A court filing says that Facebook warned staff of the risk that led to a huge security breach that last year allowed hackers to access almost 29 million accounts — but failed to warn its users…

The risk was in the use of single sign-on, a way to let you sign into third-party apps and websites using your Facebook credentials. While this doesn’t give the third-party service access to your login details, it does generate an access token that hackers were able to misuse to view private content in accounts.

Reuters reports that a class-action lawsuit alleges that Facebook was aware of the security risks inherent in the single sign-on feature, and took steps to ensure the privacy of its own staff was protected, but did not do the same for its users.

The access tokens didn’t give the hackers complete access to accounts, but a flaw in a feature known as View As enabled them to see information that should have been restricted to Facebook friends. The View As feature is designed to allow you to see how your Facebook profile looks to other people.

“Facebook knew about the access token vulnerability and failed to fix it for years, despite that knowledge,” the plaintiffs said in a heavily redacted section of the filing in the U.S. District Court for the Northern District of California in San Francisco.

“Even more egregiously, Facebook took steps to protect its own employees from the security risk, but not the vast majority of its users.”

For 15 million people, hackers were able to access just name and email (or name and mobile number, for those who signed up using that). For a further 14 million people, however, the hackers were able to see a lot more profile information and activity.

Facebook contacted all those affected, and also provided an online tool to allow people to check for themselves if their details were hacked.

I would always advise against the use of any single sign-on service — even the upcoming Apple one. I instead recommend unique, strong passwords for each individual app, website, or service you use.
