As details about the Facebook data breach continue to emerge, experts sound off on what companies can do to secure what has become a prime target for hackers: user account data.
The Facebook security breach that affected at least 50 million users could also cost the company up to $1.6 billion in fines under GDPR rules.
Attackers exploited a vulnerability in Facebook's code that impacted "View As" -- a feature that lets people see what their own profile looks like to someone else, the company said in an online post. This allowed the attackers to steal Facebook access tokens that could be used to take over user accounts.
These tokens -- the equivalent of digital keys -- allow users to stay logged in to their accounts without having to re-enter their passwords each time they use the app, explained Jessica Ortega, product marketing associate and member of the SiteLock research team. With unauthorized access to these tokens, attackers could log in to unsuspecting user accounts without credentials, she said.
"If continuous access is a feature that users demand, then businesses must be proactive in scanning and testing their application features for vulnerabilities to identify and address bugs before cybercriminals do," Ortega said.
Details about the extent of user data affected by the Facebook security breach are yet to emerge.
The access tokens that were compromised would typically be limited to particular aspects of data within a user's account, such as location, age or photos, explained William Knowles, security consultant at MWR InfoSecurity -- a company recently acquired by F-Secure.
"This approach follows the security best practice approach of only granting the least privileges required for a particular action," Knowles said. "It may be the case that … only a limited amount of data was exposed from other user's profiles; however, it could equally be the opposite, and users will be unable to determine the extent to which they were affected until confirmed by Facebook."
What businesses can learn from the Facebook security breach
Attacks on large sites to steal user account data have become perpetual, according to Vijay Pullur, CEO at ThumbSignIn.
"It is clear the future of security is in relying on 'true identity' by marrying physical possession of a device and digital access," Pullur said. "Even though vulnerabilities on these sites exist, the user gets notified of breaches immediately, or even better, their accounts cannot be accessed at all through the use of biometrics, which grant permissions on a device in [their] physical possession."
Bryce Austin, CEO of TCE Strategy, said the Facebook security breach is a prime example of how sophisticated cybercriminals have become.
The developers of computer systems can write good code that will keep out low- and midlevel hackers, but a high-level hacker will approach your system from an angle that developers never imagined.
Bryce AustinCEO, TCE Strategy
Austin believes the trick to fighting cybercrime is to hire white-hat hackers to try to find vulnerabilities before a real cybercriminal does.
"The developers of computer systems can write good code that will keep out low- and midlevel hackers, but a high-level hacker will approach your system from an angle that developers never imagined," Austin said.
With behavioral cybersecurity detection systems getting more sophisticated, companies need to assume that cybercriminals will find their way into their systems and be proactive about it, he said. For example, the next generation of antivirus programs does not look for viruses based on a signature in their code and instead look for abnormal behavior to stop breaches that are in progress, he added.
Knowles believes businesses can also benefit from bug bounty programs that can help companies reduce their online attack surface.
Facebook has been an active participant in the rising popularity of bug bounty programs, where security researchers are given permission to actively search out vulnerabilities on the Facebook website and receive financial compensation for findings that are reported under Facebook's responsible disclosure policy, Knowles said.
However, he added that these programs "should also be paired with traditional security assurance activities, such as having gated validations or technical assessments, at different stages of the development lifecycle in order to minimize the likelihood of high-impact vulnerabilities making it onto production systems."
