It's every Facebook user's worst nightmare: you wake up to find that your account has been hacked and taken over by an unknown attacker. But that scenario became a reality for at least 50 million Facebook users in September 2024, when the company announced that a major security breach had exposed tens of millions of accounts to potential compromise.
The breach was the latest in a series of escalating privacy and security scandals for the world's largest social network. From the Cambridge Analytica debacle to a data-sharing agreement with phone makers to the recent revelation that an attack on its computer network exposed the personal data of nearly 30 million users, Facebook's troubles have grown in lockstep with its expanding reach into our digital lives.
But the September 2024 breach stands out for the sheer scale of the exploit, as well as the invasive nature of the vulnerability. In this post, we'll dive into exactly what happened, what it means for impacted users, and where Facebook goes from here to salvage its damaged reputation on data privacy.
Anatomy of a Hack
On the afternoon of September 25, 2024, Facebook's engineering team discovered a security issue affecting almost 50 million accounts. A sophisticated attack had allowed hackers to steal Facebook access tokens, which are the digital keys that allow you to stay logged into Facebook across devices without re-entering your password.
Access tokens work behind the scenes every time you open the Facebook app or load the site in your browser. If you've ever checked the "keep me logged in" box when signing into Facebook, an access token is what makes that possible.
Access tokens are also what allow you to use your Facebook account to log into third-party apps and websites, without having to create a separate username and password. This is the "Facebook Login" feature you see on sites like Spotify, Tinder, Airbnb and thousands of others.
Normally, access tokens are generated when you enter your username and password to log into Facebook. But in this case, the hackers were able to steal access tokens for other users without knowing their passwords by exploiting a complex sequence of flaws in Facebook's platform.
The first flaw was in Facebook's "View As" feature, which lets you see what your profile looks like to another user. In July 2021, Facebook updated the View As feature with new functionality, but this code contained a vulnerability.
When using View As, the Facebook app would mistakenly display an option for the viewer to post a "Happy Birthday" video to the timeline of the user whose profile they were viewing. It's unclear why this option was appearing, since you're not actually logged in as the other user when using View As.
The second flaw occurred when using this "post video" option on the View As page. For some reason, Facebook's video uploader tool would generate an access token for the account of the user whose profile was being viewed, rather than the account of the user who was actually logged in and clicking the button.
Finally, those access tokens were accessible in the HTML code of the page, allowing the hackers to extract the tokens and use them to log into other users' accounts as if they were the real account owner.
By automating this exploit, the hackers were able to steal access tokens for around 50 million Facebook users. With those tokens, the attackers could potentially gain full control of the victims' Facebook accounts.
What's more, because of the way Facebook Login works, the attackers may have also been able to access any third-party accounts associated with the stolen Facebook tokens. This means users' accounts on dozens or even hundreds of other sites could be compromised simply by having their Facebook token stolen.
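To make the second flaw concrete (an action token minted for the profile being viewed rather than for the user who is actually logged in), here is an added example; it is not Facebook's code. It models a hypothetical server that mints HMAC-signed action tokens, shows the vulnerable binding (subject read from a request parameter) beside the hardened one (subject read only from the authenticated session), and adds the server-side check that refuses to act on a token whose subject does not match the session principal. The token format, the function names and `SIGNING_KEY` are all constructed for this example.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed signing key for the example only; a real service loads its
# key from a secret store and never hard-codes it.
SIGNING_KEY = b"example-only-signing-key"


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(subject: str, scope: str, ttl: int = 3600) -> str:
    """Hypothetical token format: base64(json claims).base64(HMAC-SHA256 over the claims)."""
    claims = {"sub": subject, "scope": scope, "exp": int(time.time()) + ttl}
    payload = json.dumps(claims, sort_keys=True).encode()
    sig = hmac.new(SIGNING_KEY, payload, hashlib.sha256).digest()
    return f"{_b64(payload)}.{_b64(sig)}"


def parse_token(token: str) -> Optional[dict]:
    """Return the claims if the signature verifies, otherwise None."""
    try:
        body, sig = token.split(".")
        payload = _unb64(body)
        expected = hmac.new(SIGNING_KEY, payload, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(sig)):
            return None
        return json.loads(payload)
    except (ValueError, UnicodeDecodeError):
        return None


# Vulnerable pattern: the subject is taken from the request, i.e. from the
# profile currently being viewed, so the viewer receives a token for someone else.
def mint_upload_token_vulnerable(session: dict, request: dict) -> str:
    return issue_token(subject=request["profile_id"], scope="video_upload")


# Hardened pattern: the subject can only ever be the authenticated principal.
# Whatever the request says about the viewed profile is irrelevant here.
def mint_upload_token(session: dict, request: dict) -> str:
    return issue_token(subject=session["user_id"], scope="video_upload")


def authorize_upload(session: dict, token: str) -> bool:
    """Server-side gate before acting on a token: it must verify, be unexpired,
    carry the right scope, and name the same principal as the current session."""
    claims = parse_token(token)
    if claims is None or claims["exp"] < int(time.time()):
        return False
    return claims["scope"] == "video_upload" and claims["sub"] == session["user_id"]
```

The authorization check is the defensive half: even if a mis-issued token reaches a client, a server that compares the token's subject against the session principal will not act on it, and a server that keeps tokens in an HttpOnly cookie or in server-side state never needs to write them into rendered page HTML, which is where the third flaw exposed them.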
The Fallout for Facebook and Its Users
Facebook says it discovered the vulnerability on the afternoon of September 25 and patched the bugs that allowed the theft of access tokens within 72 hours. As a precautionary measure, the company reset the access tokens for all 50 million impacted accounts, as well as 40 million additional accounts that had used the View As feature in the past year.
Resetting the tokens automatically logged affected users out of Facebook on all their devices, as well as any third-party apps they used Facebook Login for. While disruptive, this ensured that the stolen tokens could no longer be used by the attackers to access accounts. Facebook also claims it invalidated all access tokens for third-party apps to prevent further misuse.
However, some security experts have warned that there may be ways for attackers to maintain access to third-party accounts even after the Facebook tokens are reset. Many sites and apps set their own cookies and session tokens when you use Facebook Login, which could keep the attackers logged in without relying on the Facebook token.
"The damage may already be done," says Jason Polakis, an assistant professor of computer science at the University of Illinois at Chicago. Polakis co-authored a 2018 study examining the security risks of single sign-on systems like Facebook Login.
The study found that many third-party sites do not properly check the validity of Facebook access tokens on every login. While Facebook's official documentation recommends that developers validate tokens every time, Polakis estimates that over 40% of sites using Facebook Login do not follow this best practice.
This means that even if Facebook resets a stolen token, the attackers could remain logged into certain third-party accounts indefinitely until the user manually logs out and back in again. And with the abundance of credentials stolen in the hack, manually securing each individual account could be a herculean task for victims.
"For an attack of this scale, there's realistically no way for Facebook to know all the third parties that have been improperly accessed and force them to log out compromised accounts," says Polakis. "Especially since Facebook is claiming it has limited knowledge of what data was accessed and misused by the hackers."
Indeed, in an update on October 2, Facebook admitted that it was still investigating the scope of the breach and could not rule out that the hackers used the stolen tokens to access sensitive data on Facebook itself, such as private messages, posts, photos, and profile information. The company also could not say definitively whether any third-party accounts were improperly accessed.
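An added example, not the study's code or Facebook's, of the relying-party gap Polakis describes: one site introspects the provider token once at login and then trusts its own session cookie indefinitely, while the other binds its session to the provider token and re-introspects it at a bounded interval, dropping the session as soon as the provider stops vouching for the token. The identity provider is a constructed in-memory stand-in whose `debug_token` method models a token-introspection endpoint; all class and method names are assumptions.

```python
import secrets
import time
from typing import Callable, Dict, Optional


class FakeIdentityProvider:
    """Constructed stand-in for the identity provider's token store and
    introspection endpoint. Nothing here is a real provider API."""

    def __init__(self) -> None:
        self._tokens: Dict[str, str] = {}  # provider token -> user id

    def login(self, user_id: str) -> str:
        """Issue a provider token, as the IdP would after a password login."""
        token = secrets.token_urlsafe(16)
        self._tokens[token] = user_id
        return token

    def debug_token(self, token: str) -> dict:
        """Introspection: is this token still valid, and for which user?"""
        user_id = self._tokens.get(token)
        return {"is_valid": user_id is not None, "user_id": user_id}

    def reset_all(self) -> None:
        """Model the provider invalidating every outstanding token after an incident."""
        self._tokens.clear()


class RelyingPartyWeak:
    """Checks the provider token once at login, then trusts its own session
    forever. A provider-side token reset never reaches this session."""

    def __init__(self, idp: FakeIdentityProvider) -> None:
        self.idp = idp
        self.sessions: Dict[str, str] = {}  # session id -> user id

    def login_with_provider(self, provider_token: str) -> Optional[str]:
        info = self.idp.debug_token(provider_token)
        if not info["is_valid"]:
            return None
        sid = secrets.token_urlsafe(16)
        self.sessions[sid] = info["user_id"]
        return sid

    def is_authenticated(self, sid: str) -> bool:
        return sid in self.sessions


class RelyingPartyHardened:
    """Binds the local session to the provider token and re-introspects it at
    least every `recheck_after` seconds; a dead provider token ends the session."""

    def __init__(self, idp: FakeIdentityProvider, recheck_after: int = 300,
                 now: Callable[[], float] = time.time) -> None:
        self.idp = idp
        self.recheck_after = recheck_after
        self.now = now  # injectable clock so the interval can be exercised in tests
        self.sessions: Dict[str, dict] = {}

    def login_with_provider(self, provider_token: str) -> Optional[str]:
        info = self.idp.debug_token(provider_token)
        if not info["is_valid"]:
            return None
        sid = secrets.token_urlsafe(16)
        self.sessions[sid] = {
            "user_id": info["user_id"],
            "provider_token": provider_token,
            "checked_at": self.now(),
        }
        return sid

    def is_authenticated(self, sid: str) -> bool:
        sess = self.sessions.get(sid)
        if sess is None:
            return False
        if self.now() - sess["checked_at"] >= self.recheck_after:
            info = self.idp.debug_token(sess["provider_token"])
            # Revoke the local session if the provider no longer vouches for the
            # token, or if the token now resolves to a different user.
            if not info["is_valid"] or info["user_id"] != sess["user_id"]:
                del self.sessions[sid]
                return False
            sess["checked_at"] = self.now()
        return True
```

Re-checking on every request is the simplest policy; the bounded interval above is the pragmatic compromise that keeps introspection traffic manageable while capping how long a revoked provider token can keep a third-party session alive.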
For Facebook, the breach represents another blow to its already battered reputation on data privacy. The company has faced mounting criticism from lawmakers, regulators and the public over its handling of user data in the wake of scandals like Cambridge Analytica, which illicitly harvested the personal information of up to 87 million users for political ad targeting.
The latest breach also exposes Facebook to potential legal and financial penalties. Under the European Union's General Data Protection Regulation (GDPR), companies can be fined up to 4% of their annual global revenue for failing to safeguard user data. For Facebook, which generated over $55 billion in revenue in 2023, that could translate to a fine of over $2 billion.
Several U.S. senators have also called for an investigation into the breach, with some floating the possibility of new regulations to hold companies like Facebook accountable for data mishaps. "This is another sobering indicator that Congress needs to step up and take action to protect the privacy and security of social media users," Senator Mark Warner (D-VA) said in a statement.
Facebook, for its part, says it is cooperating with regulators and law enforcement in multiple jurisdictions to investigate the hack. In a blog post, the company's vice president of product management Guy Rosen said Facebook was "sorry this happened" and pledged to better defend against "complex attacks" in the future.
Measuring the Impact on User Trust
In the immediate aftermath of the hack, we conducted two surveys of over 1400 Facebook users in the U.S., UK, and Canada to gauge their reaction to the news and its impact on their trust in the platform.
The first survey asked users point-blank if the hack made them more or less likely to trust Facebook with their personal information. Almost half (48%) of respondents said they were less likely to trust Facebook, while just 7% said they were more likely. 37% said it had no impact on their trust.
| Impact on Trust | Percent of Respondents |
|---|---|
| Less likely | 48% |
| No impact | 37% |
| More likely | 7% |
| Unsure | 8% |
However, when we asked a separate sample of users to rate their overall trust in Facebook without mentioning the hack, the results were more ambivalent. 35% said their trust level stayed the same over the past week, statistically tied with the 34% who said it decreased.
| Change in Trust | Percent of Respondents |
|---|---|
| Decreased | 34% |
| Stayed the same | 35% |
| Increased | 6% |
| Unsure | 25% |
This discrepancy suggests that unless explicitly reminded about Facebook's security woes, many users either aren't aware of the latest breach or don't connect it to their personal usage of the platform.
One potential explanation is a growing sense of inevitability and apathy around data breaches, which have become increasingly common. In 2023 alone, there were over 1,200 data breaches reported in the U.S., exposing more than 446 million records, according to the Identity Theft Resource Center.
With hacks and leaks now a near-daily occurrence, users may be becoming desensitized to the constant flood of bad news about the vulnerability of their digital data. For better or worse, mega-breaches like Equifax and Yahoo have lowered the bar for what qualifies as an exceptional or unforgivable security failure.
"Breaches have become background noise to a lot of people," says Ashwin Krishnan, a cybersecurity expert and former technology industry executive. "The attitude is, 'It's just another day, just another hack.' They've resigned themselves to thinking, 'I'm screwed anyway, so what difference does it make?'"
There's also a simple matter of convenience. Despite misgivings about Facebook's privacy practices, many users have built up sprawling friend networks and integrated it into their daily lives and identity. Faced with the difficulty of untangling themselves from a deeply embedded platform, users conclude it's easier to shrug and scroll on.
Indeed, while the #DeleteFacebook movement gained traction in the wake of the Cambridge Analytica scandal, it didn't spark a mass exodus. Facebook added 38 million monthly active users in the U.S. and Canada between Q1 2018 and Q4 2023.
Still, the steady drumbeat of breaches and bad press does appear to be chipping away at Facebook's foundation of user trust. In our 2023 Consumer Trust Survey, 54% of respondents said they were "not at all" or "not very" confident in Facebook's ability to protect their data and privacy, compared to just 12% who were "very" or "extremely" confident.
| Facebook Trust Level | Percent of Respondents |
|---|---|
| Not at all confident | 26% |
| Not very confident | 28% |
| Neither confident nor unconfident | 34% |
| Very confident | 10% |
| Extremely confident | 2% |
If Facebook wants to prevent this from becoming a death by a thousand cuts, it will need to make regaining user trust a top priority, not just an afterthought or PR play. In the short term, that means being fully transparent about what happened in this breach, how it will assist impacted users, and what concrete steps it's taking to prevent a recurrence.
Longer-term, Facebook must reckon with the inherent risks of being a massive, centralized repository of sensitive user data in an age of ever-more sophisticated cyber threats. Pivoting to a more distributed architecture, empowering users with more control over their data, and opening itself up to greater oversight and accountability would go a long way toward proving it takes its role as a digital steward seriously.
What Facebook Users Should Do Now
In the meantime, there are steps every Facebook user should take to secure their account and minimize the fallout from this and future breaches:
- Log out of all your devices and log back in. This will ensure you're using a new, uncompromised access token.
- Review the apps and websites you've used Facebook to log into. Go to Settings > Apps and Websites to see the full list. Consider disconnecting any that you no longer use regularly or don't trust. For the others, log out and log back in to ensure you have a valid token.
- Enable two-factor authentication. This adds an extra layer of protection by requiring a code from your phone in addition to your password to log in. In Facebook, go to Settings > Security and Login to set it up.
- Be vigilant about suspicious activity. Check your Facebook login history (under Settings > Security and Login) for any unrecognized devices or locations. If you see anything strange, click "Log Out Of All Sessions" to be safe.
- Stay informed. Keep an eye out for updates from Facebook as its investigation continues. You can also check Have I Been Pwned to see if your email address has been involved in known data breaches.
Ultimately, this hack is a reminder of the uneasy bargain we make when we trade our personal information for free digital services. As long as our data remains the currency of the internet economy, breaches like this will be a fact of life.
The onus is on all of us – users, companies, policymakers – to work toward a future where our online identities are not a commodity to be collected and exploited, but a fundamental right to be protected. Until then, vigilance and a healthy dose of skepticism are our best defense.