When Facebook announced last Friday that tens of millions of user accounts had been compromised in a data breach, many of us wondered: Is this the end of the social network giant as we know it?
It's not exactly the first major PR crisis involving user privacy -- not even the first in a while.
Over the past two years alone, Facebook has been repeatedly weaponized by foreign actors in coordinated misinformation campaigns. The personal data of 87 million of its users was improperly harvested by an app developer. And now, thanks to hackers taking advantage of three separate site bugs, at least 50 million Facebook users have had their accounts compromised.
The hack was complicated. It was technical, and involved several layers of vulnerabilities that are tricky to understand -- which is why we broke it all down here.
And as few additional details about the full impact of the breach have been revealed since the news first broke nearly a week ago, we wanted to measure the public understanding of what happened -- as well as the impact on Facebook use.
So, we ran a few surveys -- and here's what we found.
Do People Understand What Happened?
We wanted to measure three things:
- How many people believe their accounts were affected by Facebook's latest data breach.
- To what degree people understand exactly what happened.
- If people are taking action (for example, deleting their Facebook accounts) in response.
Over half of respondents don't believe their accounts were compromised by the breach, with 58% responding "No."
Facebook hasn't revealed any details about the composition of the accounts affected, including a geographical distribution, but here's a breakdown of the responses by region.
Then, we asked another 782 internet users across the same three countries: Last week, Facebook experienced a security breach affecting tens of millions of accounts. How well do you understand what happened?
Despite the complex nature of the breach, the smallest percentage of respondents indicated that they don't understand what happened at all -- while the second-highest, 26.2%, said they completely understand it.
Behind the Numbers
It may be true that over a quarter of respondents fully comprehend the nature of one of Facebook's largest data breaches to date. But the results might also reflect a general lack of clarity and detailed information around its full extent.
For example, how well do most Facebook users understand the potential impact of the breach on third-party apps that they might use, like Tinder and Spotify?
The impact of the stolen credentials for the aforementioned 50 million accounts directly compromised by the hack could extend beyond Facebook logins alone. "Those stolen credentials could have been used to gain access to so many other sites," reads a New York Times article published on October 2 titled "Facebook Hack Puts Thousands of Other Sites at Risk."
"Companies that allow customers to log in with Facebook Connect are scrambling," the story continues, "to figure out whether their own user accounts have been compromised."
Jason Polakis, an assistant professor of computer science at the University of Illinois at Chicago, was one of the first experts to bring up this potential added risk.
"More importantly, once attackers gain access to those 3rd parties, they can maintain access to user accounts in those websites using the cookies set by those sites. No matter what FB does, they can't do anything to prevent attackers from accessing those accounts. (9/n)"
-- jason polakis (@jpolakis), September 29, 2018
On the evening of October 2, Facebook released a statement indicating that its "investigation has so far found no evidence that the attackers accessed any apps using Facebook Login."
And while Polakis called those findings "good news," he also emphasized that the overarching issue is far from resolved.
"Attackers accessing private FB user data is a major concern and privacy risk in and of itself," he tweeted. "This attack is a clear warning of ... the need for better remediation options across all 3rd parties that rely on identity providers," like Facebook.
The (Non) Impact on Usership
To reiterate: This most recent Facebook security breach is a somewhat technically complex one -- parts of which even those of us who have been poring over the story since it broke are still trying to figure out.
And Facebook has released little information about who was impacted or how far back the potential account compromise goes. Independent investigations into the breach have been launched, including one from Ireland's Data Protection Commission (DPC).
That general lack of clarity could help explain the results we found next, when we asked 732 internet users across the U.S., UK, and Canada: Have you stopped using Facebook or deleted your account as a result of this security breach?
More than half of respondents (60%) said that the breach has not caused them to stop using Facebook or delete their accounts.
The results raise another question: Are people still using Facebook because they don't completely understand the full extent, impact, and nature of its security breach? Or is it because they simply don't care?
I asked two of HubSpot's VPs of marketing, Jon Dick and Meghan Keaney Anderson, to weigh in. The verdict: At this point, people no longer expect their data or privacy to be protected -- and they're not willing to exchange what they get out of using Facebook for that protection.
"People just assume that their data is constantly breached," Dick told me a few days after news of the breach first broke. That's why it's possible that "the Facebook news didn't even alarm people."
It's also hard for many social media users to feel the effects of an online security issue unless their lives are tangibly compromised -- especially when its cause is a social network that they might use day-to-day.
Facebook "is a primary connection point to family members, to news, to society at large," Keaney Anderson said. "And for now, there is no viable replacement to that."
We'll continue to cover the issue as more details come forward.