Years ago, before there were iPhones, smartwatches, or presidential tweets, I gave Facebook everything. And why not? I was a teenager, probably loaded on Busch Light and desperate to be “friended” by so many new people, their detailed profiles at my fingertips.
What seemed like an amazing promise when I signed up for Facebook in 2005 has become a crushing liability in 2018, when the world’s largest social network has by now suffered too many data breaches to remember. The latest, detailed by the company’s security team in a blog post on Friday, affected 30 million people. I’m one of them, and the prognosis is wrenching.
“Attackers” from an unknown source, with unknown motivations, were able to access the following information through my account:
- My name
- My email addresses
- My phone number
- My birthday
- The fact that I’m married, and probably to whom
- Where I’m from
- Where I live now
- Where I work
- Where I went to school
- The 10 most recent locations where I’ve been tagged
- My 15 most recent searches on Facebook
- Posts on my timeline
- Who I’m friends with
- Who I’m private-messaging with
- Groups I’m a member of
Some people may have had it slightly worse — if, say, they’d listed their religious information — or better; users were affected to varying degrees. Regardless, the potential fallout is difficult to quantify. Any online account that uses my phone number to provide two-factor authentication is now compromised. My email address (which I use to log in to, well, everything) is too. I can change any password, but committing to a new phone number, email address, or neighborhood is a different matter entirely. I don’t belong to a sensitive group on Facebook, but many people do; to be outed as a sexual assault survivor seeking support, for example, could be devastating.
None of us should trust Facebook anymore, but it’s much too late for that to make a difference. I’ve poured data into this social network for over a decade, growing its understanding of Damon Beres and his friends bit by bit, day by day. Though users are in some way responsible for the information they’ve given to Facebook — my hometown is in some hacker’s hands because I typed C-h-i-c-a-g-o into a text field years ago — none of us are soothsayers. Like a high school student in 2005, the grandparent who signed up for the service to see baby pictures could not reasonably have expected the social network to turn into an unending web of compromised data. Nor could they have expected that the basic functions of the website would be the ones that betrayed them.
As with the Cambridge Analytica affair, this latest breach was, by Facebook’s own reporting, enabled by the platform’s social connections. Attackers “used an automated technique to move from account to account so they could steal the access tokens of those friends, and for friends of those friends, and so on, totaling about 400,000 people,” Guy Rosen, Facebook’s vice president of product management, wrote in the company’s blog post.
“The attackers used a portion of these 400,000 people’s lists of friends to steal access tokens for about 30 million people,” he continued.
In other words, each friend connection added a new node of liability. It’s a devious wrinkle that makes sense to the tech-obsessed in retrospect, but there’s nothing to be done about it now. Facebook says it’s working with the FBI to investigate the attack, and it’s unclear if the worst is to come. We know a lot of data was exposed, but we don’t know what it’s being used for yet.
Meanwhile, the officials tasked with keeping the social network in check have mostly failed to do anything. Facebook had such a lead on regulators that no law anywhere in the world, perhaps until the European Union’s General Data Protection Regulation went into effect earlier this year, could even come close to halting its hungry advance. U.S. lawmakers have been all but clueless: Remember U.S. Sen. Orrin Hatch asking Mark Zuckerberg, in April, at a Senate hearing, how the company makes money? “Senator,” Zuckerberg replied, “we run ads.”
So, we can’t stuff the genie back into the bottle, but the onus is no doubt on the 1.47 billion of us who use Facebook every day to do anything about any of this. In several full-page newspaper ads that Facebook took out mere months ago, following the Cambridge Analytica scandal, Zuckerberg makes the following promise: “We have a responsibility to protect your data, and if we can’t then we don’t deserve to serve you.” After I change my phone number and email address, Mark, I’ll take my business elsewhere.