Profile picture
Paul-Olivier Dehaye @podehaye
, 12 tweets, 2 min read Read on Twitter
The FB press release on the data breach discloses enough to conclude it was way more devastating than reported. It makes two partial disclosures: one on quality of the hack (how well did hackers control a hacked account), one on quantity (how many accounts hacked at that level).
The quality of the hack is extremely high: if you fully own an account, you could (through "View As") fully control the account of any of their friends as well (by pretending to be them). One could use this to hop towards high value targets, from friend to friend.
Quality of hack is so high one could also use this full control to log into any place where Facebook Login would have been used (Tinder, Spotify, etc), and access to all the user data there as well. If you read carefully the press release it is implied, but could be clearer.
So, quantitatively, how many users would have been affected in this way? Direct answer: 50 M, a large number but a small percentage of the FB population.
BUT BUT BUT BUT BUT that is not the end of the story. Many more people (basically all the friends of those 50M fully-powned accounts), could have been hit as well. For instance, their profiles would have been scrape-able, their pictures, their private messages, etc
So there the hack has the potential to hit all of those 50M users' friends. Even when estimated conservatively, that must include entire countries, and almost certainly the entire US.
To be clear: I don't know that the hackers did this, scraped, etc. But given what is in the press release it is a foregone conclusion they would have had the technical capacity to do so (a full pownage gives you full view of the friends)
Also, it would have been v hard to detect, since the pownage was so thorough that from FB's viewpoint the credentials were indistinguishable from the real thing. They were the real thing.
Now there is an interesting tidbit in there: the hack was tied to the option to upload a video on one's birthday. Given the mechanics of the buggy tool, I think this means the hackers could only use as a starting point accounts on their actual birthday engadget.com/2016/07/28/fac…
Converse of this is that if your account has been fully owned through the breach, with credentials revoked (one of the 50M), it probably happened because your friend w/ a recent birthday was hacked right before you (Sept? Aug?)
(one note: they could use any account they fully owned as a starting point to fully own more, but only provided it was that profile's birthday that day. So of course they could actively change the birthday of a profile they controlled, but they would run the risk of detection)
(note: that link is not relevant, but I can't find documentation for the correct Video Uploader)
Missing some Tweet in this thread?
You can try to force a refresh.

Like this thread? Get email updates or save it to PDF!

Subscribe to Paul-Olivier Dehaye
Profile picture

Get real-time email alerts when new unrolls are available from this author!

This content may be removed anytime!

Twitter may remove this content at anytime, convert it as a PDF, save and print for later use!

Try unrolling a thread yourself!

how to unroll video

1) Follow Thread Reader App on Twitter so you can easily mention us!

2) Go to a Twitter thread (series of Tweets by the same owner) and mention us with a keyword "unroll" @threadreaderapp unroll

You can practice here first or read more on our help page!

Related threads

Profile picture
The Justice Department is about to announce charges against Chinese government (APT10) hackers for a long-running economic espionage campaign against U.S. and other Western businesses.

Watch live: justice.gov/live
Deputy AG Rod Rosenstein: "Today, the Department of Justice is announcing a criminal indictment of two hackers associated with the Chinese government" for attacks on "dozens of companies in the United States and around the world."
Rosenstein: The charges are for attacks on "managed service providers" that provide IT services to other companies.
Read 34 tweets
Profile picture
At 10AM today, CBP Commissioner Kevin McAleenan (@CBP_McAleenan) will be appearing in front of the Senate Judiciary Committee for an important oversight hearing. I'll be livetweeting the hearing and pulling out any important parts of the testimony. judiciary.senate.gov/meetings/overs…
McAleenan has already made his written testimony available. While I haven't had the chance to read it carefully, one very important thing to note is that he doesn't mention family separation or metering once. judiciary.senate.gov/imo/media/doc/…
The hearing begins with Chairman Grassley praising the "important work" of CBP, describing it as a law enforcement agency. Grassley says he was impressed on private meeting with McAleenan about all the work he's done protecting migrants, which is... debatable at best.
Read 106 tweets
Profile picture
Last week I spoke about how we build ultra-reliable AWS services. It's my favourite talk that I've given. Everyone I've asked has told me that they learned something new and interesting 😃 Here I'm going to tweet some highlights to tempt you to watch ...
Like most systems architects, we divide our services into data planes ... the pieces that do the work customers are most interested in, like a running an instance, serving content, or storing bits durably ... and control planes, which manage everything behind the scenes.
Control Planes are all about taking intent and translate it into real world action in the universe. Just like your TV remote. You tell it what you want, and it's job is to make that happen. But it's harder than it seems!
Read 52 tweets
Profile picture
For the past several years, I've been looking at - and dealing with - people complaining about how dependencies work in JavaScript. The problem is... almost all of these complaints are misguided. So, let's look at exactly *why* those claims are false.

Thread.
Preface: Dependencies in JS work *very* different from almost any other language. If you haven't worked with JS very much, you're probably making assumptions about the tradeoffs that are valid in other ecosystems, but not in JS. This is the source of a lot of these complaints.
Let's start with one of the most common ones: "developers have forgotten how to program, they just glue together dependencies now".

This one is built on a fundamental misunderstanding of what programming *is*. Programming isn't about writing code. It's about solving problems.
Read 51 tweets
Profile picture
1/3 Was trying to remember when the ES&S hack was - when @VotingVillageDC reminded me last night. It was Aug 2017 - In the massive 1.8 mill #voter ES&S #data breach part of the download was...encrypted versions of passwords for ES&S employee accounts. usatoday.com/story/tech/201…
2/3 @UpGuard is the company who found the breach. “The worse-case scenario is that they could be completely infiltrated right now,” said Upguard's director of strategy Jon Hendren.
3/3 ES&S is the largest provider of voting equipment in the country. Let me just repeat that for emphasis. “The worse-case scenario is that they could be completely infiltrated right now.” And hackers could have had a full year to do what they need to do. apnews.com/f6876669cb6b4e…
Read 4 tweets
Profile picture
UCC had opportunity to comment on the #Data.Protection & Privacy Bill. The enactment of this law is long overdue. A comprehensive law on the collection & processing personal information gives effect to the right to Privacy envisaged under Article 27(2) of the Constitution
UCC welcome the protections offered by the Bill in terms of export of data, breach notification requirements, data subjects access rights, automated decision making, compensation and the right to be forgotten and provision for financial and penal sanctions for breach of the law.
Distinction between Data collectors & data controllers.
The Bill should however clarify & distinguish Data Collectors, from Data Processors & Data Controllers. Clause 2 is inconsistent with international good practice which provides for two broad categories of Data Controllers
Read 17 tweets

Trending hashtags

#helpeachother #AltGovDaily #Trump #MalFeasance #JohnPodesta #LoveYourselfTearIsComing #quantity #voterregistration #CRAMS #hackers #opportunity #shellcompanies #whatsthepoint #LaurusLabs #HerbertSandler #IndivisibleTimes #CIA #scifi #WeAreData #BigBankBailOut #election #InfoSec #3Blokes #MiddleClass #WHPDaily

Did Thread Reader help you today?

Support us! We are indie developers!

This site is made by just three indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member and get exclusive features!

Premium member ($30.00/year)

Too expensive? Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal Become our Patreon

Thank you for your support!