April 4, 2019

Facebook: still absolutely terrible at security

Get ready to change passwords – again – just to be safe. Facebook user data has been exposed on a massive scale once more, and this is the biggest trove yet.

Researchers at security services firm UpGuard have discovered hundreds of millions of Facebook records sitting openly on Amazon S3 storage buckets, readable by anyone who found them. The trove of user data includes account names, Facebook IDs, reactions, shares and comments, plus, in one of the data sets, plaintext passwords; or, if you’re a keen Facebook watcher, the same kind of data points Cambridge Analytica used without permission to analyse, profile and target end users.

The latest exposure comprises two data sets totalling more than 146 gigabytes and over 540 million records. The information wasn’t exfiltrated from Facebook’s own systems. In this case the data on Amazon servers originated from third-party sources: a Mexico City based media company called Cultura Colectiva, and a Facebook-integrated app called “At the Pool” which was shuttered in 2014. The Cultura Colectiva bucket holds most of the 540 million records, while ‘At the Pool’ held more than 20,000 Facebook logins, passwords included, in plaintext.

Exactly how the two companies got hold of the data is still under investigation, though in the case of ‘At the Pool’ the likeliest route is Facebook’s own platform API (the interface that lets third-party apps operate as Facebook add-ons): users who signed into the app with Facebook granted it permission to read their profile data, and the app simply kept what it collected, years after it shut down. Whatever the collection route, the final hole was mundane: whoever uploaded the files to Amazon left the storage buckets open to the internet.
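Leaving a bucket world-readable is a configuration mistake, and one you can test for. The snippet below is an added example, not code from the original article or from UpGuard, and it makes no claim about which S3 setting (bucket policy or ACL) was at fault in the Cultura Colectiva case; it evaluates both mechanisms offline against constructed sample inputs (the bucket names, account ID and role name are made up) so you can see a world-readable configuration next to a locked-down one.

```python
"""Offline check for a world-readable S3 bucket configuration.

Added illustration, not code from the original article or from UpGuard.
It evaluates a bucket policy document and a bucket ACL, the two S3-side
mechanisms that can make a bucket public, against constructed sample
inputs; bucket names, account IDs and role names below are made up.
"""
import json

# Groups meaning "everyone on the internet" / "anyone with any AWS account".
PUBLIC_GROUP_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}

# Constructed sample: a policy and ACL of the kind that leaves a bucket open.
WEAK_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AllowPublicRead",
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-app-exports/*",
    }],
})
WEAK_ACL = {
    "Owner": {"ID": "exampleownerid"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "exampleownerid"},
         "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group",
                     "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
         "Permission": "READ"},
    ],
}

# Constructed sample: the corrected configuration, scoped to one IAM role.
HARDENED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AllowExportRoleOnly",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::123456789012:role/example-export"},
        "Action": ["s3:GetObject", "s3:PutObject"],
        "Resource": "arn:aws:s3:::example-app-exports/*",
    }],
})
HARDENED_ACL = {
    "Owner": {"ID": "exampleownerid"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "exampleownerid"},
         "Permission": "FULL_CONTROL"},
    ],
}


def _as_list(value):
    """IAM policy fields may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _principal_is_public(principal):
    """True for Principal "*" or {"AWS": "*"} (including "*" inside a list)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def public_policy_statements(policy_json):
    """Return Allow statements whose principal is everyone.

    A statement carrying a Condition is still reported (many conditions,
    e.g. aws:Referer, do not make a bucket private) but is flagged so a
    reviewer can decide whether the condition genuinely restricts access.
    """
    findings = []
    for stmt in _as_list(json.loads(policy_json).get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if not _principal_is_public(stmt.get("Principal", {})):
            continue
        findings.append({
            "sid": stmt.get("Sid", "<no sid>"),
            "actions": _as_list(stmt.get("Action", [])),
            "conditional": "Condition" in stmt,
        })
    return findings


def public_acl_grants(acl):
    """Return permissions the ACL grants to the AllUsers/AuthenticatedUsers groups."""
    return [
        grant["Permission"]
        for grant in acl.get("Grants", [])
        if grant.get("Grantee", {}).get("Type") == "Group"
        and grant["Grantee"].get("URI") in PUBLIC_GROUP_URIS
    ]


def bucket_is_public(policy_json, acl):
    """A bucket is exposed if either mechanism opens it; both must be clean."""
    return bool(public_policy_statements(policy_json)) or bool(public_acl_grants(acl))


if __name__ == "__main__":
    for label, policy, acl in (("weak", WEAK_POLICY, WEAK_ACL),
                               ("hardened", HARDENED_POLICY, HARDENED_ACL)):
        print(label, "public" if bucket_is_public(policy, acl) else "private",
              public_policy_statements(policy), public_acl_grants(acl))
```

In a real audit you would feed it the output of `aws s3api get-bucket-policy --bucket NAME` (the policy document is the JSON string under the `Policy` key) and `aws s3api get-bucket-acl --bucket NAME`. Two caveats: the check ignores Deny and NotPrincipal statements, so treat it as a screen rather than a verdict, and it only reads what S3 itself reports. The simplest fix of all, turning on S3 Block Public Access for the whole account, makes both mechanisms moot.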

It’s another reminder that Facebook is a security nightmare: its use at work or at home opens up opportunities for personal data loss and malware infection.

Ongoing problems

Despite the company’s claims about improving privacy, Facebook is still paying for a legacy of lax controls over third-party access to user data. Yet even after a particularly bad run starting in 2017, users continue to flock to the site. Too many of them aren’t fully aware of the platform’s issues and vulnerabilities, or haven’t understood the potential for harm. That means cybersecurity professionals have to make Facebook awareness training a top priority.

Facebook has found numerous ways to insinuate itself into our digital lives: tracking cookies on third-party sites, deep integration with smartphone and tablet operating systems, and the access tokens we hand to other apps and websites when we sign into them with Facebook Login. The platform and its technology partners regularly hoover up user data well beyond the likes we give to posts in our news feeds.

Should we just advise people to delete it?

Well, yes. But that ship has probably sailed.

We’ve all grown too accustomed to using the social network in our personal and professional lives. People use it ubiquitously in the office, working remotely, on public wifi networks or relaxing at home. Its growing popularity as a messaging platform is making it another vector for phishing scams.

Securing Facebook and locking down user privacy is therefore fairly complex – something reflected in its myriad desktop and mobile privacy and security settings (though these have been simplified recently).

Making Facebook safe for work

While there may be no sure-fire way to make Facebook breach-proof, raising awareness of its vulnerabilities and ongoing issues with data loss is an excellent place to start.

There are top tips we can share and behaviours we can promote that will make Facebook use less risky, such as:

  • Switching off adverts based on data from partners
  • Ignoring or blocking friend requests and messages from accounts you don’t recognise
  • Moving to strong, unique passwords and switching on two-factor authentication, potentially making this a condition of Facebook use in the office
  • Learning how to review and revoke third-party apps’ access to your data – the permission grant persists even after you have deleted the app, until you remove it yourself
  • Knowing how to recognise phishing attempts in Facebook Messenger

All of this can be achieved as part of your security awareness training programme, either as a standalone course, or as a regular content stream based on the fact that Facebook-borne cyber risks are likely to be with us for a long time to come.

Want to learn more about empowering your employees’ security defences? Why not sign up for a free demo and find out how we’re already helping organisations just like yours.

Help your employees out a little

A great place to start is by sharing our useful article on how to make your Facebook account secure. At the very least, if they must use it, it’ll help them be just a little bit more secure: https://thedefenceworks.com/blog/how-to-secure-my-facebook-account/
