Facebook recently pledged to improve its security following a lawsuit that resulted from a 2018 data breach. The breach, which was left open for more than 20 months, resulted in the theft of 30 million authentication tokens and almost as much personally identifiable information. A “View As” feature that enabled developers to render user pages also let attackers obtain the user’s access token.
The theft of access tokens represents a major API security risk moving forward, and it also highlights how API risks can remain undetected for so long. Of course, Facebook is not unique in this risk. As Microsoft CEO Satya Nadella quipped, “all companies are software companies.”