Facebook employees reportedly feel guilty that the company didn’t fix a known security risk fast enough to prevent its biggest data breach ever

Facebook was repeatedly warned about a security risk that was taken advantage of in a hack involving 50 million accounts in 2018, and failed to fix it in time, according to a report by the Telegraph’s Laurence Dodds.

Concerns about the risk posed by “access tokens” – digital keys that allow access to users’ accounts – were raised as early as December 2017, the Telegraph reported, citing legal documents from a class-action lawsuit filed in the US against the company.

The security risk was a contributing factor to the largest data breach in the company’s history, with the access tokens of 50 million people stolen. For 14 million people, hackers obtained the birth date, devices used to log in, locations checked into, recent searches, and more.

According to the report, Facebook employees said concerns about the tokens were largely ignored, and that the hack “could have been prevented.” Facebook engineers warned in December 2017 that access tokens would be “easy” for hackers to exploit, the report said. Employees reportedly expressed “guilt” over the issue.

Facebook said in a statement to Business Insider that the risk was not from access tokens themselves, but “the obscure interaction of several different Facebook features” that allowed hackers to generate access tokens for users.

“Any accusation that Facebook knew or was warned about this vulnerability is simply wrong,” a company spokesperson said.

Hackers were able to generate tokens for other users through Facebook’s “View As” feature, gaining access to their accounts and compromising the access tokens of 50 million accounts.

In 2018, Facebook reset the tokens for the 50 million accounts that were hacked, as well as an additional 40 million accounts that had been used for a View As look-up within the previous year, leading to 90 million Facebook users being logged out of their accounts.

Engineers raised concerns that because the tokens used by Facebook at the time were too broad and did not expire, they posed a risk, creating a potential loophole that could easily be exploited, the report said.

Employees said that changes that could have prevented the hack were not completed, and that warnings were “almost all ignored,” the report said.

One engineer said that features involving the non-expiring tokens “shouldn’t be launched to the public,” according to the report. A tip from a software engineer outside the company that the View As feature could be exploited was ignored, according to court documents cited by the report.

A Facebook employee said of the tokens that, “in retrospect, we definitely should have killed this months ago,” the report said.

Facebook said on Friday that, to settle the class-action lawsuit, it would improve security protocols, including frequent monitoring of suspicious activity involving access tokens, Bloomberg reported.

Source: BusinessInsider