In 2019 Facebook identified a vulnerability in their application that allowed attackers to scrape a tremendous amount of personal information about their users. Facebook announced in April that more than 500 million personal records were likely scraped before they patched the vulnerability. Moreover, Facebook did not notify the security community or its users about the flaw in 2019. Nor did they admit that they did not disclose this vulnerability in 2019, but sort-of-kind-of conflated it with an Instagram vulnerability from the same time period.

Organizations that rely on Facebook to be transparent about security issues (say, organizations that use Facebook’s login API for their consumer-facing applications) should be worried. Facebook has shrugged off consumer concerns about privacy and disinformation campaigns for years, even when the data shows the risks involved. But consider this … if 500-million-plus user records are in the wild, are these still useful questions to ask to verify a user at login?

“What is your mother’s maiden name?”
“What is your pet’s name?”
“Where did you go to elementary school?”
“What is your favorite band name?”

This is what the public generally knows:

  • Facebook had hundreds of millions of personal records scraped from their application two years ago and didn’t tell anyone.
  • Facebook says that they were transparent about security vulnerabilities, but cannot show evidence of disclosure.
  • Personal information in Facebook is commonly used to verify consumers’ identities.

This is what you should not be focused on:

  • Do not dismiss this as a problem for Facebook users alone.
  • Do not think of this as an exposure of information that individuals already share. It’s the collection of that information in one place that can be manipulated in ways you may not have already considered. Authentication through personal secrets and Facebook’s Login API are both good places to start a risk analysis.

This is what you should be focused on:

  • If your systems rely on Facebook for anything, including their login API, evaluate the risk of continuing to use the service when the company has not been transparent about security vulnerabilities.
  • Find out which employees use their corporate email addresses as their Facebook logins. Increase your employees’ awareness – especially those employees – of social engineering and phishing attacks, and ask them to be especially vigilant for unusual email requests for access, financial transactions, or sensitive information.
  • Consider email protection services (such as Proofpoint, Mimecast, Barracuda, Sophos, etc.).