
Cyber Incident Victim: Meta

Date:

Sep 2018

Location:

United States of America

Summary

A major security breach exposed approximately 50 million user accounts through vulnerabilities in the platform's "view as" feature, allowing attackers to exploit bugs and steal access tokens that enabled unauthorized account access without requiring passwords. The attackers leveraged these tokens to compromise accounts sequentially, also affecting linked third-party applications including Instagram. The company detected unusual activity prompting an investigation, forced logouts for 90 million users as a precaution, and notified law enforcement and data protection authorities. The vulnerability originated from a code change related to video upload functionality introduced over a year prior, though the full scope of data accessed and attacker identities remained undetermined at disclosure. Regulatory scrutiny intensified following the incident due to concerns over systemic data security risks.

CIA Posture: Available to members
Motives: 1 motive
Tactics, Techniques & Procedures: 1 technique
Threat Actors: 0 actors
Type: Available to members
Location: Available to members

Description

On September 28, 2018, Facebook disclosed a security breach affecting approximately 50 million user accounts. Attackers exploited vulnerabilities in the platform's "View As" feature, a privacy tool allowing users to preview their profile as seen by others. The attackers leveraged two interconnected bugs introduced during a July 2017 update that added a "Happy Birthday" video upload prompt. When hackers used "View As" to access a profile, the video tool occasionally appeared improperly due to the first bug. A second bug in this video uploader enabled attackers to generate Facebook access tokens – digital keys permitting continued account access without requiring passwords – for the targeted profiles.

The attackers systematically scaled this exploit by using stolen tokens to compromise additional accounts through the same method, creating a chain of access. Facebook detected the breach in September 2018 after observing unusual spikes in activity and initiated an investigation. The company reset access tokens for the 50 million directly affected accounts and preemptively logged out a further 90 million users as a precaution. Third-party applications linked to Facebook accounts, including Instagram, were also impacted. Facebook notified the FBI and the Irish Data Protection Commission but had not identified the attackers or confirmed whether data was exfiltrated. Lawmakers including Senator Mark Warner criticized Facebook's data security practices following the disclosure, citing parallels to prior incidents such as the Equifax breach. The investigation remained ongoing at disclosure, with Facebook emphasizing that users did not need to reset passwords because the compromise involved access tokens rather than credentials.

Sources

1 source (available to members)