Facebook has a problem with user data security. Again? Yes, how many more times? On March 19, journalist Brian Krebs reported that the company had stored users' passwords in plaintext for years (news, Krebs' article, official Facebook statement). Judging by the official statement, and according to Krebs (who obtained the information from a company employee who wished to remain anonymous), the database of plaintext passwords was created as a side effect of developers' actions.
Your account password was very likely in this database if you used the Facebook Lite application, but other cases are possible. Facebook plans to notify all affected users individually and ask them to change their password; these are "tens of millions" of Facebook and Instagram users. The database was discovered during a routine security audit and has existed since 2012. Users of the social network suffered only nominally: Facebook claims that no suspicious activity (a leak of the database or unauthorized access by insiders) was recorded. Nevertheless, according to Krebs' anonymous source, within the company there were more than 9 million queries to the password database from two thousand developers. All in all, the film quote fits this situation well.
Such a sharply negative assessment of Facebook's security situation is possible only against the background of the social network's other troubles. It all started with the 2018 scandal over mass profiling of users by the third-party company Cambridge Analytica. After that, many aspects of how Facebook operates were uncovered that would be nice to improve in terms of user privacy: problems with content moderation, an advertising system that allows people to be targeted by phone number, and much more. On March 6, the network's founder, Mark Zuckerberg, announced radical changes to the social network, which in the future is supposed to become "privacy-focused." This is commendable, although we should not forget that the business model of the social network (and of any other free network service) still depends on selling users' personal data to advertisers in one form or another.
So, setting that aside, the password problem does not look so terrible, simply because many services regularly run into similar problems. Last year, Twitter asked 330 million users to change their passwords: it turned out that passwords in clear text, captured before hashing, had been stored in the social network's internal logs. A similar problem with logs occurred at GitHub. Instagram recently introduced the ability to download all of a user's data (as required by the GDPR), and at a certain stage the password was transmitted directly as part of the URL.
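The incidents above share one root cause: a raw password reaches a log line or a URL before it is hashed. As an added example (not code from the original post or from any of the companies mentioned), the following Python sanitizer masks credential fields in URLs and request bodies before they are logged, and a small audit function flags existing log lines that still carry an unmasked secret; the field names in SECRET_KEYS and the sample log lines are constructed assumptions.

```python
import json
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Field names treated as secrets; extend for your own schema (assumed list).
SECRET_KEYS = {"password", "passwd", "pwd", "new_password", "token", "access_token"}
REDACTED = "[REDACTED]"

def redact_url(url: str) -> str:
    """Replace secret query-string values so a request URL can be logged safely."""
    parts = urlsplit(url)
    qs = [(k, REDACTED if k.lower() in SECRET_KEYS else v)
          for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(qs, safe="/[]")))

def redact_body(body):
    """Recursively mask secret fields in a decoded JSON/form body before logging."""
    if isinstance(body, dict):
        return {k: (REDACTED if k.lower() in SECRET_KEYS else redact_body(v))
                for k, v in body.items()}
    if isinstance(body, list):
        return [redact_body(v) for v in body]
    return body

def safe_log_line(method: str, url: str, body) -> str:
    """Build the only string that should reach the log: secrets masked, never raw."""
    return f"{method} {redact_url(url)} body={json.dumps(redact_body(body), sort_keys=True)}"

# Audit pattern for logs that already exist: key=value or "key": "value" with a secret key
# whose value is not already the redaction marker.
_LEAK = re.compile(r'(?i)\b(' + "|".join(SECRET_KEYS) + r')\b\s*[=:]\s*"?(?!\[REDACTED\])[^\s&",]+')

def find_leaks(log_text: str):
    """Return (line_number, line) for log lines that appear to contain an unmasked secret."""
    return [(n, line) for n, line in enumerate(log_text.splitlines(), 1) if _LEAK.search(line)]

# Constructed sample log (not real data): one leaking line, one sanitized, one harmless.
SAMPLE_LOG = "\n".join([
    'GET /api/export?user=alice&password=hunter2 200',
    'POST /login body={"user": "bob", "password": "[REDACTED]"} 200',
    'GET /healthz 200',
])

if __name__ == "__main__":
    print(safe_log_line("POST", "/login?next=/home&token=abc123", {"user": "bob", "password": "hunter2"}))
    for n, line in find_leaks(SAMPLE_LOG):
        print(f"unmasked secret at line {n}: {line}")
```

Running find_leaks over a log archive is a cheap retroactive check for exactly the kind of "plaintext before hashing" residue the Twitter and GitHub cases involved.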
So everything seems fine: Facebook claims that even with the correct password, an attacker will not necessarily be able to log into someone else's account, because the security system will kick in. Two-factor authentication also reduces the chances of unauthorized access. Our data is securely protected, well, not counting other incidents that allowed, for example, logging into someone else's account without a password at all. And then there are the problems of a careless approach to privacy, because of which our data is stored not only by the network giants but by everyone else as well.
The demands that are gradually being placed on large organizations such as Facebook, Google and Apple turn out to be more serious than those placed on smaller companies, because of the scale. Even a small problem or flaw in their case affects a number of users equal to the population of a not-so-small country. Apparently, what matters most is not even the security of an individual user's account, but the privacy of users in general. Each message in the "something went wrong again" series makes one wonder: what else do they know about us? Who has access to what data? How is it used?
And it's not just that they show you ads for scratching posts if you regularly write about cats. We do not even know where the wide availability of user data online will lead. A relatively small scandal (Facebook was not mentioned, so hardly anyone noticed) recently occurred around IBM's face recognition algorithm. It turned out that a database of user photos from Flickr had been used for training. From a legal point of view, everything is clean: the photos were distributed under a Creative Commons license. It seems that the early-2000s generation of Internet users will be the most documented one: before it, the technology did not exist; after it, newly developed privacy standards will no longer allow it. That technologies are being developed on the basis of our data, yours and mine, is a good thing. I would like to avoid a situation in which algorithms pumped full of information know users better than they know themselves and use this not only for incredibly smart and useful services, but also for manipulation.
Disclaimer: The opinions expressed in this digest may not always coincide with the official position of Kaspersky Lab. The editors generally recommend treating any opinions with healthy skepticism.