Building Trust Improving Technical Security

The Facebook Breach: Some Lessons for the Internet

Last week Facebook found itself at the heart of a security breach that put at risk the personal information of millions of users of the social network.

On September 28, news broke that an attacker exploited a technical vulnerability in Facebook’s code that would allow them to log into about 50 million people’s accounts.

While Facebook was quick to address the exploit and fix it, they say they don’t know if anyone’s accounts actually were breached.

This breach follows the Cambridge Analytica scandal earlier this year that resulted in the serious mishandling of the data of millions of people who use Facebook.

Both of these events illustrate that we cannot be complacent about data security. Companies that hold personal and sensitive data need to be extra vigilant about protecting their users’ data.

Yet even the most vigilant are also vulnerable. Even a single security bug can affect millions of users, as we can see.

There are a few things we can learn from this that applies to the other security conversations: Doing security well is notoriously hard, and persistent attackers will find bugs to exploit, in this case a combination of three apparently unrelated ones on the Facebook platform.

This is a lesson for anybody who says that exceptional access can be built securely. This is not a moment for schadenfreude, though – I believe that the transparency by which the engineers at Facebook coped with this issue will aid the social network’s efforts to re-build trust with its users. And let’s face it, those engineers found the problem themselves through monitoring of their systems.

Facebook is not only providing the technical means of access to its own services, but also for others. While there is no proof yet that any third-party applications have been compromised, I believe that we must think about decentralising some of these login mechanisms before one of these houses of cards collapses.  That may not be trivial as building and maintaining these systems securely requires lots of resources, not available to everybody.

That is a wicked problem, one that is gaining focus as a significant issue we must resolve very soon if we really wish to see an open, globally-connected, trustworthy, and secure Internet for everyone.