Another Day, Another Facebook Problem

Facebook has identified, and fixed, an exploit that allowed attackers to gain control of user accounts. These failures are so common and so widespread, it’s becoming hard to even notice them.

Ian Bogost / The Atlantic

Updated on September 28 at 5:33 p.m. ET

More bad news: Facebook has announced that a security exploit allowed attackers to gain control of at least 50 million user accounts.

According to the company, the exploit impacted a feature that lets users see what their profile looks like to another user. In this case, the breach doesn’t appear to involve extracting data from servers. Instead, the defect—introduced by a change to the way videos get uploaded—allowed attackers to gain control of a user’s account directly, without a password. Facebook says it has fixed the vulnerability and taken steps to protect other users who could have been impacted. “We’re taking this incredibly seriously,” Guy Rosen, Facebook’s vice president of product management, wrote on the company’s behalf.

This is not great. Someone who gains access to your Facebook account can see all your posts, your friends, your contact info, your messages, and more. They can also take actions on your behalf—and access other services you have logged into via Facebook. A determined attacker could make creative use of selectively targeted Facebook users. Just think of the worst thing someone might find on your own Facebook account. Now imagine the same thing for your spouse, your children, your boss, or your friends. That’s not all, though: As the New York Times’s Gabriel Dance showed, these tokens can also be used to scrape data from an account’s friends.

But here’s the strange thing: In light of all the bad things that have happened on and around Facebook in recent years, this kind of betrayal feels low-key. That’s how bad things have gotten with online security in general, and with Facebook in particular. Compared to facilitating the large-scale extraction of user data, running illegal and discriminatory advertising, sharing user information with Chinese electronics manufacturers, expediting election interference, exposing content moderators to gruesome imagery, sowing dissent to the point of violence, and even just building an estranging record of human lives, letting someone scurry around your account for a while seems maybe not so bad.

Don’t misread me: It is bad. But it feels less bad than it once would have. Hacks and breaches have become so commonplace that the public is beginning to acclimate to them. When the Sony Pictures data breach took place in 2014, it was widely covered as a major industrial and political event. Journalists even trawled through the data released by it, perhaps somewhat improperly, because it seemed newsworthy to cover the goings-on of wealthy, powerful Hollywood executives. The Target and Home Depot hacks of 2013 and 2014 felt more personal, but also easier to manage: Just get a new credit or debit card. After the Ashley Madison hack in 2015, everyone realized that they were as vulnerable as the power players, and they started to worry. Last September, after the Equifax breach exposed more than half of Americans’ most sensitive personal information, I compared the feeling of being impacted by a data breach to a malaise of everyday life, like traffic or errands.

Then the Cambridge Analytica revelations arose, and the ongoing foreign meddling in global politics appeared to have a real, measurable impact on the outcome of elections, including the 2016 U.S. presidential election. In the grand scheme of things, someone looking at your hidden photos or private messages or group postings feels lower-stakes.

It’s not, of course. All of this is part of a bigger tide that washes heaps of data ashore, then deposits it like silt for anyone to find, pocket, and exploit. Defects are to be expected from time to time, but users should nevertheless expect that Facebook does everything it can to safeguard the information people share with it.

The problem is, eventually it becomes impossible to keep up. Facebook is a huge company that manages data for billions of people all around the globe. It is an appealing target for attack and is therefore under constant bombardment. Security becomes an arms race, and every remedy introduces a new potential weakness. Mark Zuckerberg’s appeals to artificial-intelligence solutions to hacking, abuse, disinformation, and other vexations amount to magical thinking. The same computational facility that makes it possible to scale an online business to billions of users across the globe, the thinking goes, should make it possible to automate its management.

But the opposite is more likely true. Facebook and its kindred companies have not grown like trees, branching higher and wider to deliver the shade of their services, but like tubers: in every direction, sending roots and shoots wherever they might find soil and moisture to prosper. If it were a plant, Facebook would be an invasive species, like ground ivy or bamboo, lashing itself to any surface and suffocating out other life. Every moment of every day introduces a new expanse of its influence, and thereby a new source of exploitation. None of this is likely to slow down or stop.

And so there will be more bad news, and ever more bad news, over and over again. So much of it that eventually the least bad of the bad news will fall out of circulation, ceasing to raise enough hackles to generate outrage, or even attention. Today is just one more along that passage. Another day on Facebook’s blue Earth, a little worse than the one before.