Facebook has long been known as a place where young, innovative developers want to work. Employees cite the great perks they have, such as small work teams, trust by the organization, and having a sense of accomplishment. Facebook is also a company that has been mired in scandal for the last two years, specifically over their privacy practices and data handling processes. Thursday was not a good day for the corporate giant, as it announced a data breach that impacted 50 million user records.
If you were one of the 90 million people who woke Friday morning to find that you had been logged out of the application, then you were either one of the 50 million whose access tokens were stolen or one of the 40 million whose sessions were reset as a precaution. Unfortunately, the company has chosen not to tell users at login whether they were part of the 50 million or the 40 million.
The company announced that the source of the breach was two-fold:
The “View As” feature, which lets a user see their own profile as another user would see it.
A bug in the site’s video upload feature, which generated an access token and exposed it in the “View As” page, allowing the attackers to steal access tokens. An access token stands in for a logged-in session: whoever holds it can act as that user without knowing the password, which is why the only effective remediation was to invalidate the tokens and force the affected accounts to log in again.
Facebook joins a long list of companies who have announced data breaches in 2018, including Macy’s, Adidas, Best Buy, Under Armour, and Whole Foods. Consumers are growing more and more concerned with each announcement and are all asking the same question.
Why does this keep happening?
There is no single, simple answer to that question, but these breaches do share some common traits.
Websites are under constant attack – as companies look to expand their presence and offer their customers more functionality, the attack surface available to hackers grows.
Breaches of usernames and passwords remain a consistent problem – hackers harvest the login credentials from one data breach and replay them against other sites, a technique known as credential stuffing, and because users reuse passwords a meaningful fraction of those replays succeed. This makes credential lists highly sought after in an attack.
Shape Security’s 2018 Credential Spill Report noted that “Credential stuffing attacks make up, on average, 80-90% of an online retailer’s login traffic.” and “The US consumer banking industry faces nearly $50 Million per day in potential losses due to credential stuffing attacks.”
Most of these breaches involved the exploitation of coding flaws – whether it is a data leak on a corporate website, a vulnerability in an API, or a security gap in a payment application system, the key takeaway is that these breaches were preventable.
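To make the credential-stuffing pattern above concrete, here is a small detector run over constructed login log lines. It is an added example written for this page, not code from the article or from Facebook; the log format, field names and thresholds are assumptions. The signal it looks for is the one stuffing leaves and that a forgotten password or a brute force against a single account does not: one source trying many distinct usernames, each roughly once, with most attempts failing and a few succeeding because the password was reused. The successes are the actionable part, since those are the accounts to log out and reset.

```python
"""Credential-stuffing detector over login logs.

Added example for this page; not code from the article or from Facebook.
The log format, field names and thresholds are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (assumed format: "<ISO time> ip=<addr> user=<name> result=<ok|fail>").
# 203.0.113.7 sprays six different usernames in six seconds and gets one hit (erin).
# 198.51.100.2 is one person mistyping their own password twice, then succeeding.
# 192.0.2.9 is a normal single login. The last line is malformed and must be skipped.
SAMPLE_LOG = """\
2018-09-28T08:00:01Z ip=203.0.113.7 user=alice result=fail
2018-09-28T08:00:02Z ip=203.0.113.7 user=bob result=fail
2018-09-28T08:00:03Z ip=203.0.113.7 user=carol result=fail
2018-09-28T08:00:04Z ip=203.0.113.7 user=dave result=fail
2018-09-28T08:00:05Z ip=203.0.113.7 user=erin result=ok
2018-09-28T08:00:06Z ip=203.0.113.7 user=frank result=fail
2018-09-28T08:00:10Z ip=198.51.100.2 user=carol result=fail
2018-09-28T08:00:25Z ip=198.51.100.2 user=carol result=fail
2018-09-28T08:00:40Z ip=198.51.100.2 user=carol result=ok
2018-09-28T08:01:00Z ip=192.0.2.9 user=dave result=ok
this line is malformed and is skipped
"""

LINE_RE = re.compile(r"^(\S+) ip=(\S+) user=(\S+) result=(ok|fail)$")


def parse_line(line):
    """Return (timestamp, ip, user, success) or None for a line that does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
    return ts, m.group(2), m.group(3), m.group(4) == "ok"


def detect_stuffing(lines, window=timedelta(minutes=5), min_users=5, min_fail_pct=80):
    """Flag source IPs that, inside any `window`, tried at least `min_users`
    distinct usernames with at least `min_fail_pct` percent failures.

    A single user retrying their own password, or a brute force against one
    account, has few distinct usernames and is not flagged. For each flagged IP
    the report covers all of that IP's events, and `compromised` lists the
    accounts it logged into successfully: those are the ones to log out and reset.
    """
    events = sorted((e for e in map(parse_line, lines) if e), key=lambda e: e[0])
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev[1]].append(ev)

    alerts = {}
    for ip, evs in by_ip.items():
        start = 0
        flagged = False
        for end in range(len(evs)):
            # Slide the window start forward until the span fits in `window`.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            win = evs[start:end + 1]
            users = {e[2] for e in win}
            fails = sum(1 for e in win if not e[3])
            # Integer comparison avoids float rounding exactly at the threshold.
            if len(users) >= min_users and fails * 100 >= min_fail_pct * len(win):
                flagged = True
                break
        if flagged:
            alerts[ip] = {
                "attempts": len(evs),
                "distinct_users": len({e[2] for e in evs}),
                "failures": sum(1 for e in evs if not e[3]),
                "compromised": sorted({e[2] for e in evs if e[3]}),
            }
    return alerts


if __name__ == "__main__":
    for ip, report in detect_stuffing(SAMPLE_LOG.splitlines()).items():
        print(ip, report)
```

Grouping by source IP is only a floor: real stuffing campaigns are spread across proxy pools so that no single address crosses a per-IP threshold, which is why production detection also tracks the global rate of distinct usernames failing per minute and the overall hit rate. Rate limiting by itself only slows the attacker down; the defensive win is revoking the sessions behind the successful logins, which is essentially what Facebook did when it logged 90 million people out.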
In a corporate culture whose mantra was once “Move fast and break things,” Facebook now must face the consequences of its developers’ coding practices and decisions.
Steve Jobs famously said, “It doesn’t make sense to hire smart people and tell them what to do; we hire smart people so they can tell us what to do.” In 2018, maybe we need to update that thought.
“Hire smart people, but be sure to provide them the training and tools they need to guide us down the proper paths.”