Everything we know about the security breach affecting 50 million accounts




Photo: A sign in front of Facebook's headquarters in Menlo Park, California. The security breach affected 50 million accounts. (Justin Sullivan / Getty Images)

On Friday, Facebook announced it has discovered evidence of a security breach affecting nearly 50 million accounts.

The company's investigation is still in its early stages, so much about the attack remains unknown. Here is an overview of what we know so far, based on the details Facebook has communicated to the public.

How did it happen?

Attackers exploited vulnerabilities in the code behind the platform's "View As" feature, which lets users see what their own profile looks like from another account's point of view. By chaining three different bugs in that code, the attackers were able to steal access tokens, the digital keys that let users stay signed in to Facebook without re-entering their login credentials each time, from 50 million accounts.

The developers introduced these vulnerabilities in July 2017 while updating a tool that lets users download happy birthday videos. The download tool inadvertently generated access tokens when it was displayed on a user's "View As" page, and the attackers then used those tokens to take over accounts. Facebook's security team began to notice an unusual rise in user activity on the site last December, and finally identified the attack last Tuesday.

What do hackers have access to?

In short, the attackers were able to log in to and take over user accounts. Facebook says that, so far, nothing indicates the attackers read private messages, posted anything to account pages, or stole credit card numbers. They did, however, attempt to access personal information, which could have included details such as name, gender and hometown.

The attackers may also have been able to abuse the Facebook Login feature, which lets users sign in to other apps and websites with their Facebook username and password. This means that, in theory, the attackers could have breached accounts on apps such as Instagram, Tinder and Airbnb using the access tokens they stole. Tinder said on Monday that there was "no evidence" that accounts had been accessed, but that it would be "very useful" if Facebook shared more information about the attack.

Who was responsible for the hacking?

Facebook has released little information about the attackers. Company officials said on Friday that they had not uncovered many identifying details (for example, they were unable to determine whether the attackers were working on behalf of a nation-state) and that the nature of the attack is such that we may never know who was responsible.

Carolyn Everson, Facebook's vice president of global marketing, said Monday that the attackers were quite sophisticated, because they had remained undetected for a long time and had to have an intimate understanding of three different bugs to carry out the attack. She compared them to an "intruder without weight and odor that came in".

What is Facebook doing about it?

Facebook has fixed the vulnerabilities in "View As" and in the video download tool. The company also reset the access tokens for the 50 million affected accounts, as well as for 40 million additional accounts, as a precaution. Users will also need to unlink and relink their Instagram and Oculus accounts to their Facebook accounts. Facebook users do not need to change their passwords, but they may want to log out and log back in for good measure.

Facebook has also contacted the FBI, as well as the Irish Data Protection Commission, in accordance with the EU's General Data Protection Regulation, or GDPR.

Will there be consequences for Facebook?

Shortly after Facebook announced the attack on Friday, a Virginia resident and a California resident filed a class action complaint alleging that the company's lack of appropriate security measures increased their risk of identity theft. New York Attorney General Barbara Underwood tweeted: "We are looking into the massive data breach at Facebook. New Yorkers deserve to know that their information will be protected." The FTC and Virginia Senator Mark Warner also suggested that an investigation might be necessary. Members of the British Parliament have also renewed their request that CEO Mark Zuckerberg testify before them.

Yet according to The Verge, it is the European Union that is most likely to drop the hammer on Facebook. The Irish Data Protection Commission, which helps enforce the GDPR, is asking the company for more information about the breach. If the commission finds that Facebook was negligent in protecting users' security, the fine could reach $1.63 billion: under the GDPR, companies that violate the rules must pay $23 million or 4% of their total turnover for the previous year, whichever is greater.

Until we know more about the attack, it is hard to say whether Facebook runs a high risk of being penalized under the GDPR. If, for example, it emerges that Facebook was warned of this vulnerability before the breach, the company could be held liable. It is also unclear whether Facebook would be liable for breaches of third-party applications that use Facebook Login, or whether a substantial portion of the affected accounts even belonged to residents of the European Union.
