


Facebook's Password Breach Suggests The Public Sees Cybersecurity As Obsolete



Facebook’s busy week included its acknowledgement of yet another massive security breach. This time the company admitted that as many as 600 million users’ passwords had been stored in plain text and were accessible to some 20,000 employees, of whom roughly 2,000 made more than 9 million searches that accessed the passwords, with records going back to 2012. Making matters worse, the company discovered the breach three months ago but was trying to keep it secret until a concerned whistleblower leaked details to KrebsOnSecurity, which forced the company to make a hasty admission on Thursday. What does this latest breach tell us about Facebook’s approach to security?

It is truly breathtaking that a company of Facebook’s size and influence failed to notice that it was logging user passwords in cleartext for more than seven years and that those passwords had been exposed in more than 9 million searches over that time period.

A breach of this magnitude, covering more than a quarter of Facebook’s entire user base over almost half its existence as a company, suggests internal security controls and sensitive data auditing are essentially non-existent at the company.

More to the point, it reminds us just how little the company cares about its users and their most sensitive data.

Facebook has skilled cybersecurity professionals when it comes to its own systems.

It is important to recognize that Facebook’s never-ending stream of security breaches has almost always involved its public interfaces, rather than remote hackers penetrating its networks and exfiltrating its databases.

It is even more important to remember that almost all of the company’s breaches to date have involved the data of its users, not Facebook’s own data.

In other words, Facebook is quite competent when it comes to securing data it views as valuable, such as its own records. It invests massively in hardening its systems and securing its own data in every possible way.

When it comes to its users, however, the company’s willful disregard for their safety, security and privacy now appears to extend to its handling of their passwords.

The vector through which the breach occurred, developer logging, reminds us how easily even the most sensitive information can leak across a company through improper logging practices. Gone are the days when companies didn’t think twice about transmitting user credentials in the clear and storing them in plaintext in wide-open, internet-connected databases with default passwords (though unfortunately this does still happen). Yet even companies that follow all the standard security best practices can suffer breaches if they don’t meticulously control how every piece of sensitive information flows through their entire infrastructure, including the debug logs and analytics pipelines that sit far outside the authentication system itself.

After all, even properly hashed password storage is useless if a developer can simply insert a line of code that logs the cleartext password, as the user submitted it at login, to a remote developer database and thereby make it searchable by the entire company. Hashing protects the password only at rest in the credential store; it does nothing for copies captured before the hash is computed.
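To make the mechanism concrete, the following is an added example, not Facebook’s code or anything from the reporting above. It shows the leaking pattern (a debug line that dumps a whole login payload), a hardened version in which a redacting filter on the log handler scrubs credential-looking values before they are written, and an audit routine of the kind a sensitive-data review would run over existing logs to find such leaks after the fact. The field names, the sample payload and the sample log lines are constructed for the example.

```python
"""Added example (not Facebook's code): how a cleartext password leaks into
application logs, plus two controls against it: a redacting log filter and a
log audit that finds leaks after the fact. All names and sample data below are
constructed for this illustration."""
import io
import json
import logging
import re
from typing import Any

# Keys whose values must never reach a log; matched case-insensitively as
# substrings, so "password", "new_password" and "access_token" all count.
SENSITIVE_KEYS = ("password", "passwd", "secret", "token", "authorization", "cookie")
REDACTED = "[REDACTED]"

# Matches key=value or "key": "value" where the key contains a sensitive word.
# Group 1 is everything up to and including the separator; group 2 is the value.
_KV_RE = re.compile(
    r'(\w*(?:' + "|".join(SENSITIVE_KEYS) + r')\w*"?\s*[=:]\s*)("[^"]*"|[^\s,;&]+)',
    re.IGNORECASE,
)


def scrub_text(text: str) -> str:
    """Replace the value of every credential-looking key=value pair in text."""
    return _KV_RE.sub(lambda m: m.group(1) + REDACTED, text)


def redact(obj: Any) -> Any:
    """Copy of a dict/list with values under sensitive keys replaced, recursing
    so {"user": {"credentials": {"password": ...}}} is scrubbed as well."""
    if isinstance(obj, dict):
        return {k: (REDACTED if any(s in str(k).lower() for s in SENSITIVE_KEYS) else redact(v))
                for k, v in obj.items()}
    if isinstance(obj, list):
        return [redact(v) for v in obj]
    return obj


class RedactingFilter(logging.Filter):
    """Attached to a handler: redacts structured args, renders the record, then
    scrubs the text, so a developer's stray debug line cannot emit a password
    even when it dumps the whole request."""

    def filter(self, record: logging.LogRecord) -> bool:
        if isinstance(record.args, dict):
            record.args = redact(record.args)
        elif isinstance(record.args, tuple):
            record.args = tuple(redact(a) for a in record.args)
        record.msg = scrub_text(record.getMessage())
        record.args = ()  # already rendered into msg
        return True


def login_handler(payload: dict, log: logging.Logger) -> str:
    """The leaking pattern: logging the full request payload for debugging.
    The same line runs in both setups below; only the handler differs."""
    log.debug("login attempt payload=%s", json.dumps(payload))
    return payload["email"]


def run_and_capture(payload: dict, redacting: bool) -> str:
    """Run login_handler with a fresh logger writing to a buffer; return the log text."""
    buf = io.StringIO()
    handler = logging.StreamHandler(buf)
    if redacting:
        handler.addFilter(RedactingFilter())
    log = logging.getLogger(f"example.{'hardened' if redacting else 'leaky'}")
    log.handlers.clear()
    log.addHandler(handler)
    log.setLevel(logging.DEBUG)
    log.propagate = False
    login_handler(payload, log)
    handler.flush()
    return buf.getvalue()


def find_credential_leaks(lines: list[str]) -> list[tuple[int, str]]:
    """Audit control: scan existing log lines and report (line number, key) for
    every credential-looking pair whose value has not already been redacted."""
    hits = []
    for n, line in enumerate(lines, start=1):
        for m in _KV_RE.finditer(line):
            if REDACTED not in m.group(2):
                hits.append((n, m.group(1).strip(' "=:')))
    return hits


# Constructed sample data for the demonstration.
SAMPLE_PAYLOAD = {"email": "user@example.com", "password": "hunter2", "remember": True}
SAMPLE_LOG_LINES = [
    "2019-03-21T10:00:00Z INFO  request GET /home user_id=42",
    '2019-03-21T10:00:01Z DEBUG login attempt payload={"email": "user@example.com", "password": "hunter2"}',
    "2019-03-21T10:00:02Z DEBUG oauth exchange access_token=ya29.example-token client=web",
    '2019-03-21T10:00:03Z DEBUG login attempt payload={"email": "a@b.c", "password": [REDACTED]}',
]

if __name__ == "__main__":
    print(run_and_capture(SAMPLE_PAYLOAD, redacting=False).rstrip())
    print(run_and_capture(SAMPLE_PAYLOAD, redacting=True).rstrip())
    print(find_credential_leaks(SAMPLE_LOG_LINES))
```

The filter belongs on every handler, not in the call sites: the whole point of the Facebook incident is that the person writing the debug line is not the person thinking about credential handling. The audit function is deliberately crude (a regex over key names), which is also its lesson: a scan this simple, run over the log stores periodically, would have flagged cleartext passwords sitting in a developer database years before 9 million searches were made against them.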

What makes Facebook’s latest breach so damaging, however, is that it comes on the heels of the company’s token breach just six months ago where a bug in its authentication code allowed attackers to log in as any user and steal the sensitive information of more than 50 million users.

The fact that in the aftermath of a massive breach in which more than 50 million users had their data stolen, Facebook did not conduct a top-down security audit of its authentication systems says all there is to say about Facebook’s approach to user security.

Three months ago, the company acknowledged yet another security failure that allowed the private photos of 6.8 million users to be improperly available to 1,500 applications built by 876 developers for more than half a month before the company noticed.

With two major security breaches in rapid succession, one would think Facebook would have finally conducted a massive security audit of its systems. Yet, once again it apparently failed to take any action to inspect how it was handling user authentication information.

Even more troubling is that the company attempted to keep this latest breach under wraps, acknowledging it only after a whistleblower notified a major cybersecurity blog.

When Facebook announced its photo breach last year, the company admitted that it had waited nearly two months to publicly acknowledge the breach, placing it in possible violation of the European Union’s GDPR rules, which require notification within 72 hours.

The company’s response at the time was that it believed it had the power to decide when the 72-hour window began, and that after two months of waiting it had decided to start the 72-hour clock and finally acknowledge the breach. For its part, the Irish Data Protection Commissioner noted at the time that it was reviewing Facebook’s interpretation of GDPR but declined to go further.

It appears that Facebook is sticking with its approach of treating GDPR as merely a flexible set of recommendations that it can adjust to its business needs rather than a hard set of enforceable laws. This time Facebook says it has been aware of its latest breach for nearly three months without notifying affected users. Asked whether the company believed any of the affected users were covered by GDPR and if so, why it believed it was not in violation of the 72-hour notification rule, the company did not respond.

Similarly, the company did not respond to multiple requests for comment regarding why it did not notify the public immediately upon discovering the breach and what it was waiting for. It also did not respond when asked why it had not spotted such an obvious and egregious leaking of credential data for more than seven years and why its sensitive data audits had not spotted password data residing in cleartext databases outside its authentication infrastructure. It similarly did not respond when asked whether it would permit external review of its security practices.

Putting this all together, Facebook once again reminds us just how little it invests in the security of its users: upwards of half a billion users’ passwords may have been exposed millions upon millions of times over more than seven years.

Yet, perhaps the biggest lesson here is that despite breach after breach after breach of our most sensitive data by Facebook, we don’t leave.

After a year of almost non-stop privacy and security breaches, Facebook only continues to grow and become ever more profitable.

If we keep using the services of a company that suffers breach after breach after breach after breach of our data, there is no incentive for the company to do better. Facebook appears to have learned this lesson well.

Should companies continue to invest heavily in cybersecurity if it no longer matters how many or how severe their breaches are? If a company can hemorrhage its most sensitive user data and even access credentials again and again and again and again without losing any of its users and in fact continue to grow rapidly during that period, perhaps there is no longer a reason to even bother trying to secure our networks, since users apparently no longer care if their data is stolen.

In the end, perhaps the real lesson here is that we don’t actually care about our online security anymore. After all, if we stay with companies that allow our data to be stolen or breached again and again, it is clear security is no longer of any concern to society.