Facebook's security is so bad it's surprising Zuckerberg hasn't deleted his account

Facebook missed serious holes in their security system. Their incompetence warrants outrage

‘Sophisticated hackers executed the breach, but it was a lack of sophistication by Facebook that allowed it.’ Photograph: Dado Ruvic/Reuters

Less than a year after the Cambridge Analytica scandal launched a privacy reckoning, Facebook is back in the news over yet another data breach, this one a security breach affecting almost 50 million accounts, leaving many wondering, again, how safe their personal info really is.

The blunder – in which a security flaw in the code for the “View As” feature was exploited by hackers to steal access tokens, allowing them to log in to people’s accounts without a password – is wholly Facebook’s fault. As much as Facebook has emphasized the sophistication of the three-part hack, the vulnerabilities were created by Facebook, when developers updated a birthday video feature in July 2017, and were left wide open by Facebook, for more than a year. Sophisticated hackers executed the breach, but it was a lack of sophistication by Facebook that allowed it.

In many ways, it’s more disturbing than the Cambridge Analytica scandal, even though the number of users affected is smaller and the effects of the breach less cataclysmic (so far, it hasn’t been blamed for electing any despots). While the March scandal gave researchers – and the various campaigns they sold it to – complex psychographic profiles of users based on their posts, this breach gave hackers access to take over people’s Facebook accounts. And while in the earlier scandal, people had to grapple with the fact that they (or their friends) were at least at some fault, for being stupid enough to give the “This is Your Digital Life” app permission to harvest their data, the users compromised this time did nothing wrong.

This latest blunder also builds on our picture of Facebook as unreliable and undependable, but this time it’s because they can’t protect us, not because they won’t. The Cambridge Analytica story was shocking but unsurprising: it revealed that Facebook didn’t care about our data, except insofar as it could sell it off, packaging it up for the consumption and use of the highest bidder. While it was scandalous that data-hungry, advertiser-friendly Facebook had even allowed such a feature as the one that allowed people to click away their friends’ data, it was in line with their data-hungry, advertiser-friendly MO. The truth about the social network, only vaguely obscured, became clear –Facebook was happy for advertisers to leach our data, to look the other way, as long as it kept advertisers’ happy – but we kept on using it, taking more personal care. Being on Facebook, for those of us who remained, hasn’t felt the same since.

But in this case, it’s not just Facebook’s callousness and carelessness that’s been revealed: it’s their incompetence. Facebook missed serious holes in their security system. People didn’t (or no longer) expect Facebook to look out for them, but they thought Facebook was smarter than this. The company stood to profit from giving researchers access to our data, but stood to gain nothing from letting hackers access our accounts, other than a PR disaster. While Cambridge Analytica taught us that we can’t trust Facebook to take care with our data, this scandal shows that’s we can’t trust them to take care of our data.

Our data, especially in Facebook profile form, will always be an appealing target to hackers, marketers and cartoonishly evil research firms. This case – so far nameless and perpetrator-less – illustrates that we just can’t rely on Facebook to protect it. We can’t rely on Facebook’s care or their competence to shield us.

Zuckerberg likes to describe security battles as an “arms race”, and did so again during a press call on Friday, as Slate’s Will Oremus recounted. But it’s an arms race Facebook is losing. The social network is in over its head.

Mark Zuckerberg’s personal data was compromised in the Cambridge Analytica leak, and his page was apparently breached this time too. (What luck. Honestly, if he weren’t the CEO, he’d surely have deactivated his Facebook by now.) It’s pretty obvious at this point to anyone paying attention that the young Facebook founder can’t protect any of us – not even himself.