By: Craig Taylor, Chief Information Security officer, Neoscope

Breach Summary:

A Facebook change in July of 2017 exposed Facebook’s “Access Tokens” which are little bits of computer code used to maintain a persistent connection to Facebook on your mobile devices or your computer’s web browser without requiring you to authenticate again and again.  This convenient feature was exploited by hackers to download (allegedly) the private Facebook profiles of over 50 million users putting all that personal private data in the hands of hackers.

Potential Impact and What to do:

This flaw wasn’t reported through Facebook’s Bounty Program, implicating a nation state or organized crime group as being behind these attack. Since Facebook has fixed the flaw and reset all users “Access Tokens” there is nothing end users can do to further protect themselves short of deleting their Facebook accounts. Regardless of who’s behind the attacks, 50 million Facebook users’ personal private details previously available only to friends and family have been exposed, enabling sophisticated social engineering email phishing attacks (and possibly phone-based attacks). Imagine this scenario:

Hi John,

We, at [favorite sports store], have noticed you haven’t been playing [insert favorite sport] since your knee surgery last June. We’d like to get you back out there playing once you’re fully recovered with this exclusive 50% off injury time-out coupon. Download, print and bring it in during the month of October for your exclusive discount.

Sincerely,

Your teammates at [sports store]

I do not profess to be a super-hacker or devious social engineer. I’m sure folks can imagine sneakier phishing attacks given the wealth of personal private information contained in our online Facebook profiles. Great social engineering attacks just might succeed in convincing unsuspecting end users to download malware disguised as coupons, visit malicious websites that compromise a computer or steal credentials, and ultimately lead to ransomware infected machines, compromised email credentials, or even remote access to our computers. Don’t get me started on how we don’t educate our students about these types of attacks and how to avoid them!

Key Take-Away Message:

The days of reasonable privacy are over. We all must be hyper-vigilant in our online lives. Unfortunately, we must carry a healthy degree of skepticism that if something seems too good to be true, or has the Hallmarks of a Phishing attack, it is.  Delete the email, hang up the phone, and move on.  You’ll be glad you did.