did not believe passwords or payment card information were at risk.
“Based upon what we’ve learned so far in our investigation, the attackers did not gain access to other personal information such as password information, identity documentation, financial information or payment card information,” the incident update said.
Facebook has now contacted all affected individuals in Australia to advise them of the breach.
The cyber-attack was allowed by what Facebook said was “a vulnerability caused by the complex interaction of three bugs” in its system. It allowed hackers to obtain access tokens, a kind of security key that allows users to stay logged into Facebook over multiple browsing sessions without entering their password every time.
Facebook said it quickly moved to secure its system and invalidated access tokens for almost 90 million accounts across the world.
Initially, Facebook believed the attack had affected 50 million people worldwide. The breach was thought to be the largest in the social media giant’s history.
Facebook has been approached for comment. It directed Guardian Australia to previous public statements about the issue issued in September and October.
“For 15 million people, attackers accessed two sets of information – name and contact details (phone number, email, or both, depending on what people had on their profiles),” Facebook said in October.
“For 14 million people, the attackers accessed the same two sets of information, as well as other details people had on their profiles. This included username, gender, locale/language, relationship status, religion, hometown, self-reported current city, birthdate, device types used to access Facebook, education, work, the last 10 places they checked into or were tagged in, website, people or Pages they follow, and the 15 most recent searches.”
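The Guardian extract above describes the attack as theft of access tokens, the long-lived credentials that keep a user logged in without re-entering a password, and Facebook’s response as invalidating those tokens for almost 90 million accounts. The following Python is an added illustration of why server-side token tracking makes that response possible; it is not Facebook’s code and says nothing about how its tokens are actually built. The token format (a random id plus an HMAC), the in-memory store, and the names `TokenStore`, `issue`, `validate`, `revoke_user` and `revoke_all` are all assumptions for the example. A purely self-contained token (a signature with no server-side record) cannot be revoked individually; a store keyed by token id can.

```python
"""Server-side access-token issuance and bulk invalidation (added example).

Models the mitigation described in the article: once tokens are suspected
stolen, every outstanding token can be revoked so replaying one fails.
Not Facebook's implementation; the format and store are assumptions.
"""
import hashlib
import hmac
import secrets
import time

# Constructed server-side signing key for the demo; a real service would keep
# this in a secrets manager and rotate it.
SERVER_KEY = secrets.token_bytes(32)


class TokenStore:
    """Issues tokens and tracks them so that any of them can be revoked."""

    def __init__(self, key: bytes = SERVER_KEY):
        self._key = key
        # token_id -> {"user": str, "issued": float, "revoked": bool}
        self._tokens: dict = {}

    def _sign(self, token_id: str) -> str:
        """HMAC over the token id so a client cannot forge ids of its own."""
        return hmac.new(self._key, token_id.encode(), hashlib.sha256).hexdigest()

    def issue(self, user: str) -> str:
        """Create a token for `user`; the id is random, the signature binds it."""
        token_id = secrets.token_urlsafe(16)   # urlsafe alphabet never contains "."
        self._tokens[token_id] = {"user": user, "issued": time.time(), "revoked": False}
        return f"{token_id}.{self._sign(token_id)}"

    def validate(self, token: str):
        """Return the owning user, or None if the token is forged, unknown or revoked."""
        token_id, _, sig = token.partition(".")
        if not hmac.compare_digest(sig, self._sign(token_id)):
            return None                       # signature does not match: forged
        record = self._tokens.get(token_id)
        if record is None or record["revoked"]:
            return None                       # never issued, or invalidated
        return record["user"]

    def revoke_user(self, user: str) -> int:
        """Invalidate every live token belonging to one account; returns the count."""
        count = 0
        for record in self._tokens.values():
            if record["user"] == user and not record["revoked"]:
                record["revoked"] = True
                count += 1
        return count

    def revoke_all(self) -> int:
        """Bulk invalidation across all accounts, the response the article describes."""
        count = 0
        for record in self._tokens.values():
            if not record["revoked"]:
                record["revoked"] = True
                count += 1
        return count


if __name__ == "__main__":
    store = TokenStore()
    t = store.issue("alice")
    print("valid before revocation:", store.validate(t))
    store.revoke_all()
    print("valid after revocation:", store.validate(t))
```

Revocation is only as good as the check on every request: `validate` must be consulted on each use, which is why the store, not the client, holds the revoked flag.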
This article follows from the Wall Street Journal’s Hundreds of Millions of User Passwords Exposed to Facebook Employees.
Security lapse the latest privacy issue for the social-media giant
The company identified the issue as part of a routine security review in January.
Facebook Inc. for years stored hundreds of millions of user passwords in a format that was accessible to its employees, in yet another privacy snafu for the social-media giant.
The incident disclosed by the company Thursday involved a wide swath of its users, though Facebook said no passwords were exposed externally, and it hasn’t found evidence of the information being abused.
Facebook estimated it will notify “hundreds of millions of Facebook Lite users, tens of millions of other Facebook users, and tens of thousands of Instagram users,” the company’s vice president of engineering, security and privacy Pedro Canahuati said in a blog post Thursday.
Facebook Lite is a stripped-down version of the product for use by people without access to reliable internet service.
The security lapse appears similar to others that have occurred at tech companies, including Twitter Inc., which asked 331 million users to change their passwords in May after discovering that one of its internal systems logged users’ unencrypted passwords.
Because so many people reuse their passwords, they have emerged as a major security problem for tech companies. Password databases have become a prime target for cyber thieves, and hackers will often try a user’s stolen password to break into new sites. Most companies, including Facebook, monitor the internet for publicly released databases of passwords.
“Passwords are extremely sensitive data,” said Deirdre K. Mulligan, an associate professor at University of California Berkeley, who specializes on data privacy. “If passwords are being stored in the clear, accessible by thousands of employees, one can only imagine how poorly other data is being managed,” she said.
Facebook’s data-security lapse attracted more attention than similar stumbles elsewhere given persistent criticism of how the company collects, stores and deploys its users’ data.
It also contradicts at least some of the company’s previous assurances on the matter. In a 2014 post about password security, Facebook’s then-security engineer Chris Long wrote that “no one here has your plain text password.”
Facebook identified that it did log plain-text passwords as part of a security review in January, Mr. Canahuati said.
During the review, Facebook has been looking at the ways it stores some information, such as access tokens, and has fixed problems as they were discovered, he said. While Facebook will notify users whose passwords were stored insecurely “as a precaution,” there is no current plan to require users to change their passwords.
The security lapse follows a data breach six months ago in which Facebook said attackers managed to extract data such as name, gender and hometown for around 50 million users. It also comes amid a wide-ranging Federal Trade Commission review of Facebook’s privacy policies and handling of user data. Though that probe began following a scandal over how political consulting firm Cambridge Analytica obtained Facebook user data, Facebook has said it kept the FTC abreast of other privacy and data-handling lapses.
Storing passwords in an encrypted format is “not just best practice, it’s something that industry should always do,” said Jennifer Granick, a lawyer with the American Civil Liberties Union. “Facebook’s failure to do that will really upset the FTC,” she said.
The internal exposure of passwords was reported by krebsonsecurity.com earlier Thursday. Citing an unnamed senior Facebook executive, independent security researcher Brian Krebs wrote that as many as 600 million passwords were exposed, with some being improperly stored as far back as 2012. According to Mr. Krebs’s report, the files containing the passwords were accessible to as many as 20,000 Facebook employees, and around 2,000 company developers and engineers interacted with the system that contained them.
Facebook’s post disclosing that it had logged the plain-text passwords came after a company source grew impatient waiting for the company to acknowledge the problem on its own and contacted Mr. Krebs.
“My source did seem to be concerned that Facebook was going to delay disclosing this as long as it could,” Mr. Krebs told the Journal in an email.
Facebook’s hashing algorithm, known internally as “the onion,” is made up of a series of cryptographic techniques that evolved over time and are used internally to obfuscate data such as user passwords. Mr. Canahuati’s post didn’t explain why a vast quantity of login information had not been treated in that fashion in this instance, and Facebook didn’t respond to a request for additional information about what purpose the logged data served.
The risk of mistakes like Facebook’s is greater within large companies because teams of engineers are often working on unrelated projects with different goals, said Chris Vickery, a security researcher for Upguard.
“This was logs of the passwords arriving, data in transit,” Mr. Vickery said. “Whoever designed the logging system didn’t have passwords in mind. Whoever designed the database that stored passwords probably didn’t know this existed.”
Even if no users were harmed by the mistake, Mr. Vickery said, the sloppiness in handling user data is “another example of bad data governance as a culture at Facebook.”
Facebook has been under fire for much of the past year over data-security issues and concerns over how it monitors the platform. Even against that backdrop, the past week has been a difficult one for the Menlo Park, Calif., company. Last week the company’s chief product officer and the head of its WhatsApp division resigned unexpectedly, a move seen as reflective of intense debate within the company over its direction.
This week the company has had to answer questions about its response to the video of the Christchurch, New Zealand shooting, which was live-streamed on Facebook and remained on the site for half an hour after a user brought it to the company’s attention. The company also announced the settlement of a lawsuit alleging that it had discriminated against some users by allowing housing, employment and credit-related ads to be targeted according to gender, age and ZIP Code. Facebook paid less than $5 million and agreed to end the practice.
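The WSJ extract above makes two technical points: passwords should reach storage only as salted hashes (the “onion” remark), and, per Mr. Vickery, the lapse happened in a logging path that captured passwords in transit, outside the password database entirely. The Python below is an added example, not Facebook’s code or its hashing scheme, showing the controls that address both points: masking credential fields before a request is logged, storing passwords with PBKDF2 and a per-user salt, and a cheap audit that scans existing log lines for unredacted credential values. The field names, the iteration count, the sample log lines and the function names are constructed assumptions.

```python
"""Keeping passwords out of logs and storing only salted hashes (added example).

Not Facebook's code: illustrates the two controls the article's lapse lacked.
Field names, sample data and parameters are constructed for the demo.
"""
import hashlib
import hmac
import os
import re

# Request fields that must never be written to a log in the clear (assumption).
SENSITIVE_FIELDS = {"password", "passwd", "pwd", "new_password", "old_password"}
# Assumed iteration count; tune upward to the deployment's CPU budget.
PBKDF2_ITERATIONS = 200_000


def redact_for_log(request: dict) -> dict:
    """Return a copy of a parsed request with credential fields masked.

    Apply this at the logging boundary, so the logger never sees the secret.
    """
    return {k: ("[REDACTED]" if k.lower() in SENSITIVE_FIELDS else v)
            for k, v in request.items()}


def hash_password(password: str) -> str:
    """Salted PBKDF2-HMAC-SHA256; the stored string carries its own parameters."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt/iterations and compare in constant time."""
    try:
        algo, iters, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                    bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


# Matches key=value or "key": "value" forms for common credential field names.
_LEAK_RE = re.compile(r'"?(password|passwd|pwd)"?\s*[=:]\s*"?([^"\s,}&]+)', re.IGNORECASE)


def find_leaked_passwords(log_lines):
    """Audit log lines; returns (line_number, field_name) for unredacted values."""
    hits = []
    for number, line in enumerate(log_lines, start=1):
        for match in _LEAK_RE.finditer(line):
            if match.group(2) != "[REDACTED]":
                hits.append((number, match.group(1)))
    return hits


# Constructed sample log lines: two leak a credential, two do not.
SAMPLE_LOG = [
    'POST /login user=alice password=hunter2 status=200',
    '{"event": "login", "user": "bob", "password": "[REDACTED]"}',
    'GET /feed user=carol status=200',
    '{"event": "login", "user": "dave", "pwd": "S3cret!"}',
]


if __name__ == "__main__":
    print(redact_for_log({"user": "alice", "password": "hunter2"}))
    record = hash_password("hunter2")
    print(verify_password("hunter2", record), verify_password("wrong", record))
    print(find_leaked_passwords(SAMPLE_LOG))
```

The redaction runs before serialisation, which is the point Mr. Vickery makes: a logging system designed without passwords in mind will faithfully record whatever the request carried, so the masking has to sit in the request path, not in the log pipeline after the fact.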