As Facebook does its best to raise its profile after the Cambridge Analytica scandal and to convince political leaders that it is finally ready to preserve the independence of elections on its platform (see EUROPE 12097), the social network has now fallen victim to a hack that gave unauthorised access to nearly 50 million accounts.
The head of the American social network giant, Mark Zuckerberg, announced, on Friday 28 September, that the 'View As' feature had been hacked through the exploitation of several anomalies. “The breach was repaired last night (Thursday)”, he said during a telephone conversation with several journalists.
For now, Facebook does not know a great deal about the attack. “Since we’ve only just started our investigation, we have yet to determine whether these accounts were misused or any information accessed. We also don’t know who’s behind these attacks or where they’re based. We’re working hard to better understand these details”, said Guy Rosen, responsible for Facebook’s Product Management.
On the EU side, one can feel the tension. “I urge Facebook to fully cooperate with DPC Ireland. We need to know if EU users were affected and what had happened to their data”, Vera Jourova, EU Justice Commissioner, tweeted.
The Irish data protection authority (DPC) has made it known that it is urgently waiting for clarification from Facebook, including information on the number of European users who have potentially been affected, in order to correctly assess “the nature of the breach and risk to users”.
This further blow to the social network is very different from the Cambridge Analytica scandal. Apart from the difference in the nature of the violation, it occurred, a priori, after the entry into force of the General Data Protection Regulation (GDPR) on 25 May this year.
Under the new rules, Facebook therefore had 72 hours at most, after becoming aware of the breach, to notify the Irish authority of it. This was done, Guy Rosen assured. The social network must, moreover, inform all persons affected and is liable to a heavy fine in the event of failure to comply with European rules.
The attack used the “complex interaction of many anomalies”, the social network explained. “A suspect peak of activity” was apparently detected on 16 September and, after an internal inquiry, the fault was identified during the afternoon of Tuesday 25 September.
The breach concerns a code change made in July 2017 to the function for downloading videos. This is said to have had an impact on the 'View As' feature, a function that allows users to see what their profile looks like to others.
Between Thursday 27 and Friday 28 September, Facebook thus deactivated the access tokens, which allow automatic connection without having to enter the password, for the 50 million accounts concerned as well as, as a precaution, 40 million other accounts for which the tool was recently used. As a result, 90 million users have to reconnect to the network. The 'View As' feature is deactivated until further notice, states the social network, which is working with the American FBI to identify those responsible. (Original version in French by Marion Fontana)