Social Network Spiraling - Everything Going On with Facebook Up Until Now | blog | Control Gap

In case you missed it, Facebook has had some issues recently and its only getting uglier. Catch up on the news below:

September's Breach

The most recent breach announcement came late last week and the exposure lasted over 13 months:

• User single-signon “access tokens” were exposed through the “view as” feature.  At least 53M users  with a further 40M user accounts reset as a precaution https://www.nytimes.com/2018/09/28/technology/facebook-hack-data-breach.html
• Brian Krebs article on the breach  https://krebsonsecurity.com/2018/09/facebook-security-bug-affects-90m-users/
• More details on how the attack exploited multiple bugs and put many other applications that use Facebook single-signon logins at risk https://www.forbes.com/sites/thomasbrewster/2018/09/29/how-facebook-was-hacked-and-why-its-a-disaster-for-internet-security/

As the new week dawned we began to get more information as Facebook rushed to comply with GDPR notification requirements:

• (Updated) Facebook detected breach on September 16th, 11 days before their GDPR notice  https://www.cnn.com/2018/10/04/tech/facebook-hack-explainer/index.html
• Facebook submits their initial GDPR notification https://www.databreachtoday.com/facebook-submits-gdpr-breach-notification-to-irish-watchdog-a-11573
• A lack of details naturally leads to public uncertainty and frustration. Possibly an unintended consequence of the new regulations. https://www.washingtonpost.com/news/powerpost/paloma/the-cybersecurity-202/2018/10/02/the-cybersecurity-202-facebook-disclosed-a-major-hack-very-quickly-but-the-alert-was-short-on-details/5bb24c311b326b7c8a8d1797/ and https://www.schneier.com/blog/archives/2018/10/theeffectsof_5.html
• Speculation mounts over the potential for fines of up to $1.63B https://www.wsj.com/articles/facebook-faces-potential-1-63-billion-fine-in-europe-over-data-breach-1538330906
• Ireland among the first to prepare for an investigation https://www.irishexaminer.com/breakingnews/world/eu-preparing-to-investigate-facebook-over-latest-data-breach-873019.html
• _(Updated) A class-action lawsuit has been proposed in Canada against Facebook [https://www.huffingtonpost.ca/2018/10/01/facebook-security-breach-lawsuit-canada\a_23547591/](https://www.huffingtonpost.ca/2018/10/01/facebook-security-breach-lawsuit-canada_a_23547591/)
• _(Updated) _Hackers accessed personal information of 30 million Facebook users https://www.cnn.com/2018/10/12/tech/facebook-hack-personal-information-accessed/index.html
• _(Updated) _Facebook hack victims will not get ID theft protection http://www.bbc.co.uk/news/technology-45845431

More information emerges about the impact, remediation, and GDPR as the week goes on:

• _(Updated) _Proliferation of useless advice in the wake of the Facebook breach https://www.cnet.com/news/after-facebooks-hack-theres-a-lot-of-useless-post-breach-advice/
• Initially, the impact on single-signons to other apps is unclear https://www.wired.com/story/facebook-security-breach-third-party-sites/
• Tinder, Pinterest and others struggle to determine how Facebook hack affects their users https://money.cnn.com/2018/10/01/technology/facebook-hack-tinder-pinterest/index.html
• Potentially thousands of apps could be affected https://www.nytimes.com/2018/10/02/technology/facebook-hack-other-sites.html
• Early adopters of Facebook's Workplace collaboration tool may have also been affected https://www.businessinsider.com/facebooks-warns-some-business-customers-about-its-giant-data-breach-2018-10
• Facebook claims that NO 3rd party apps were exploited https://www.independent.co.uk/life-style/gadgets-and-tech/news/facebook-hack-update-external-app-website-data-breach-a8566561.html

Other Recent Issues

Even without the breach Facebook has had other security and privacy issues come to light:

• Users who provided a security phone number for two-factor authentication will be upset to find out they also used it to was push ads https://www.eff.org/deeplinks/2018/09/you-gave-facebook-your-number-security-they-used-it-ads
• They keep shadow contact information about you, the problem is you can’t see it or even find out if it exists.  And of course it is also used to push ads  via the “custom audience” feature https://gizmodo.com/facebook-is-giving-advertisers-access-to-your-shadow-co-1828476051
• Child experts file FTC complaint against Facebook kids' app https://business.financialpost.com/pmn/business-pmn/child-experts-file-ftc-complaint-against-facebook-kids-app
• Facebook is being sued for allegedly facilitating sex trafficking https://www.thedailybeast.com/facebook-sued-for-allegedly-facilitating-sex-trafficking

A few very recent developments that would normally be positive are likely being completely drowned out by the bad news:

• New anti-harassment tools were announced https://gizmodo.com/facebook-makes-it-easier-to-report-bullies-1829465444
• Warnings issued to police over the use of fake accounts was largely overshadowed https://www.eff.org/deeplinks/2018/09/facebook-warns-memphis-police-no-more-fake-bob-smith-accounts

Facebook's Annus Horribilis

Facebook is still dealing with the fallout from previous troubles. In fact  2018 has been a terrible year:

• (Updated) Are Facebook's breach, privacy troubles, and fix attempts to blame for loosing 30% of its value since July https://www.cnn.com/2018/10/11/tech/facebook-stock-dip/index.html
• A GDPR notice from July came to light last week over the previous Facebook/AIQ related events https://www.zdnet.com/article/uk-issues-first-ever-gdpr-notice-in-connection-to-facebook-data-scandal/
• UK law firm seeks to expand on lawsuit started over previous troubles https://www.telegraph.co.uk/technology/2018/10/03/facebook-hit-uk-legal-claim-massive-data-breach/

• Those troubles have been featured in 38 out of 81 of our weekly security news roundups and have  included:

  • The Cambridge Analytica scandal in March and Aggregate IQ (AIQ)
  • https://controlgap.com/blog/cambridge-analytica-facebook-scandal/
  • https://www.pymnts.com/facebook/2018/cambridge-analytica-aggregateiq-user-data/
  • Controversial data sharing arrangements
  • https://www.cnbc.com/2018/04/05/facebook-building-8-explored-data-sharing-agreement-with-hospitals.html
  • https://www.eff.org/deeplinks/2018/04/facebook-isnt-telling-whole-story-about-its-decision-stop-partnering-data-brokers
  • https://www.theguardian.com/technology/2018/jul/02/facebook-user-data-access-companies-privacy
  • https://epic.org/2018/06/facebook-overrode-users-privac.html
  • Overly broad tracking
  • http://www.theregister.co.uk/2018/04/17/facebook_admits_to_tracking_non_users/
  • https://freedom-to-tinker.com/2018/04/18/no-boundaries-for-facebook-data-third-party-trackers-abuse-facebook-login/
  • Naughty apps, partners, fake accounts, and bugs
  • https://threatpost.com/tens-of-thousands-of-malicious-apps-using-facebook-apis/131566/
  • https://www.theregister.co.uk/2018/06/28/facebook_data_abuse_bug_bounty/
  • https://www.theguardian.com/technology/2018/may/15/facebook-closed-583m-fake-accounts-in-first-three-months-of-2018
  • https://www.wral.com/facebook-suspends-boston-analytics-firm-over-data-usage/17710861/
  • https://www.theregister.co.uk/2017/07/17/facebook_login_security/
  • Legal and regulatory issues including fines
  • https://www.theregister.co.uk/2018/08/24/irish_data_protection_commish_opens_inquiry_on_facebook_data_transparency/
  • https://www.theregister.co.uk/2017/05/16/facebook_fined_in_france/
  • http://thehackernews.com/2017/09/facebook-privacy.html
  • https://www.theguardian.com/technology/2018/feb/12/facebook-personal-data-privacy-settings-ruled-illegal-german-court
  • https://www.pymnts.com/news/regulation/2018/gdpr-facebook-data-breach-fines-compliance/