On Sept. 25, Facebook discovered it had fallen victim to an attack that breached 50 million user accounts. As a result, Facebook invalidated its Single Sign On (SSO) access tokens for those accounts, as well as 40 million more that had used the "View As" feature exploited by attackers. Afterward, those 90 million users had to log in again, which generated a new SSO access token (see Facebook Breach: Attackers Exploited Privacy Feature).
The social media giant says its investigation into the breach is ongoing, but security researchers say this is the rare breach that might deserve to be labeled "sophisticated." Whoever hacked Facebook by abusing the "View As" feature successfully targeted three separate bugs in Facebook's video-uploading functionality.
As a precautionary measure, Facebook temporarily removed the "View As" feature that contained the security vulnerability until it could fully investigate.
To drill down a little, Facebook's SSO system allows users to access compatible third-party website services or mobile apps without having to log in again. Such capabilities have obvious ease-of-use upsides for legitimate users. Unfortunately, that ease-of-use benefits any attacker who comes to possess stolen access tokens, because they can automatically carry those users' single sign-ons through to a number of other sites, including Facebook's Instagram and many others. By stealing working access tokens, attackers could have automatically mined not just 50 million Facebook users' accounts, but any other account or service for which they allowed Facebook's SSO functionality to work.
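As an added illustration (not Facebook's code, and all class and method names are hypothetical), the following Python models the response described above: the identity provider bulk-invalidates every outstanding SSO token for the affected accounts, and a third-party relying party checks the token with the provider on every request, so a stolen token stops working at the third-party site at the same moment it dies at the provider.

```python
"""Toy model of SSO access-token invalidation (hypothetical, not Facebook's code).

An identity provider (IdP) issues bearer tokens; a relying party (third-party
site) accepts a token only after asking the IdP whether it is still live.
Bulk invalidation is a per-account watermark: any token issued before the
watermark is dead, so one revocation covers every site that honours the token.
"""
import secrets
from dataclasses import dataclass, field


@dataclass
class IdentityProvider:
    _tokens: dict = field(default_factory=dict)          # token -> (user_id, issued_at)
    _invalid_before: dict = field(default_factory=dict)  # user_id -> watermark
    _clock: float = 0.0  # constructed monotonic clock so the demo is deterministic

    def _now(self) -> float:
        self._clock += 1.0
        return self._clock

    def issue_token(self, user_id: str) -> str:
        """Mint a fresh opaque token; this is what a re-login produces."""
        token = secrets.token_urlsafe(32)
        self._tokens[token] = (user_id, self._now())
        return token

    def invalidate_all(self, user_ids) -> None:
        """Incident response: kill every outstanding token for the listed accounts."""
        now = self._now()
        for uid in user_ids:
            self._invalid_before[uid] = now

    def introspect(self, token: str):
        """Return the user_id if the token is live, otherwise None."""
        entry = self._tokens.get(token)
        if entry is None:
            return None
        user_id, issued_at = entry
        if issued_at < self._invalid_before.get(user_id, 0.0):
            return None  # issued before the watermark: treat as stolen/expired
        return user_id


class RelyingParty:
    """Third-party site. It must not cache the answer: a cached 'valid' would
    keep a revoked token alive here after the IdP has already killed it."""

    def __init__(self, idp: IdentityProvider):
        self.idp = idp

    def handle_request(self, token: str) -> str:
        user = self.idp.introspect(token)
        return f"welcome {user}" if user else "401 re-authenticate"
```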
"While SSO is convenient for users, it also represents a single point of failure in security," said Cornerstone Credit Union IT Analyst Michael Salyer. "While this may not directly affect credit unions, in our risk assessments we warn credit unions not to conduct any business with members over Facebook or other social media platforms. This should be both in their policy as well as part of their training to employees."
"Hackers sometimes use multiple points of entry (security flaws) to obtain information or infiltrate a company," Salyer said. "This is a warning for credit union employees not to give out seemingly innocuous information that can be pieced together by hackers/social engineers to breach a system."
National Cyber Security Awareness Month has been observed each October in the U.S. since its inception in 2004. It encourages vigilance and protection by all computer users.
Security Resources at Your Fingertips
As technology changes, every credit union faces new security issues. Let Credit Union Resources help you stay on top of it—your future could depend on it. Our team of technology professionals provides guidance on compliance, shares best practices, and performs audits. We have a vested interest in your success, and your cybersecurity matters to us. To find out how we can help you manage cybersecurity and operational risks, contact: