1. Type of Breach: The breach involved unauthorized access to user accounts, allowing attackers to potentially view private information, including profile details and posts, as well as the private groups and events of which the affected users were members.
2. Cause of Breach: The security issue arose from a vulnerability in the Facebook code that allowed attackers to exploit the "View As" feature, designed for users to preview how their profile appears to others. By abusing this feature, attackers could obtain access tokens, the digital keys used to verify users' identities, without the users' knowledge.
3. Number of Affected Users: Facebook initially estimated the number of affected accounts at around 50 million. Subsequent investigation revealed a wider scale, with approximately 90 million user accounts potentially affected.
4. Compromised Data: While unauthorized access to user accounts occurred, Facebook clarified that no sensitive data, such as passwords, credit card information, or Social Security numbers, was compromised during this specific incident.
5. Initial Response: Upon discovering the breach, Facebook launched an investigation and took steps to mitigate the issue. The affected accounts were secured, and users were logged out of their accounts as a precaution.
6. Notification to Users: Facebook notified the affected users through on-screen messages and email alerts, informing them about the breach and advising them to take necessary security precautions.
7. Impact on Users: Besides potentially exposing private information, the breach may have had lasting implications for users' privacy, as attackers could use the obtained data for phishing, personalized spam campaigns, or other malicious purposes.
8. External Scrutiny: The incident came under intense scrutiny from lawmakers, privacy advocates, and users, raising questions about Facebook's ability to protect user data and address vulnerabilities in its systems.
9. Regulatory Investigations: The incident attracted attention from regulators globally, leading to investigations into Facebook's handling of user data and whether any data protection regulations were violated.
10. Changes in Security Measures: Following the breach, Facebook implemented additional security measures, including a new tool called "Login Alerts" to inform users about suspicious login attempts, stricter third-party app permissions, and enhanced account recovery processes.
11. Legal Settlement: In July 2019, Facebook reached a $5 billion settlement with the Federal Trade Commission (FTC) over privacy concerns, including allegations that the company failed to adequately protect user data in light of the 2018 security breach.
12. Ongoing Security Efforts: Facebook continues to invest in security improvements, implementing various initiatives to detect and prevent unauthorized access, strengthen user authentication, and respond swiftly to security incidents.
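Item 2 describes a preview feature that ended up issuing access tokens for the wrong principal. The following is an added example, not Facebook's code: a constructed token issuer that shows the flawed issuance beside a hardened one, with the server-side check a defender would want. The token format, scope names, and user names are assumptions made for the illustration.

```python
"""Access-token issuance for a "View As" style profile preview.

Illustrates the failure class from item 2: a preview feature must never
mint a token that acts as the *previewed* user. Token format, scope names
and user names are constructed for this example, not Facebook's own.
"""
import hashlib
import hmac
import json
import secrets

SERVER_KEY = secrets.token_bytes(32)  # constructed demo signing key


def _sign(claims: dict) -> str:
    """Serialise claims and append an HMAC tag (hex body '.' hex tag)."""
    body = json.dumps(claims, sort_keys=True).encode()
    tag = hmac.new(SERVER_KEY, body, hashlib.sha256).hexdigest()
    return body.hex() + "." + tag


def parse_token(token: str) -> dict:
    """Verify the tag in constant time and return the claims."""
    body_hex, tag = token.split(".")
    body = bytes.fromhex(body_hex)
    expected = hmac.new(SERVER_KEY, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("bad signature")
    return json.loads(body)


def issue_preview_token_flawed(viewer: str, target: str) -> str:
    # Flaw: the page is rendered "as" the target, so the token is minted
    # for the target with full scope. The real viewer is ignored, and
    # whoever obtains the token can act as the target afterwards.
    return _sign({"sub": target, "scope": "full"})


def issue_preview_token(viewer: str, target: str) -> str:
    # Hardened: the subject stays the real viewer; the previewed user is
    # only a rendering hint, and the scope is limited to the preview.
    return _sign({"sub": viewer, "view_as": target, "scope": "preview"})


def authorize(token: str, action: str):
    """Bearer check: return the principal the token acts as, or None.
    A preview-scoped token may only render a profile, nothing else."""
    claims = parse_token(token)
    if claims["scope"] == "preview" and action != "render_profile":
        return None
    return claims["sub"]
```

The flawed token parses to a full-scope token for the previewed user, which is exactly the exposure the breach description names; the hardened token can only render a profile and always identifies the real viewer.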
It's important to note that Facebook has made significant changes to its security practices since the 2018 incident. These changes have helped to improve the security of user data, and Facebook continues to work to protect user privacy.