Facebook Got Hacked and This Is What Hackers May Know About You

From now on, heist films will be increasingly less thrilling. Identity is the new gold. And who wants to see George Clooney break into data servers?

Last week, hackers stole the access to 50 million Facebook accounts. But, as you’ll see during this article, the hack is not constrained to Facebook and may be more far reaching than initially thought. What can the hackers know about you? And even if you weren’t directly affected, is there a reason to be worried?

A few years ago, Facebook decided to solve a problem. When you on-boarded a website or application you had to register every single time. You had to create a unique set of credentials (“login details”) for every website you registered in. That constituted a terrible user experience.

In the “offline world”, a passport is an official document issued by a government, attesting the holder’s identity and authorising them to travel to and from foreign countries. One authority grants you one credential that allows you entry in multiple places. In the internet world Facebook decided to be that authority and create the passport you use online.

Do you wish to login using Facebook?

That passport is called Facebook Connect. Facebook Connect is a set of API’s that allows users to login to third-party websites and applications using their Facebook account. Several hundreds (thousands?) of services, from small to large, such as Expedia or Tinder, outsourced their registration processes over to Facebook. It made registrations much quicker and easy. You wouldn’t need to input your name, e-mail, age or upload photos, for example, in each new service. Less clicks, less passwords to memorize, less friction for users.

Those publishers accepted Facebook as an authority validating those users identity. The users trusted Facebook as an authority certifying their identity before those services.

Identity is the key word here.

According to Darrell O’Donnell, a digital identity expert, Facebook and Google “are the organisations with both scale and financial reasons for hosting that expensive database”.

They are in the data business. The more they know about you, the better they can serve you ads, the happier paying advertisers will be.

The Honey Pot

Hackers exploited three bugs — a vulnerability that has been reported as existing since 2017 — to steal 50 million users’ “access tokens”. The entry keys to an account on Facebook. By that point, hackers could already have control over a person’s Facebook account. But the breach does not stop there because, due to Facebook Connect, hackers could also access all the websites that person uses Facebook to log in to.

In a study by The University of Illinois, researchers found, in controlled experiments, that hackers, exploiting those vulnerabilities, could read a person’s messages on Tinder (without them appearing as “read”), could see a person’s passport number and payments on Expedia and access real time-tracking on the Uber app and even tip the driver. (Source)

That is one problem of granting “control of digital identities to centralised authorities of the online world” (Christopher Allen).

Dr. Strangelove or: How I Stopped Worrying About Hacks on Identity Hoarders and Love Self-Sovereign Identity

Putting it simply: Self-Sovereign Identity is an identity you own. It’s yours. You hold it and you decide who gets to “see” it and what of it they get to “see”.

Example: you have a credential in a digital form. A passport, let’s say. You will hold this credential in a wallet on your device (a mobile phone, perhaps). This credential has a Credential ID attached to it. The same Credential ID is stored on a blockchain alongside a signature from the authority who gave you your passport. A signature that proves that passport is credible.

Important: only this Credential ID is on the blockchain, not your actual passport data.

Once on the blockchain it becomes immutable. No one can alter that Credential ID.

When I travel and show my digital passport to the airport security they check the Credential ID on my passport and verify if it’s the same Credential ID that is registered on the blockchain. They also check the signature attached to the ID which shows, for example, that the Government signed off on it. If there’s a match in the ID’s my identity is verified. Hooray!

But let’s bring this use case down to our Facebook problem: If the context is one of an app, say Tinder, the app would check the Credentials in my wallet (name, D.O.B, etc) but never store them itself. Avoiding the honey pot problem. There is no centralised storage of identity that may be subject to breaches. Meaning that for hackers to steal 50 million accounts they would have to hack those 50 million accounts individually.

This wallet/credential would be interoperable also solving the problem of having to re-register to every new service with new credentials. I could use the same credentials in my wallet to all services/apps.

According to Darrell O’Donnell, companies are realising the major liability that is storing personal data of customers (or employees). Every breach, loss or theft of personal data may turn into significant lawsuits and fines. Which may mean that, in the near future, companies will also start working their way into Self-Sovereign Identity solutions.

Facebook released a statement staying that “has so far found no evidence that the attackers accessed any apps using Facebook Login.” Although that is quite different from saying that they found evidence that no attackers accessed any apps.

Learn more about Tykn’s Digital Identity platform here.


Leave a comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.