Facebook revealed Friday that it had been subject to a breach it discovered three days prior. An unknown hacker compromised 50 million accounts by stringing together a chain of software bugs that ultimately enabled the culprit to steal people’s so-called app access tokens. These tokens allow users to remain logged in, skipping the hassle of repeated password re-entry. Anyone in possession of another person’s token gains the ability to hijack that person’s profile.
In other words, Facebook faced, by its own estimation, 50 million potential account takeovers. What makes the situation worse is that these tokens can provide access to other linked services: Instagram, news sites, games, etc. Anything to which people have connected via a Facebook login could have been vulnerable. Contagion, networked.
The exploit was ironic. Facebook’s “view as” feature, a tool ostensibly designed for privacy purposes—that is, to let users check how their profile appears to other people—accidentally acted as a data sieve. While viewing one’s profile “as someone else,” an attacker could trigger a buggy video uploader through a mechanism intended to let people wish one another “happy birthday.” Accessed this way, the video uploader—containing flawed code since July 2017—served up a log-in token for that “someone else,” rather than for the true viewer. By impersonating targets through “view as,” an attacker could reap tokens galore.
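To make the flaw class concrete, here is an added illustrative model (not Facebook's code, and not a reproduction of their bug) of how a "view as" preview identity can end up as the subject of an issued token, beside the corrected pattern and a check that flags a confused token; the `Session` fields, the in-memory token store and the user names are all constructed assumptions.

```python
import secrets
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass(frozen=True)
class Session:
    authenticated_user: str             # the account that actually logged in
    view_as_user: Optional[str] = None  # preview target while "view as" is active


# Constructed in-memory token store: token -> account the token grants access to.
TOKENS: Dict[str, str] = {}


def _mint(subject: str) -> str:
    token = secrets.token_urlsafe(16)
    TOKENS[token] = subject
    return token


def issue_token_vulnerable(session: Session) -> str:
    """Flawed pattern: the token subject is taken from the page's rendering
    context, so in "view as" mode the token belongs to the impersonated user."""
    subject = session.view_as_user or session.authenticated_user
    return _mint(subject)


def issue_token_fixed(session: Session) -> str:
    """Correct pattern: a token is bound only to the authenticated principal,
    no matter what preview context the page is rendered in."""
    return _mint(session.authenticated_user)


def token_owner(token: str) -> Optional[str]:
    return TOKENS.get(token)


def is_token_confused(session: Session, token: str) -> bool:
    """Server-side check: a token handed to a session that does not belong to
    that session's authenticated user is a confused token and should be revoked."""
    return token_owner(token) != session.authenticated_user


def demo() -> tuple:
    # Constructed scenario: alice previews her profile "as" bob.
    preview = Session(authenticated_user="alice", view_as_user="bob")
    bad = issue_token_vulnerable(preview)   # minted for bob, the preview target
    good = issue_token_fixed(preview)       # minted for alice, the real viewer
    return token_owner(bad), token_owner(good)
```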
Here’s a rule I live by: Never—or mostly never—use a social media login to access other online services. (I make a few exceptions for news aggregators connected to Twitter.) At the time of writing this column, only one service had access to my Facebook profile. I have since revoked its permission. (Sorry, Scribd.)
To review which services are connected to your Facebook account, take the following steps. Visit “Settings,” then click “Apps and Websites.” You can manage permissions here. If you’re worried about having to remember myriad passwords, use password management software.
Remember: every linkage is a potential point of vulnerability. Cybersecurity professionals call this concept network segmentation, and it is one of their fundamental principles.
A number of readers alerted me that a link I included in my last essay about credit freezes was broken. I regret the error. Here are the correct links: Equifax (phone number: 1-800-685-1111), Experian (1-888-397-3742), TransUnion (1-888-909-8872). Happy freezing.
Have a great weekend.
Welcome to the Cyber Saturday edition of Data Sheet, Fortune’s daily tech newsletter. Fortune reporter Robert Hackett here. You may reach Robert Hackett via Twitter, Cryptocat, Jabber (see OTR fingerprint on my about.me), PGP encrypted email (see public key on my Keybase.io), Wickr, Signal, or however you (securely) prefer. Feedback welcome.
We are family / I got all my sisters with me. Spotify is asking some subscribers to its “premium for family” plan to prove they live in the same household by supplying GPS data. Some people are upset about the aggressive address confirmation tactic, arguing that some family members are frequently separated by travel. Spotify also debuted a feature that curates a playlist based on a listener’s genetic profile. I recommend The Atlantic’s criticism, “Your DNA Is Not Your Culture,” a statement with which I could not agree more.
Pass interference. At a United Nations meeting, President Donald Trump accused China of meddling in the upcoming midterm elections. “They do not want me or us to win because I am the first president to ever challenge China on trade,” he said. China, of course, rejected the claim.
They say it’s your birthday. Cloudflare, a multibillion-dollar private company that boosts the security and performance of websites, celebrated its birthday this week. In honor of the anniversary, the firm teed up a slew of announcements. The company introduced a “gateway” that makes it easier to access content on IPFS (a protocol that enables a more decentralized web). It said it would sync computer clocks with Google in order to improve encryption on the web. It created a “Bandwidth Alliance” with Microsoft and IBM to reduce data transfer fees in the cloud. And it began supporting encrypted Server Name Indication, an Internet protocol upgrade that ups the privacy of web browsing.
Criminal roundup. The British investigative news site Bellingcat reported that it identified one of the suspects who poisoned ex-Russian spy Sergey Skripal and others earlier this year: Colonel Anatoliy Chepiga, a Russian military intelligence officer. Singaporean courts fined a security engineer at Tencent, the Chinese tech giant, $5,000 for hacking his hotel’s Wi-Fi network and then blogging about it. An ex-NSA employee named Nghia Hoang Pho was sentenced to 66 months in prison for taking home classified materials. Ji Chaoqun, a Chinese national, was charged with spying in Chicago.
For my next trick, I will make Zuck disappear.
Secure the vote. With midterm elections fast approaching in the U.S., few changes have been made to shield the nation’s voting infrastructure from hacker threats. The New York Times Magazine warns that our democracy remains distressingly vulnerable to interference or, worse, manipulation by bad actors. One major issue: voting machines are made by private companies that have a history of resisting audits of their software and ballots—meaning even if someone were to meddle, “there’s a good chance we simply won’t know.”
Allstate’s CEO Wants to Change the Way People Give Companies Their Personal Data by Kristen Bellstrom
Qualcomm Says Apple Stole Secret Info to Help Intel by Aaron Pressman
ONE MORE THING
Open your mind. Julian Baggini, a British philosopher, argues in an essay published by The Guardian that the study of philosophy in the western world exhibits a bias, unsurprisingly, toward western philosophy. For instance, the west tends to conceive of time as linear, whereas other cultures may view it as more cyclical. These subtle variations between cultures can “shape the way we think about both our temporal place in history and our relation to the physical places in which we live,” Baggini writes.