
What happened when Facebook was hacked?

In September 2018, Facebook experienced one of the largest data breaches in history when hackers exploited a vulnerability in Facebook’s code to gain access to user accounts. Over 50 million Facebook users were impacted by the breach, which gave the attackers full access to compromised accounts.

How did the Facebook hack happen?

The hackers took advantage of a vulnerability in Facebook’s “View As” feature, which allows users to see what their own profile looks like to other people. By submitting forged “access tokens” – essentially digital keys that keep users logged into Facebook – the attackers were able to hijack user accounts without even needing login credentials.

The vulnerability arose from issues in three key areas of Facebook’s platform:

  • A video uploader that allowed users to upload birthday videos that would be automatically posted to friends’ News Feeds
  • The “View As” feature
  • Facebook’s API for managing “access tokens” and session cookies

The attackers chained together these vulnerabilities to obtain the digital keys to user accounts. Even worse, the stolen access tokens would continue to be valid even after the breach was discovered, allowing the hackers to maintain persistent access.

When did the hack occur?

Facebook discovered the breach on September 25, 2018, when they noticed an unusual spike in user activity. Further investigation revealed that the activity was unauthorized – somebody was accessing user accounts without logging in. Facebook then traced the intrusions back to the “View As” vulnerability.

However, there is evidence that the hackers may have first gained access several days before September 25. It’s likely they spent some time stealthily exploring Facebook’s systems before ramping up their activity to a level that raised alarms. Some security experts estimate the actual initial intrusion could have been as early as September 14.

How many users were affected?

Facebook originally estimated that 50 million users were affected by the breach. However, on October 12, 2018, they updated this number to 30 million users. According to Facebook, the following user information was potentially exposed in the attack:

  • Name
  • Gender
  • Locale / language
  • Relationship status
  • Religion
  • Hometown
  • Self-reported current city
  • Birthdate
  • Devices used to access Facebook
  • Education
  • Work
  • Website
  • Last 10 places checked into or tagged in
  • 15 most recent searches
  • The last people or groups the user followed

For an additional 1 million users, the hackers were able to access more sensitive personal information from their profiles, including:

  • Email addresses
  • Phone numbers
  • Username
  • Gender
  • Locale/language

Thankfully, Facebook does not believe that any financial information, credit card details, or passwords were exposed. User messages were also not accessed.

How did Facebook notify affected users?

Facebook began notifying affected users about the breach starting on September 28, 2018. They sent custom notifications based on the type of information that was accessed. For example:

Information accessed: only name and contact info
Notification message: “Your account was one of the accounts impacted in the recent security incident we discovered on September 25.”

Information accessed: name, contact info, and profile data
Notification message: “Your account was one of the accounts impacted in the recent security incident we discovered on September 25. The attackers may have also accessed your public profile, page likes, date of birth, devices you use to access Facebook, education history, hometown, current city, relationship status, religion, name, locations checked into or were tagged, search history, and the last 10 places you checked in or were tagged.”

Information accessed: name, contact info, and sensitive profile data
Notification message: “Your account was one of the additional accounts impacted in the recent security incident we discovered on September 25. The attackers may also have accessed your email address, phone number, username and/or user ID, gender, locale/language, relationship status, religion, hometown, self-reported current city, birthdate, device types used to access Facebook, education, work, the last 10 places you checked in or were tagged, your website, people or Pages you follow, and your 15 most recent searches.”

Users who were not affected did not receive any notification. If you did not get a notice from Facebook about the breach, your account was likely not compromised.

What did the hackers actually do with the compromised accounts?

It’s still not entirely clear what the attackers’ motivations were or exactly what they did once inside Facebook’s network. The investigation is still ongoing. However, Facebook believes the hackers were not necessarily trying to steal personal information about users. Rather, they appear to have accessed user accounts as a means to an end – using them as a stepping stone to further explore and exploit Facebook’s systems and infrastructure.

So far, Facebook says the hackers did not misuse any of the user information they obtained, such as by posting spam or fake content. They also have not seen any accounts compromised or abused as a result of the breach. It seems the attackers were more interested in understanding the inner workings of Facebook’s platform and finding additional bugs than in stealing personal data.

Could user passwords have been stolen?

While the hackers were able to access a tremendous amount of user account information, Facebook emphasizes that there is no evidence that user passwords were stolen. That’s because Facebook does not store anyone’s actual password. Instead, they store cryptographic hashes of passwords.

When you enter your password to log in, Facebook computes a cryptographic hash of it and compares the result to the password hash stored on their servers. If the two match, you’re granted access. So even if the hackers obtained the stored password hashes, they would not have the users’ actual plaintext passwords.
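The following is an added example of the verification flow just described, written for this page and not Facebook’s own code. It stores only a per-user random salt and a slow, salted hash (PBKDF2-HMAC-SHA256 here; the iteration count is a constructed demo value), recomputes the hash at login, and compares in constant time. Two users with the same password end up with different records because of the salt, and the record never contains the plaintext. The salt and the slow hash are what make offline guessing against a leaked record expensive, so together with strong passwords they are what the “hashes only” argument actually rests on.

```python
# Added example (not Facebook's code): password verification against a stored
# hash. Only a random salt and a slow, salted digest are kept; the plaintext
# is never written anywhere, so a copy of the record does not yield the password.
import hashlib
import hmac
import os
from typing import Dict, Optional

# PBKDF2-HMAC-SHA256 work factor. Constructed demo value; production systems
# use a substantially higher count or a memory-hard function (scrypt, Argon2).
PBKDF2_ITERATIONS = 100_000
SALT_LEN = 16
DIGEST_LEN = 32


def hash_password(password: str, salt: Optional[bytes] = None) -> Dict[str, bytes]:
    """Build the record a server stores for a user: per-user salt plus digest."""
    salt = os.urandom(SALT_LEN) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                 PBKDF2_ITERATIONS, dklen=DIGEST_LEN)
    return {"salt": salt, "hash": digest}


def verify_password(password: str, record: Dict[str, bytes]) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    record["salt"], PBKDF2_ITERATIONS,
                                    dklen=DIGEST_LEN)
    return hmac.compare_digest(candidate, record["hash"])


if __name__ == "__main__":
    rec = hash_password("correct horse battery staple")
    print("login ok:", verify_password("correct horse battery staple", rec))
    print("wrong password:", verify_password("Tr0ub4dor&3", rec))
    # Same password, fresh salt: a different record, so precomputed tables don't transfer.
    print("same password, same hash?", hash_password("correct horse battery staple")["hash"] == rec["hash"])
```

`hmac.compare_digest` matters even here: a byte-by-byte early-exit comparison leaks how many leading bytes of the candidate digest matched.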

How did Facebook fix the vulnerability?

As soon as Facebook discovered the breach on September 25th, their engineering teams went into high gear to diagnose the problem and shut down the vulnerabilities being exploited by the attackers. By September 27th, they had patched the bugs and made sure the attackers were locked out of all compromised accounts and unable to abuse the “View As” feature further.

Some key steps Facebook took to fully restore security include:

  • Shut down the “View As” feature temporarily
  • Conducted a thorough security review of the feature
  • Fixed the specific vulnerabilities that enabled the attack
  • Invalidated the access tokens stolen by the attackers
  • Enforced feature-specific access tokens going forward to limit the damage from potential future bugs
  • Further hardened their authentication and API infrastructure

The “View As” feature remained offline until Facebook finished an exhaustive security review. It was re-enabled for most users on October 9, 2018 once all vulnerabilities had been mitigated.
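Two of the remediation steps above, invalidating stolen tokens and issuing feature-specific tokens, are worth seeing in code. The block below is an added example written for this page; it is not Facebook’s implementation and the token format (base64url JSON payload plus an HMAC-SHA256 tag), the `TokenService` class and the signing key are all constructed. Each token carries an audience (`aud`) naming the one feature it may drive, so a token minted for a video-upload flow is refused by a “View As” check, and a per-user generation counter lets the service invalidate every outstanding token for a user in one step without keeping a list of them.

```python
# Added example (not Facebook's implementation): access tokens bound to one
# feature and revocable in bulk. Token format is constructed:
#   base64url(JSON payload) "." base64url(HMAC-SHA256 tag)
import base64
import binascii
import hashlib
import hmac
import json
import time
from typing import Dict, Optional

# Constructed signing key. A real deployment keeps this in a KMS/HSM and rotates it.
SERVER_KEY = b"example-signing-key-not-for-production"


def _b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class TokenService:
    def __init__(self, key: bytes = SERVER_KEY) -> None:
        self._key = key
        # Per-user generation counter; a token carries the value current when issued.
        self._generation: Dict[str, int] = {}

    def _tag(self, body: bytes) -> bytes:
        return hmac.new(self._key, body, hashlib.sha256).digest()

    def issue(self, user_id: str, feature: str, ttl_s: int = 3600,
              now: Optional[float] = None) -> str:
        """Mint a token usable only for `feature` (its audience), expiring after ttl_s."""
        now = time.time() if now is None else now
        payload = {"sub": user_id, "aud": feature, "exp": int(now) + ttl_s,
                   "gen": self._generation.get(user_id, 0)}
        body = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
        return _b64e(body) + "." + _b64e(self._tag(body))

    def verify(self, token: str, required_feature: str,
               now: Optional[float] = None) -> Optional[str]:
        """Return the user id if the token is authentic, unexpired, not revoked and
        issued for exactly `required_feature`; otherwise None."""
        now = time.time() if now is None else now
        try:
            body_b64, tag_b64 = token.split(".", 1)
            body, tag = _b64d(body_b64), _b64d(tag_b64)
            payload = json.loads(body)
        except (ValueError, binascii.Error):
            return None  # malformed token
        if not isinstance(payload, dict):
            return None
        if not hmac.compare_digest(tag, self._tag(body)):
            return None  # forged or tampered: tag was not produced with our key
        if payload.get("aud") != required_feature:
            return None  # issued for another feature; cannot be replayed against this one
        if payload.get("exp", 0) <= now:
            return None  # expired
        user_id = payload.get("sub")
        if payload.get("gen") != self._generation.get(user_id, 0):
            return None  # revoked: the user's tokens were invalidated after issue
        return user_id

    def revoke_all(self, user_id: str) -> None:
        """Breach response: invalidate every token previously issued to this user."""
        self._generation[user_id] = self._generation.get(user_id, 0) + 1


if __name__ == "__main__":
    svc = TokenService()
    tok = svc.issue("u1", "view_as", now=1000)
    print("view_as check:", svc.verify(tok, "view_as", now=1500))        # u1
    print("video_upload check:", svc.verify(tok, "video_upload", now=1500))  # None
    svc.revoke_all("u1")
    print("after revoke:", svc.verify(tok, "view_as", now=1500))         # None
```

The generation counter is the cheap way to do what the bullet “invalidated the access tokens stolen by attackers” describes at scale: bumping one integer per affected user kills every token that user had, whether or not the service ever saw those tokens again. The audience check is what “feature-specific access tokens” buys: a bug that leaks a token out of one flow leaves the attacker with a credential that no other flow will accept.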

Could this happen again?

Unfortunately, it’s quite possible a similar breach could happen again in the future. Security experts note that the root causes enabling this attack were not exactly unique to Facebook:

  • Complex internal systems interacting in complicated ways
  • Features that allow anonymous access and impersonation of users
  • Vast troves of personal data that are highly valuable to attackers

These characteristics make any large social media platform a lucrative target. While Facebook is no doubt reviewing their entire security posture after this incident, determined attackers will likely find ways to exploit overlooked or previously unknown flaws in the future.

However, there are steps Facebook can take to minimize the chances and impact of potential future attacks:

  • Implement stronger compartmentalization and access controls for internal systems
  • Enforce the principle of least privilege and regular privilege rotation for employees
  • Routinely conduct penetration testing and threat modeling
  • Implement monitoring systems to detect anomalous activity
  • Further restrict anonymous access and impersonation features
  • Expand bug bounty programs to encourage external security research
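The monitoring step above connects to how the breach was actually noticed: an unusual spike in activity. The following is an added example written for this page, not Facebook’s monitoring, showing one defensible way to turn “unusual spike” into a rule. It aggregates constructed log lines into per-hour counts for one feature, flags an hour whose count exceeds the median plus a multiple of the median absolute deviation of the preceding hours (median and MAD so that one earlier spike does not inflate the baseline the way a mean and standard deviation would), and then lists which actors drove the flagged hour, since a single actor dominating a feature is the kind of signal that points to automated misuse rather than organic use. The log format, actor ids and timestamps are constructed.

```python
# Added example (not Facebook's monitoring): flag an hourly spike in use of a
# feature against a rolling baseline of preceding hours, then show which actors
# drove it. Log lines and their format are constructed for this example.
import statistics
from collections import Counter
from datetime import datetime
from typing import Dict, Iterable, List, Tuple

# Constructed log: ISO-8601 UTC timestamp, actor id, feature, outcome
SAMPLE_LOG = """\
2018-09-25T08:02:11Z u1001 view_as ok
2018-09-25T08:17:45Z u1002 view_as ok
2018-09-25T08:40:03Z u1003 video_upload ok
2018-09-25T09:01:59Z u2001 view_as ok
2018-09-25T09:02:10Z u2001 view_as ok
2018-09-25T09:02:31Z u2001 view_as ok
2018-09-25T09:03:04Z u2001 view_as ok
2018-09-25T09:15:22Z u1004 view_as ok
"""


def parse_line(line: str) -> Tuple[datetime, str, str, str]:
    ts, actor, feature, outcome = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), actor, feature, outcome


def hourly_counts(lines: Iterable[str], feature: str) -> Dict[str, int]:
    """Count events for `feature` per hour bucket (key: YYYY-MM-DDTHH)."""
    counts: Counter = Counter()
    for line in lines:
        if not line.strip():
            continue
        ts, _actor, feat, _outcome = parse_line(line)
        if feat == feature:
            counts[ts.strftime("%Y-%m-%dT%H")] += 1
    return dict(counts)


def top_actors(lines: Iterable[str], feature: str, hour: str, n: int = 3) -> List[Tuple[str, int]]:
    """Who generated the events for `feature` in a given hour; one actor dominating is the tell."""
    per_actor: Counter = Counter()
    for line in lines:
        if not line.strip():
            continue
        ts, actor, feat, _outcome = parse_line(line)
        if feat == feature and ts.strftime("%Y-%m-%dT%H") == hour:
            per_actor[actor] += 1
    return per_actor.most_common(n)


def spikes(series: List[Tuple[str, int]], window: int = 6, k: float = 3.0) -> List[str]:
    """Return hour keys whose count exceeds median + k*MAD of the preceding `window` hours."""
    flagged: List[str] = []
    for i in range(window, len(series)):
        baseline = [count for _hour, count in series[i - window:i]]
        med = statistics.median(baseline)
        mad = statistics.median(abs(count - med) for count in baseline)
        # Floor the spread at 1 so a perfectly flat baseline still yields a usable threshold.
        threshold = med + k * max(mad, 1.0)
        if series[i][1] > threshold:
            flagged.append(series[i][0])
    return flagged


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    print(hourly_counts(lines, "view_as"))             # {'2018-09-25T08': 2, '2018-09-25T09': 5}
    print(top_actors(lines, "view_as", "2018-09-25T09"))  # [('u2001', 4), ('u1004', 1)]
    # Constructed week-long hourly series with one abnormal hour in the middle.
    series = [("h0", 12), ("h1", 15), ("h2", 11), ("h3", 14), ("h4", 13), ("h5", 12), ("h6", 90), ("h7", 14)]
    print(spikes(series))                                # ['h6']
```

Note that `h7` is not flagged even though its baseline window now contains the 90: the median of that window is 13.5 and its MAD stays at 1, so the threshold barely moves. With a mean and standard deviation the same 90 would have pushed the threshold high enough to hide a second, smaller spike.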

How much did this breach cost Facebook?

Facebook suffered major financial consequences as a result of the breach.

Their stock price plummeted 13% in the month following the hack, wiping out nearly $60 billion in market capitalization. Their Q3 2018 earnings took a significant hit in the aftermath.

They also faced numerous lawsuits related to the incident. Facebook settled a class action lawsuit in 2021 for $650 million to address claims they failed to adequately protect user data.

In July 2019, Facebook was fined $5 billion by the FTC for privacy violations related to the hack, as well as other violations like Cambridge Analytica. This was the largest ever fine imposed by the FTC for privacy violations.

Facebook also had to spend significant resources investigating the breach, shoring up their security defenses, and enhancing their systems to prevent future attacks. They had to notify millions of users, field questions, and deal with the public relations fallout.

While difficult to quantify precisely, experts estimate the total costs to Facebook resulting from the hack realistically range from $5-10+ billion when you add up all the factors.

How did users and the public react?

The breach led to strong outrage from users, legislators, and the general public. Many people were incensed that Facebook allowed such a massive violation of user privacy and security to happen. Key reactions included:

  • Widespread anger and lack of trust in Facebook’s ability to protect user data
  • Users threatening to delete Facebook accounts and use competing platforms
  • Calls for Facebook CEO Mark Zuckerberg to resign
  • Criticism of Facebook’s initial response and handling of the breach
  • Accusations that Facebook was too focused on growth and profits over security
  • Renewed scrutiny of Facebook’s data collection practices
  • Increased support for more regulation of social media privacy and security

The incident added momentum to ongoing efforts by legislators to impose stricter requirements on technology companies to protect user data and disclose breaches.

Did the hack lead to new regulations?

The Facebook breach contributed to an environment of increased scrutiny of technology companies and demands for improved data privacy laws. Some of the notable regulatory developments that followed include:

  • California Consumer Privacy Act (CCPA) – Went into effect Jan 2020. Gives California residents new rights over their data and requires disclosure of data collection.
  • General Data Protection Regulation (GDPR) – Sweeping European privacy law that went into effect May 2018, prior to the Facebook breach. Increased fines for violations.
  • Consumer Online Privacy Rights Act (COPRA) – Proposed federal online privacy law establishing consumer rights over data. Remains draft legislation as of late 2022.
  • State privacy legislation – In the absence of strong federal laws, various states have passed their own privacy statutes, including Virginia, Colorado, Connecticut, and Utah.

While not solely a reaction to the Facebook hack, these new privacy laws demonstrate a shift toward users having more control over their personal data and companies being held accountable for breaches.

Conclusion

The 2018 Facebook data breach represents one of the most serious security incidents to ever impact social media users. Attackers exploited vulnerabilities in Facebook’s code to hijack tens of millions of accounts and access private profile data.

While no evidence shows user passwords or financial data were stolen, the breach highlighted glaring weaknesses in Facebook’s privacy protections. It unleashed a storm of outrage, lawsuits, regulation, and costs to Facebook likely totaling billions.

The hack serves as a cautionary tale of the security challenges faced by companies collecting massive amounts of personal data. It demonstrated how a single overlooked vulnerability can have far-reaching implications for user privacy. Though Facebook has hardened their defenses, the sheer scale of their platform will likely make them an attractive target for years to come.