Facebook Breach
Aleksandr Gryzlov
Foundation of Information Security
04/24/2022
Cyber crimes can happen to anyone, even to mega-corporations with over a billion daily
users, such as Facebook. Cases like this show that, no matter how strong the security is, it is
never enough. No one can be a hundred percent safe, but the events that happened to the "Meta"
corporation may bring more awareness to the public and reduce the chances of this happening
again, especially when the corporation is trying to hide that these incidents even happened.
How much damage was actually done? The social media platforms Facebook and
Instagram store the personal information of billions of users on Meta's own servers, and those
systems were breached in 2013; in May and September 2018; in March, twice in April, September
and December 2019; and most recently in April 2021 (SelfKey Identity Wallet, 2022). The amount
of users' personal information that was exposed is on an incredible scale: six million users in 2013,
sixty-four million users in total over 2018, over a billion users in 2019, and five hundred
thirty-three million users in 2021. "In July 2019, months before patching up the March and
April issues, Facebook reached a $5 billion settlement with the U.S. Federal Trade Commission
for violating an agreement with the agency to protect user privacy" (Bowman, 2021). In total the
personal information of over one billion unique users was exposed; some of them may have had
their personal information stolen twice or more over the years while using Facebook and
Instagram. More than half of these breaches were not announced to the public in a timely manner.
After the last breach, in April 2021, Facebook decided not to notify affected users in the app and
did not prompt them to reset their passwords. That is why security researcher Troy Hunt loaded
the leaked data into his website, "haveibeenpwned.com", so that people could check whether their
information had been compromised; if it had, the site provided three steps to secure their data
(Bowman, 2021).
What happened after the data had been stolen? All the stolen user information can be
used by criminals for further social engineering attacks. Attackers may hold people's personal
information such as first name, last name, email address, and phone number. Those attacks can
occur over the internet through Facebook and Instagram, or offline over the phone, by mail, or in
person (Murray, 2021). When users' accounts are compromised, Facebook itself must act quickly
to notify its users about the dangers and recommend changing or hardening their login
information. In all cases Meta made public statements about a breach only two or three weeks
after the incident. Most of these public statements were never followed by personal notices to
users with recommendations on how to secure their accounts. Many victims never even find out
whether their data has been compromised or what type of data was stolen.
Most of the cases mentioned are entirely the responsibility of Facebook and
Instagram. From 2012 to 2013 Facebook had a bug that allowed unauthorized users to see other
users' personal information. Another flaw, found in May 2018, allowed users to see private posts
without permission, but it was exploitable for only five days. In September 2018 the first big data
breach happened, caused by a combination of bugs in Facebook's platform. It involved the "View
As" feature, which lets a user see how their profile and privacy settings look to another person. To
explain, "The first bug in the system prompted Facebook's video upload tool to show up on the
"View As" page. The second bug caused the video uploader to create an access token (which is
what allows you to stay logged into your Facebook account on a device without having to log in
every time) which gave the attackers the same sign-in permissions as the Facebook mobile app.
Lastly, when the video uploader appeared in the "View As" mode, it provided an access code for
whoever the hacker was searching for" (SelfKey Identity Wallet, 2022). After this attack Facebook
at least reset the access tokens of about ninety million users, logging them out so that they had to
sign in again. The biggest and most ridiculous incident came to light in March 2019, when up to
six hundred million users' passwords were found to have been stored in plain text on Facebook's
internal servers, readable by company employees. The same thing was then found for Instagram
users, whose passwords were also stored in plain text (SelfKey Identity Wallet, 2022).
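The "View As" chain quoted above comes down to one broken invariant: a token minted while a page is being rendered as someone else must still authenticate the real session user, never the person being impersonated. The following toy token service is an added example written for this paper, not Facebook's code or token format; the signing key, the claim names, the scope strings and the two `view_as_*` functions are all assumptions made to show the vulnerable behaviour beside the hardened one.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed server-side signing key for this toy token service (assumption; nothing
# here is Facebook's code or format).
SERVER_KEY = b"example-only-server-key-change-me"


def mint_token(subject: str, scope: str) -> str:
    """Issue an HMAC-SHA256 signed bearer token that authenticates `subject`."""
    body = json.dumps({"sub": subject, "scope": scope}, sort_keys=True).encode()
    mac = hmac.new(SERVER_KEY, body, hashlib.sha256).digest()
    return (base64.urlsafe_b64encode(body).decode() + "."
            + base64.urlsafe_b64encode(mac).decode())


def token_claims(token: str) -> Optional[dict]:
    """Verify the signature and return the claims, or None if the token is forged or garbled."""
    try:
        body_b64, mac_b64 = token.split(".")
        body = base64.urlsafe_b64decode(body_b64)
        mac = base64.urlsafe_b64decode(mac_b64)
    except ValueError:  # wrong number of parts, or bad base64 (binascii.Error is a ValueError)
        return None
    expected = hmac.new(SERVER_KEY, body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, mac):
        return None
    return json.loads(body)


def view_as_vulnerable(session_user: str, target: str) -> dict:
    """Models the chain described in the text: the page is rendered with `target`'s
    identity, an uploader appears on it, and the uploader mints its token for the identity
    the page is currently rendering as, so the caller walks away with a token for `target`."""
    rendered_as = target
    page = f"{session_user}'s profile as seen by {target}"
    uploader_token = mint_token(rendered_as, "mobile_app")  # BUG: subject is the impersonated user
    return {"page": page, "uploader_token": uploader_token}


def view_as_fixed(session_user: str, target: str) -> dict:
    """Hardened form: "view as" is a rendering flag only. Any token minted in this context
    authenticates the real session principal and carries a narrow, non-impersonating scope."""
    page = f"{session_user}'s profile as seen by {target}"
    uploader_token = mint_token(session_user, "upload_only")
    return {"page": page, "uploader_token": uploader_token}


def token_impersonates(token: str, session_user: str) -> bool:
    """Invariant check a gateway can run on every token minted during a session:
    a valid token whose subject differs from the session principal is an impersonation token."""
    claims = token_claims(token)
    return claims is not None and claims["sub"] != session_user


if __name__ == "__main__":
    bad = view_as_vulnerable("alice", "bob")["uploader_token"]
    good = view_as_fixed("alice", "bob")["uploader_token"]
    print("vulnerable token impersonates bob:", token_impersonates(bad, "alice"))  # True
    print("fixed token impersonates anyone:", token_impersonates(good, "alice"))  # False
```

The point of `token_impersonates` is that the fix is checkable: whatever the rendering code does, a single gate in front of the token issuer (or a test over it) can reject any token whose subject is not the authenticated session user.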
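The March 2019 plain-text password finding is the simplest failure mode in this paper, and the remedy is equally concrete: store a salted, memory-hard hash rather than the password, and keep the password out of anything that gets written to disk. This is an added example, not Facebook's code; the record layout, the KDF parameters and the small log scrubber are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os
from typing import Optional

# scrypt parameters (assumed for this example; n=2**14, r=8 needs about 16 MiB per call).
KDF = dict(n=2 ** 14, r=8, p=1, dklen=32)
_DUMMY_SALT = b"\x00" * 16


def store_plaintext(db: dict, user: str, password: str) -> None:
    """The failure mode described above: the credential itself is written to the store,
    so anyone who can read the file, log or backup holds the password."""
    db[user] = {"password": password}


def verify_plaintext(db: dict, user: str, password: str) -> bool:
    rec = db.get(user)
    return rec is not None and rec["password"] == password


def store_hashed(db: dict, user: str, password: str) -> None:
    """Hardened form: a random per-user salt and a memory-hard KDF. The store never holds
    the password, only a value that is expensive to invert and differs for every user."""
    salt = os.urandom(16)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt, **KDF)
    db[user] = {"salt": salt, "hash": digest}


def verify_hashed(db: dict, user: str, password: str) -> bool:
    rec = db.get(user)
    if rec is None:
        # Burn the same KDF cost for unknown users so response time does not reveal
        # which usernames exist.
        hashlib.scrypt(password.encode("utf-8"), salt=_DUMMY_SALT, **KDF)
        return False
    digest = hashlib.scrypt(password.encode("utf-8"), salt=rec["salt"], **KDF)
    return hmac.compare_digest(digest, rec["hash"])  # constant-time comparison


def recoverable_password(record: dict) -> Optional[str]:
    """What an insider who reads one stored record learns: the password itself for the
    plain-text layout, nothing usable for the hashed layout."""
    return record.get("password")


_SECRET_KEYS = ("password", "passwd", "pwd", "new_password", "old_password")


def scrub_for_log(fields: dict) -> dict:
    """Redact credential fields before a request is written to any log or debug file."""
    return {k: ("[REDACTED]" if k.lower() in _SECRET_KEYS else v) for k, v in fields.items()}


if __name__ == "__main__":
    plain, hashed = {}, {}
    store_plaintext(plain, "alice", "correct horse battery")
    store_hashed(hashed, "alice", "correct horse battery")
    print("plain-text record leaks:", recoverable_password(plain["alice"]))   # the password
    print("hashed record leaks:", recoverable_password(hashed["alice"]))      # None
    print("login works:", verify_hashed(hashed, "alice", "correct horse battery"))  # True
    print(scrub_for_log({"user": "alice", "password": "correct horse battery"}))
```

Two details matter beyond "hash it": the per-user salt means two people with the same password get different stored values, so a single cracked hash does not unlock every account sharing that password, and the dummy KDF call on an unknown user keeps the login path from leaking which usernames exist.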
It might seem that all the big cases of information theft were Facebook's fault and that
ordinary users could do nothing to protect themselves. So what can be done on their end to protect
their privacy? Users should use more complex passwords, enable two-factor authentication, and
avoid posting personal information in public or private posts (Murray, 2021). These methods
would not protect them from mass leaks and mass exploitation of platform vulnerabilities, but they
can save them from the social engineering attacks that follow. But what about Facebook? There are
large catalogs of known vulnerabilities and exploits, such as the NVD, SANS lists, and Metasploit
modules, that can help make Facebook more secure, and most of these checks have probably
already been applied to its systems. But those catalogs only store information about known
vulnerabilities, so what about unknown ones? There is no way to guard against a specific
unknown flaw until it is discovered by red/blue teams or by hackers.
There is no hundred percent safety on the internet, and all the data breaches that happened
to Facebook are proof of that. But responding quickly and being transparent with its users would
make Facebook a safer place. These cases must be discussed and studied more so that users'
personal data is better protected in the future.

References
Bowman, E. (2021, April 10). After data breach exposes 530 million, Facebook says it will not notify users. NPR. Retrieved April 23, 2022, from https://www.npr.org/2021/04/09/986005820/after-data-breach-exposes-530-million-facebook-says-it-will-not-notify-users
Murray, T. (2021, April 4). After Facebook data breach, consumers need to go on defense. U.S. PIRG Education Fund. Retrieved April 23, 2022, from https://uspirgedfund.org/feature/usp/after-facebook-data-breach-consumers-need-go-defense
SelfKey Identity Wallet. (2022, April 19). Facebook's data breaches: A timeline. SelfKey. Retrieved April 23, 2022, from https://selfkey.org/facebooks-data-breaches-a-timeline/