Paul-Olivier Dehaye @podehaye, 12 tweets, 2 min read
The FB press release on the data breach discloses enough to conclude it was way more devastating than reported. It makes two partial disclosures: one on quality of the hack (how well did hackers control a hacked account), one on quantity (how many accounts hacked at that level).
The quality of the hack is extremely high: if you fully own an account, you could (through "View As") fully control the account of any of their friends as well (by pretending to be them). One could use this to hop towards high value targets, from friend to friend.
Quality of hack is so high one could also use this full control to log into any place where Facebook Login would have been used (Tinder, Spotify, etc.), and access all the user data there as well. If you read the press release carefully it is implied, but could be clearer.
So, quantitatively, how many users would have been affected in this way? Direct answer: 50 M, a large number but a small percentage of the FB population.
BUT BUT BUT BUT BUT that is not the end of the story. Many more people (basically all the friends of those 50M fully-powned accounts) could have been hit as well. For instance, their profiles would have been scrape-able, their pictures, their private messages, etc.
So there the hack has the potential to hit all of those 50M users' friends. Even when estimated conservatively, that must include entire countries, and almost certainly the entire US.
To be clear: I don't know that the hackers did this, scraped, etc. But given what is in the press release it is a foregone conclusion they would have had the technical capacity to do so (a full pownage gives you full view of the friends)
Also, it would have been v hard to detect, since the pownage was so thorough that from FB's viewpoint the credentials were indistinguishable from the real thing. They were the real thing.
Now there is an interesting tidbit in there: the hack was tied to the option to upload a video on one's birthday. Given the mechanics of the buggy tool, I think this means the hackers could only use as a starting point accounts on their actual birthday engadget.com/2016/07/28/fac…
The converse of this is that if your account has been fully owned through the breach, with credentials revoked (one of the 50M), it probably happened because your friend w/ a recent birthday was hacked right before you (Sept? Aug?)
(one note: they could use any account they fully owned as a starting point to fully own more, but only provided it was that profile's birthday that day. So of course they could actively change the birthday of a profile they controlled, but they would run the risk of detection)
(note: that link is not relevant, but I can't find documentation for the correct Video Uploader)
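The exposure estimate the thread argues for (the 50M fully-controlled accounts plus every friend whose profile those accounts could view, plus third-party services reachable through Facebook Login) can be made concrete as a blast-radius calculation over a social graph. The following is an added example, not code from the thread's author or from Facebook; the graph, the linked-app table and the function names are constructed assumptions, and it generalizes the thread's reasoning to any set of seed accounts:

```python
from collections import defaultdict

# Constructed toy social graph (assumption, not real data): user -> friends.
FRIENDS = {
    "alice": {"bob", "carol"},
    "bob": {"alice", "dave"},
    "carol": {"alice"},
    "dave": {"bob", "erin"},
    "erin": {"dave", "frank"},
    "frank": {"erin"},
    "grace": set(),  # no friends among the compromised: stays unexposed
}

# Constructed: third-party services each user signed into via Facebook Login.
LINKED_APPS = {
    "alice": {"spotify"},
    "bob": {"tinder", "spotify"},
    "carol": {"tinder"},
}


def symmetrize(friends):
    """Friendship is mutual; return an adjacency map that reflects that."""
    g = defaultdict(set)
    for user, fs in friends.items():
        g[user]  # make sure isolated users still count in the population
        for f in fs:
            g[user].add(f)
            g[f].add(user)
    return g


def exposure(friends, linked_apps, fully_controlled):
    """Estimate who was exposed given a set of fully controlled accounts.

    - controlled: accounts whose tokens were taken (the disclosed 50M tier)
    - viewable_friends: everyone whose profile, pictures and messages a
      controlled account could read (the larger, undisclosed tier)
    - third_party_sessions: (user, service) pairs reachable because the
      controlled account's Facebook Login token works at that service
    """
    g = symmetrize(friends)
    controlled = set(fully_controlled)
    viewable = set()
    for user in controlled:
        viewable |= g[user]
    viewable -= controlled
    sessions = {(u, app) for u in controlled for app in linked_apps.get(u, set())}
    exposed = controlled | viewable
    return {
        "controlled": controlled,
        "viewable_friends": viewable,
        "total_exposed": exposed,
        "exposed_fraction": len(exposed) / len(g),
        "third_party_sessions": sessions,
    }


if __name__ == "__main__":
    report = exposure(FRIENDS, LINKED_APPS, {"alice"})
    print(f"fully controlled: {sorted(report['controlled'])}")
    print(f"friends whose data was viewable: {sorted(report['viewable_friends'])}")
    print(f"share of population exposed: {report['exposed_fraction']:.0%}")
    print(f"third-party sessions reachable: {sorted(report['third_party_sessions'])}")
```

The point the numbers make is the thread's: compromising one account out of seven exposes three of seven users' data, because the viewable tier is the union of the seeds' friend lists rather than the seed count. Run against a realistic degree distribution, that union quickly covers most of a connected population, which is why the disclosed 50M figure understates the data that was readable.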