Improving Technical Security 1 October 2018

The Facebook Breach: Some Lessons for the Internet

By Olaf Kolkman, Principal - Internet Technology, Policy, and Advocacy

Last week Facebook found itself at the heart of a security breach that put at risk the personal information of millions of users of the social network.

On September 28, news broke that an attacker exploited a technical vulnerability in Facebook’s code that would allow them to log into about 50 million people’s accounts.

While Facebook was quick to address the exploit and fix it, they say they don’t know if anyone’s accounts actually were breached.

This breach follows the Cambridge Analytica scandal earlier this year that resulted in the serious mishandling of the data of millions of people who use Facebook.

Both of these events illustrate that we cannot be complacent about data security. Companies that hold personal and sensitive data need to be extra vigilant about protecting their users’ data.

Yet even the most vigilant are also vulnerable. Even a single security bug can affect millions of users, as we can see.

There are a few things we can learn from this that apply to other security conversations: doing security well is notoriously hard, and persistent attackers will find bugs to exploit, in this case a combination of three apparently unrelated ones on the Facebook platform.

This is a lesson for anybody who says that exceptional access can be built securely. This is not a moment for schadenfreude, though – I believe that the transparency with which the engineers at Facebook handled this issue will aid the social network’s efforts to rebuild trust with its users. And let’s face it, those engineers found the problem themselves through monitoring of their systems.

Facebook is not only providing the technical means of access to its own services, but also to others’. While there is no proof yet that any third-party applications have been compromised, I believe that we must think about decentralising some of these login mechanisms before one of these houses of cards collapses. That may not be trivial, as building and maintaining these systems securely requires lots of resources, which are not available to everybody.

That is a wicked problem, one that is gaining focus as a significant issue we must resolve very soon if we really wish to see an open, globally-connected, trustworthy, and secure Internet for everyone.

Disclaimer: Viewpoints expressed in this post are those of the author and may or may not reflect official Internet Society positions.
