The Office of the Australian Information Commissioner (OAIC) is looking into Facebook’s most recent security breach to determine how many Australians were affected by the hack.
Over the weekend Facebook disclosed hackers had exploited a vulnerability that allowed them to access 50 million Facebook accounts.
In a statement published on September 29th, the OAIC said Facebook had advised the privacy watchdog about “an incident involving the security of Facebook accounts.”
“The OAIC is making inquiries with Facebook about the facts, including the number of Australians who may have been impacted by the incident. The OAIC is also in contact with the Australian Cyber Security Centre about the incident,” the statement reads.
In April the OAIC opened a formal investigation into Facebook following the revelation that more than 300,000 Australians’ information may have been shared with Cambridge Analytica, the data analytics company behind Donald Trump’s election campaign. That investigation is ongoing.
Unlike the Cambridge Analytica scandal, which scraped user data, this breach allowed someone to use an account as though it were their own. During a call with reporters, Guy Rosen, Facebook’s VP of product management, said that hackers could have accessed other third-party apps that were using the Facebook login.
[Update 3/9/2018: Facebook says it has found no evidence that hackers were able to access any of the third party apps using Facebook Login.]
With the bugs now fixed, Facebook says it doesn’t know if any of the vulnerable accounts were misused by hackers or who is behind the attack.
The social media giant says attackers exploited a vulnerability in Facebook’s code that impacted the “view as” feature, which lets people see what their own profile looks like to someone else. This allowed them to steal Facebook access tokens – the keys which keep users logged in on various devices – which they could then use to take over people’s accounts.
Facebook reset the access tokens of the 50 million affected accounts, as well as another 40 million accounts as a precautionary measure. That meant 90 million people needed to log back into their Facebook accounts.
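The mitigation described above, invalidating every access token on every device for an affected account so that a stolen token stops working, is a standard pattern. The following is an added example written for this article, not Facebook’s code (Facebook’s token system is not public): it keeps a per-account token generation counter so that resetting an account is a single increment rather than a search through all of its tokens, and it uses constructed user IDs (`alice`, `bob`) and a hypothetical `TokenStore` class.

```python
import secrets
from dataclasses import dataclass


@dataclass
class TokenRecord:
    """What the server remembers about one issued access token."""
    user_id: str
    generation: int  # generation of the account when the token was issued


class TokenStore:
    """Opaque bearer tokens with per-account bulk revocation (hypothetical)."""

    def __init__(self):
        self._tokens = {}       # opaque token string -> TokenRecord
        self._generation = {}   # user_id -> current token generation

    def issue(self, user_id):
        """Log a user in on one device: mint a fresh random token."""
        gen = self._generation.setdefault(user_id, 0)
        token = secrets.token_urlsafe(32)  # 256 bits of entropy, unguessable
        self._tokens[token] = TokenRecord(user_id, gen)
        return token

    def resolve(self, token):
        """Return the user a token belongs to, or None if unknown or revoked."""
        rec = self._tokens.get(token)
        if rec is None:
            return None
        # A token issued under an older generation has been reset; purge it.
        if rec.generation != self._generation.get(rec.user_id):
            del self._tokens[token]
            return None
        return rec.user_id

    def reset_user(self, user_id):
        """Invalidate every token the account has, on every device, at once."""
        self._generation[user_id] = self._generation.get(user_id, 0) + 1

    def reset_many(self, user_ids):
        """Bulk reset, e.g. for the affected set plus a precautionary set."""
        for uid in user_ids:
            self.reset_user(uid)


def demo():
    """Constructed scenario: alice's token leaks, alice is reset, bob is not."""
    store = TokenStore()
    alice_phone = store.issue("alice")   # suppose this one was stolen
    alice_laptop = store.issue("alice")
    bob_phone = store.issue("bob")

    stolen_works_before = store.resolve(alice_phone) == "alice"

    store.reset_many(["alice"])          # the precautionary reset

    result = {
        "stolen_works_before": stolen_works_before,
        "stolen_works_after": store.resolve(alice_phone) is not None,
        "laptop_works_after": store.resolve(alice_laptop) is not None,
        "bob_unaffected": store.resolve(bob_phone) == "bob",
    }
    # The user logs back in and receives a token under the new generation.
    result["relogin_works"] = store.resolve(store.issue("alice")) == "alice"
    return result


if __name__ == "__main__":
    print(demo())
```

The generation counter is what makes the "90 million people needed to log back in" step cheap on the server side: a reset touches one integer per account, and stale tokens are rejected lazily the next time they are presented, so the thief’s copy of a token is dead the instant the reset happens regardless of how many devices the account had.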
“This attack exploited the complex interaction of multiple issues in our code. It stemmed from a change we made to our video uploading feature in July 2017, which impacted ‘view as.’ The attackers not only needed to find this vulnerability and use it to get an access token, they then had to pivot from that account to others to steal more tokens,” Rosen wrote in a blog post.
Facebook said it had notified law enforcement and is working with the FBI to determine the identity of the hackers.
According to an analysis by the Wall Street Journal, Facebook could be fined as much as US$1.63 billion under GDPR. Ireland’s Data Protection Commission, which has jurisdiction over Facebook in Europe, has requested Facebook provide more information about the breach.