We always say it's not if, but when. Even Facebook, as we woke up this morning to hear, has fallen prey to a security breach, one so large that it makes the SingHealth data breach look minuscule by comparison.
Attackers didn't get away with NRIC numbers, but that should not offer any relief. They got away with something far more valuable. According to Facebook, attackers exploited a vulnerability that allowed them to steal account access tokens. With those access tokens in hand, attackers can essentially take over the accounts of the affected people.
Access tokens are digital keys that grant access to their associated accounts, permitting anyone in possession of one to act as if they were the account owner. A token is not the same as the password, but it is equivalent (and, from an attacker's point of view, maybe even better): the password and any two-factor code are checked at login, before the token is issued, so whoever holds the token is never asked for either.
This flaw affected 50 million users, and potentially another 40 million. Facebook has reset the access tokens for all 90 million, which invalidates any copies the attackers hold.
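To make the two points above concrete (a stolen token is as good as the account, and a server-side token reset is what cuts the attacker off), here is a toy bearer-token service. It is an added example written for this post, not Facebook's code; the user name, password, the `otp_ok` flag standing in for a real second-factor check, and the token-generation counter used for resets are all constructed for illustration.

```python
"""Toy bearer-token service (constructed example, not Facebook's implementation).

Shows that (1) the password and second factor are checked only at login,
(2) afterwards the token alone identifies the user, and (3) resetting a
user's tokens invalidates every outstanding copy without changing the password.
"""
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple


class AuthService:
    def __init__(self) -> None:
        # username -> (salt, password hash, current token generation)
        self._users: Dict[str, Tuple[bytes, bytes, int]] = {}
        # sha256(token) -> (username, generation the token was issued under)
        self._tokens: Dict[bytes, Tuple[str, int]] = {}

    @staticmethod
    def _hash_password(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    @staticmethod
    def _token_key(token: str) -> bytes:
        # Store only a hash of the token so a leaked table is not a leaked session.
        return hashlib.sha256(token.encode()).digest()

    def register(self, username: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self._users[username] = (salt, self._hash_password(password, salt), 0)

    def login(self, username: str, password: str, otp_ok: bool) -> Optional[str]:
        """Password and second factor are verified here, and only here."""
        record = self._users.get(username)
        if record is None:
            return None
        salt, pw_hash, generation = record
        if not hmac.compare_digest(pw_hash, self._hash_password(password, salt)):
            return None
        if not otp_ok:  # stand-in for a real 2FA check (assumption)
            return None
        token = secrets.token_urlsafe(32)
        self._tokens[self._token_key(token)] = (username, generation)
        return token

    def whoami(self, token: str) -> Optional[str]:
        """Bearer semantics: whoever presents a live token *is* the user.

        No password, no OTP: this is why a stolen token is so valuable.
        """
        entry = self._tokens.get(self._token_key(token))
        if entry is None:
            return None
        username, issued_generation = entry
        if issued_generation != self._users[username][2]:
            return None  # token predates a reset, so it is dead
        return username

    def reset_tokens(self, username: str) -> None:
        """Invalidate every token ever issued to this user; password untouched."""
        salt, pw_hash, generation = self._users[username]
        self._users[username] = (salt, pw_hash, generation + 1)


def demo() -> dict:
    svc = AuthService()
    svc.register("alice", "correct horse battery staple")  # constructed credentials
    victim_token = svc.login("alice", "correct horse battery staple", otp_ok=True)

    # Attacker holds only the token: no password, no second factor needed.
    attacker_access = svc.whoami(victim_token)

    # The fix: the service resets the user's tokens, as Facebook did.
    svc.reset_tokens("alice")
    after_reset = svc.whoami(victim_token)

    # The owner logs in again with the *same* password; no password change needed.
    new_token = svc.login("alice", "correct horse battery staple", otp_ok=True)
    return {
        "attacker_access": attacker_access,
        "after_reset": after_reset,
        "owner_relogin": svc.whoami(new_token),
    }


if __name__ == "__main__":
    print(demo())
```

The generation counter is the interesting part: instead of hunting down every issued token, the service bumps one number per user and every older token fails the `whoami` check. That is also why being asked to log in again is the expected, harmless side effect of the remediation.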
If you found yourself needing to log in to Facebook again this morning, when you normally don't because you leave your web browser or mobile app logged in, then you're probably among these 90 million users. That forced logout is the token reset taking effect, not a sign that something is still wrong.
Social media accounts are a treasure trove of personal information, including private messages, contacts and location history. That is potentially far worse than the kind of data stolen in the SingHealth data breach.
I don't want to sound like a broken record, but the truth is that such data breaches can happen anywhere. We should expect that even organisations with the best security practices will ultimately fall to an attack. Hence, as individuals, we should think about what happens when the data we entrust to organisations gets stolen and falls into the hands of adversaries.
That's like asking what happens if the money you put in your bank gets stolen, and the bank can't honour your deposit anymore because it's broke. I know that's hard to imagine in Singapore, since deposits are guaranteed (up to a certain limit), and large-scale physical robberies big enough to shut down a bank are quite unlikely.
As with the SingHealth data breach, there's not much you need to do even if you are affected, except to be vigilant. You don't have to change your password, at least not because of this incident per se: the stolen item was the token, not the password, and the token has already been reset. If you want to be sure, the "Where You're Logged In" section of Facebook's security settings lets you review active sessions and log out of all of them, which revokes every outstanding token for your account.
Information security, and data breaches, are now just part of life.