Improving Technical Security 1 October 2018

The Facebook Breach: Some Lessons for the Internet

By Olaf Kolkman, Chief Internet Technology Officer

Last week Facebook found itself at the heart of a security breach that put at risk the personal information of millions of users of the social network.

On September 28, news broke that an attacker exploited a technical vulnerability in Facebook’s code that would allow them to log into about 50 million people’s accounts.

While Facebook was quick to address the exploit and fix it, they say they don’t know if anyone’s accounts actually were breached.

This breach follows the Cambridge Analytica scandal earlier this year that resulted in the serious mishandling of the data of millions of people who use Facebook.

Both of these events illustrate that we cannot be complacent about data security. Companies that hold personal and sensitive data need to be extra vigilant about protecting their users’ data.

Yet even the most vigilant are also vulnerable. Even a single security bug can affect millions of users, as we can see.

There are a few things we can learn from this that apply to other security conversations: doing security well is notoriously hard, and persistent attackers will find bugs to exploit; in this case it was a combination of three apparently unrelated ones on the Facebook platform.

This is a lesson for anybody who says that exceptional access can be built securely. This is not a moment for schadenfreude, though – I believe that the transparency by which the engineers at Facebook coped with this issue will aid the social network’s efforts to re-build trust with its users. And let’s face it, those engineers found the problem themselves through monitoring of their systems.

Facebook is not only providing the technical means of access to its own services, but also for others. While there is no proof yet that any third-party applications have been compromised, I believe that we must think about decentralising some of these login mechanisms before one of these houses of cards collapses. That may not be trivial, as building and maintaining these systems securely requires lots of resources, which are not available to everybody.

That is a wicked problem, one that is gaining focus as a significant issue we must resolve very soon if we really wish to see an open, globally-connected, trustworthy, and secure Internet for everyone.


Disclaimer: Viewpoints expressed in this post are those of the author and may or may not reflect official Internet Society positions.
