50 million Facebook users breached

In yet another blow on Facebook's worst year to date, the company admitted late last Friday that it had suffered a data breach, with approximately 50 million users potentially affected.

This breach is particularly bad, because it allowed attackers to take control of a Facebook account, and even log in to third-party services it might be authenticated to, like Airbnb and any other service that uses Facebook login.

The New York Times wrote that the attack was serious in both scale and breadth, using multiple bugs to create the exploit:

Three software flaws in Facebook’s systems allowed hackers to break into user accounts, including those of the top executives Mark Zuckerberg and Sheryl Sandberg, according to two people familiar with the investigation but not allowed to discuss it publicly.

Here's how it went down: a tool Facebook formerly offered, 'View As', let you view your own profile as a specific friend would see it, so you could check your privacy settings and confirm they can't see information you want hidden.

By stealing an access token generated by Facebook's 'birthday' video uploader on that page, the attacker could use it to get into the other user's account, presumably turning the 'View As' session into a fully fledged account takeover.
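The core design failure described above is a preview feature that mints a real, fully privileged token for the user being impersonated, so any component that leaks it hands out the account. The model below is an added illustration written for this post, not Facebook's code: it contrasts a preview token scoped to the actual viewer with one issued in the target's name, using a constructed HMAC token format and a placeholder key.

```python
import base64, hashlib, hmac, json, time

SECRET = b"constructed-demo-key"  # placeholder signing key, not a real credential


def _sign(claims: dict) -> str:
    """Encode claims and append an HMAC so tampering is detectable (toy format)."""
    body = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode()).decode()
    mac = hmac.new(SECRET, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{mac}"


def _verify(token: str) -> dict:
    body, mac = token.rsplit(".", 1)
    expected = hmac.new(SECRET, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        raise ValueError("bad signature")
    return json.loads(base64.urlsafe_b64decode(body))


def view_as_vulnerable(viewer: str, target: str) -> str:
    # Preview rendered by issuing a full-rights token *as the target user*.
    # A leak anywhere on the preview page (e.g. an embedded uploader that
    # receives this token) is a complete takeover of `target`.
    return _sign({"sub": target, "scope": "full", "exp": time.time() + 3600})


def view_as_hardened(viewer: str, target: str) -> str:
    # Token stays bound to the real actor, is read-only, short-lived, and only
    # records whose visibility rules to apply when rendering the viewer's profile.
    return _sign({"sub": viewer, "act_as": target, "scope": "preview",
                  "exp": time.time() + 300})


def authorize(token: str, account: str, action: str) -> bool:
    """Decide whether `token` may perform `action` on `account`."""
    claims = _verify(token)
    if claims["exp"] < time.time():
        return False
    if claims["scope"] == "full":
        return claims["sub"] == account
    # Preview tokens may only read the actor's own profile; never act as the target.
    return claims["scope"] == "preview" and action == "read_profile" and claims["sub"] == account
```

Even with the hardened design, the preview token should still never be exposed to components that do not need it; the scoping just bounds the damage when one slips through.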

It's a wild revelation because it's difficult to know the extent of the breach. Facebook logged out affected users, but hasn't admitted what activity might have occurred on the accounts or how to rectify any of the third-party logins being affected.

Facebook hasn't said when the attack happened, nor what affected users should do next, and the government is watching. Under Europe's new GDPR rules, the company could face billion-dollar fines for the breach, which will be the first real test of the privacy-focused law -- but it may have dodged this by reporting it swiftly.

It's doubtful this is the top-end of the breach, and I expect Facebook to admit in time that many more were compromised. It's hard to believe out of a few billion active users, such a small number of accounts (proportionally speaking) were affected.

Much of Facebook's code-base, at this point, is a liability: the core product is over a decade old, and I'll bet we'll see more of these types of issues crop up as it continues to age. Code rots in strange ways, and Facebook has been lucky to avoid a breach like this to date.
Tab Dump

Amazon actually raises the minimum wage for its workers
The company faced immense public pressure for paying its warehouse workers a barely-livable hourly rate, around $10 an hour, and rarely reviewing it for workers. It's finally raising it to at least $15 an hour, which might even have an impact on its quarterly results -- but people will actually be able to afford to eat now.

Waymo denied a slew of patents thanks to one engineer
This is wild: Waymo applied for more than 50 patents relating to self-driving cars, but was denied almost all of them after a random dude with no interest in the space at all objected to them.

Google's testing a wild new game streaming service
It's only a matter of time until internet connections and cloud services are powerful enough to stream games to any device out there, and Google's testing just that from October 5. You'll be able to play the latest Assassin's Creed, in a browser, no hardcore PC required -- and I bet everything will go this way eventually.

California just signed a net neutrality bill into law
US lawmakers killed Obama's net neutrality laws just a few months ago, but California isn't having it. Unfortunately, the US justice department is now suing California for what it thinks is a violation of federal law by implementing this. Duuurp.