View profile

Facebook has good news and bad news about its data breach

Revue
 
The good news about the Facebook data breach is that it affected fewer people than previously believe
 
October 12 · Issue #226 · View online
The Interface
The good news about the Facebook data breach is that it affected fewer people than previously believed — a rarity, in the cybersecurity realm. The bad news is that the types of data stolen were quite personal, and could have bad consequences for the 14 million people affected.
Facebook held a morning press call to discuss new details about the breach, which it discovered last month. Here’s Russell Brandom in The Verge:
According to today’s statement, the hackers stole access tokens for 30 million accounts (revised down from an initial estimate of 50 million), allowing them to gain complete access to the profiles. Of those 30 million, the hackers accessed basic contact information (name and either email or phone number) for 14 million accounts, and additional information including gender, religion, location, device information, and the 15 most recent searches for another 15 million accounts. No information was accessed for the remaining one million accounts.
“We take these incidents really, really seriously,” said Guy Rosen, Facebook’s vice president of product management, told reporters in a call afterwards.
You can check to see whether your account was affected here. (Mine wasn’t, depriving me of a crucial opportunity to post aggrieved tweets about the situation. Fortunately, it seems that every other tech reporter that I follow had their information compromised.)
This, it bears repeating, is a privacy disaster. The ripple effects may go unnoticed for weeks or months, but as long as users’ deeply personal information is floating around the internet, it is exposed and open to misuse. And what recourse do people have to reclaim that information? Two factor authentication, for example, will now be much harder for users who’ve had their email address and phone number compromised by the attack. As Slate’s Will Oremus noted, unlike a password, location histories and search histories aren’t things you can change. “If your password is stolen, you change your password. The damage is done and you move on. But if all your identifying personal information is stolen? You can’t change that. It could haunt you for the rest of your life,” he tweeted.
Some reporters have called on Facebook to offer free credit monitoring to breach victims; the company has so far been mum on the subject. The FBI is investigating, and has asked Facebook not to tell us who the company suspects is responsible for the attack.
Sarah Frier notes that the worst of the damage will likely be felt by a subset of 400,000 people, who served as an entry point for the attackers. (You’ll recall that they were able to exploit a series of bugs to view profiles as if they were the person who owned them.) For those people, in addition to profile data about hometowns and such, they also have to worry about hackers see their timeline posts and names of recent Messenger conversations. Notably, the attack affected even those users who employed two-factor authentication on their accounts.
What to make of all this? Weeks after Facebook revealed that the breach had happened, I’m still not sure that there is a smarter take than the extremely obvious and oft-stated one: it’s another blow to the trust that people have in Facebook, at a time when (1) that trust is already at a low, and (2) when the company is asking us to trust it more than ever.
The breach is the thread that has so far tied together every story about Facebook’s Portal video phone, which it announced on Monday. It’s the backdrop for Facebook’s head of health research going on stage this week to promote the idea of hospitals sharing anonymized patient data with the company. It’s the retort to the full-page newspaper ad Facebook placed earlier this year that began: “We have a responsibility to protect your information. If we can’t, we don’t deserve it.”
Over a long enough time span, all data is liable to be breached. It’s why some security researchers call on companies to store as little data about their customers as possible, to minimize the damage when the inevitable happens. As an advertising company, Facebook cannot easily adopt such an approach. But it could modulate the other ways in which it asks us for our trust — perhaps deciding, as Google did, to leave the camera out of its home speaker; or not to put on stage an executive soliciting our most personal information, however well anonymized, while the investigation into a data breach affecting millions is still underway.
Instead, it’s full speed ahead.
Perhaps Facebook will shrug off this breach, as it has so many privacy flaps before it. But credibility, once lost, is hard to regain. Facebook has been appropriately open and straightforward about the breach, in ways that could have rebuilt trust with its user base. But the story of this week has been how efforts elsewhere in the company have continually undermined them.

Democracy
Google CEO Tells Senators That Censored Chinese Search Engine Could Provide “Broad Benefits”
A military expert explains why social media is the new battlefield
Social media use and political knowledge in two U.S. Presidential elections
Microsoft Chief Backs Federal Privacy Law Over State Efforts
WhatsApp hits the road with skits to stamp out fake news in India
In Brazil's presidential election, hoaxes about voter fraud run rampant
Elsewhere
YouTube is cracking down on creators who post duplicated content
YouTube Stars Accused of Profiting Off Fans' Depression
Facebook mistakenly deleted some people’s Live videos
The Connecticut Resistance to Zuck’s Summit Learning Program
Facebook prototypes Unsend 6 months after Zuckerberg retracted messages
Launches
Facebook’s gaming hub Fb.gg launches into beta on Android
Instagram tests tapping instead of scrolling through posts, first in Explore
Outvote
Firefox Election Bundle
Takes
Memo to the media: Stop spreading Trump’s fake news
Silicon Valley’s Saudi Arabia Problem
Kanye West and Donald Trump and the Rise of Human Clickbait
And finally ...
Deepfakes helped Charli XCX imitate the Spice Girls in her latest music video
Talk to me
Send me tips, comments, questions, weekend plans: casey@theverge.com.
Did you enjoy this issue?
If you don't want these updates anymore, please unsubscribe here
If you were forwarded this newsletter and you like it, you can subscribe here
Powered by Revue