The Media Today

Are we all suffering from data breach fatigue?

October 3, 2018

Personal information from tens of millions of Facebook accounts is exposed and used for unknown purposes, due to a series of complicated events involving the social network’s data policies, the details of which remain unclear. Sound familiar? That’s because it could describe a number of similar events in recent memory, including the Cambridge Analytica debacle earlier this year, as well as the latest data breach, in which about 90 million users had their accounts compromised. Facebook announced the latest breach on September 28, saying attackers “exploited a vulnerability in Facebook’s code that impacted ‘View As,’ a feature that lets people see what their own profile looks like to someone else.”

The breach was reported by the usual technology publications like Wired and TechCrunch, but it didn’t make a big splash outside of that narrow range of outlets. Could it be that we are all suffering from data breach fatigue—and not just users, but journalists too? Facebook seems to go through these kinds of data-related accidents routinely: Ink is spilled, the company apologizes, changes some policies, and everyone moves on. Some users threaten to delete their accounts, and it’s possible that some do, but the vast majority don’t seem to care. (It probably didn’t help that the news about the breach arrived late on a Friday).

It could also be, as New York Times reporter Mike Isaac noted on Twitter, that the constant barrage of news about Supreme Court nominee Brett Kavanaugh and the never-ending outrage about whatever Donald Trump just tweeted tends to use up the oxygen in the media; there is little left for things like a garden variety Facebook data leak. But as Isaac and others have also pointed out, this wasn’t just a routine breach—in this case, hackers got access to the full accounts of certain users, which means they also got access to whatever other services those users had logged into using their Facebook credentials. That significantly expands the potential damage of the hack, since many people sign into other services such as Tinder and Spotify with their Facebook login (on Tuesday, Facebook said in an update that it hadn’t detected any evidence of compromised third-party logins, although its investigation is still ongoing).

Facebook isn’t the only company to suffer from hacks and data breaches, of course. In just the last few months, Reddit and Instagram have both been hit by attacks, and Dropbox, Spotify, Netflix, and LinkedIn have been affected in the past (you can use a website called Have I Been Pwned to check and see if your email address and password appear in any of these major hacks). Data breach fatigue and the avalanche of Trump-related news aren’t the only factors that make incidents like the Facebook hack difficult to report on. These kinds of hacks are also complex in a technological sense, and that makes them hard to understand—for both journalists and their readers. Explaining in an easy to understand way how one-time software “access tokens” are used for single sign-on (SSO) services is not for the faint of heart. In this case, the hijacking of accounts appears to have involved at least three bugs in three separate but interrelated Facebook functions.

On top of everything, Facebook hasn’t provided a lot of detail yet about who was affected in the latest breach, or how. It announced the hack promptly, in part because it is required to do so under the EU’s new General Data Protection Regulation or GDPR (and could be fined as much as $1.6 billion for the breach under the new rules). But it has been less forthcoming about the details, which leaves not just users but technology reporters in the dark, until Facebook decides to open up a bit more about what happened, or until the FTC or Congress force it to do so.

Here’s more about Facebook and data breaches:

  • A thread: If you want to understand the implications of the Facebook data vulnerability, computer science professor Jason Polakis wrote a thread on Twitter explaining research that he and a colleague did about the potential impact of a Facebook breach and the misuse of SSO tokens.
  • Delete Facebook: Brian Acton, one of the co-founders of WhatsApp, which Facebook acquired in 2014 for $22 billion, says he regrets selling the company because of the potential impact on user privacy, and earlier this year he advised his Twitter followers to delete the service. Acton also left almost $1 billion in Facebook stock options on the table by quitting the company early.
  • Warnings ignored: In an interview on Frontline after the Cambridge Analytica scandal broke, a former Facebook platform operations manager said that he warned the company for years about potential dangers involving the inappropriate use of personal data, but that his warnings went unheeded.
  • Even the cows: Programmer Ian Bogost explained in a post for The Atlantic that almost anyone could get access to the same kind of user data that Cambridge Analytica got—he did so using a goofy game he designed called Cow Clicker, a parody of a then-popular Facebook game called Farmville.
Sign up for CJR's daily email


Other notable stories:

  • A freelance journalist has been arrested and deported from Nicaragua after a Twitter doxxing campaign and an article on a left-wing British website called The Canary accused him of working with the country’s opposition and possibly with the CIA in an attempt to destabilize the country’s political regime.
  • In an in-depth investigation into the business empire of Donald Trump’s father Fred that took almost a year, The New York Times reveals that the president got what amounts to almost half a billion dollars from his father’s real estate empire, “much of it through tax dodges in the 1990s,” including what the Times said were instances of “outright fraud.”
  • Anne Helen Petersen writes for CJR about the challenge of covering the mid-term elections in Montana, especially when the conglomerate that owns three of the state’s largest newspapers has been through several rounds of layoffs and closed an alternative weekly in Missoula. Hers is the first in a series of midterm coverage reports by CJR.
  • The Philadelphia Inquirer and The Pittsburgh Post-Gazette have joined up with a watchdog news outlet called The Caucus to collaborate on coverage of the state capital. Called Spotlight PA, the project will include more than a dozen journalists “who will scour public documents and build sources across the political spectrum.”
  • The New York Times admitted that it shouldn’t have asked Times Magazine writer and occasional op-ed author Emily Bazelon to help write a story on Brett Kavanaugh, given that she had posted critical comments about him on Twitter.
  • Splinter News got hold of some leaked audio from a recent BuzzFeed all-hands meeting, in which staff criticized the way the company handled the shutdown of several podcasts, many of which involved people of color. “Can you speak to what it means in 2018 we let go of a Muslim-American podcast?” one reporter asked.
  • Hannah Storm, a British journalist and director of the International News Safety Institute, writes for Poynter about being sexually assaulted as a young journalist, and how it almost caused her to give up on journalism as a career.
Mathew Ingram is CJR’s chief digital writer. Previously, he was a senior writer with Fortune magazine. He has written about the intersection between media and technology since the earliest days of the commercial internet. His writing has been published in the Washington Post and the Financial Times as well as by Reuters and Bloomberg.