Today’s technology and retail landscape is being shaped by an epic battle between two forces pulling at the consumer experience — it’s convenience versus privacy, and the future is in the balance.
Facebook’s latest security failure shines a stark light on the fight. As many as 50 million accounts may have been vulnerable due to a flaw in the network’s “View As” feature, giving attackers access to Facebook security tokens used to sign into other sites and apps. (Update: Facebook later said the breach affected roughly 30 million people. See below.)
Whether the tokens were actually used in this manner isn’t clear yet. Facebook said it patched the hole, and according to Guy Rosen, vice president of product management, the company hasn’t discovered any such attack.
“We have now analyzed our logs for all third-party apps installed or logged in during the attack we discovered last week,” Rosen wrote in a company blog post on Tuesday.
Still, it’s hard to overlook that the exploit’s scope stemmed from the fact that so many outside sites — including online shopping destinations — use Facebook logins as a convenience feature for consumers. The idea is that, by granting an outside site or app permission to hold a Facebook access token, consumers won’t have to log in over and over again across different web sites and apps.
“While Facebook data are different from sensitive financial information related to credit cards or bank accounts, the data potentially contains a significant amount of personally identifiable information that can be pieced together to form a profile that can then be used fraudulently,” said Scott Grissom, vice president of product leadership, marketing and sales at LegalShield.
The issue matters for a retail industry that’s increasingly collecting individual shoppers’ data for personalization services and customization features. Such measures are wholly reliant on data, as most retailers are eager to discuss. But fewer are racing to shed light on the security that protects that data.
“This is really a bigger issue than Facebook alone,” said Gil Eyal, chief executive officer of Hypr Brands, an influencer marketing platform that counts Alice + Olivia, Michael Kors and Levi Strauss & Co. among its clients. “Users leave personal information on hundreds of apps and web sites they use regularly, and the owners of those channels rarely do as much as Facebook does to protect user privacy.”
Indeed, there are no brands or stores that want to be lumped in with Equifax, which had a data breach that touched 147.9 million consumers. And already, there are plenty of retailers, including Target, Hudson’s Bay Co. and Eddie Bauer, that have been picked at by bad actors.
As for Facebook, the firm appears to be anticipating blowback from Congress. The company preemptively reached out to officials to allay concerns and state directly that it found no evidence that the security problem has spread beyond its walls.
The jury appears to be out on the ramifications of the attack.
“Since cybercriminals may have now gathered personal information of 50 million people on Facebook, we can expect ransom and phishing attacks that will be more personalized and sophisticated,” said Ruby Gonzalez, communications director at NordVPN, a virtual private networking company whose tech is often used for private, secure connections. “The breach can also lead to identity theft.”
The stakes are massive. Cornerstone Capital Group summed it up in its latest data privacy report: “The ambiguity of the current circumstances is unsustainable. While the exact future of data privacy is not possible to predict with confidence, investors should be concerned that companies whose business models rely on increasing quantity and scope of consumer data are at risk if the public ambivalence turns to opposition.”
Update Oct. 12, 2018: After further investigation, Facebook said the attack affected some 30 million people. The company also stated that, in this case, no other Facebook apps or third-party apps were affected. It broke down its findings as follows:
For 15 million people, attackers accessed two sets of information – name and contact details (phone number, email, or both, depending on what people had on their profiles).
For 14 million people, the attackers accessed the same two sets of information, as well as other details people had on their profiles. This included username, gender, locale/language, relationship status, religion, hometown, self-reported current city, birthdate, device types used to access Facebook, education, work, the last 10 places they checked into or were tagged in, website, people or Pages they follow, and the 15 most recent searches.
For 1 million people, the attackers did not access any information.