On October 4, 2021, there was a worldwide, six-hour IT outage at the U.S. company Facebook. What many users didn't have on their radar: the outage showed how dependent many users and businesses are on Facebook's identity management. Here's some information about it.
The Facebook outage of October 2021
On 10/4/2021, around 17:30, Facebook experienced a six-hour service outage that also included the Instagram and WhatsApp services. The outage was massive: all Facebook services were completely gone from the Internet, and browsers returned only a blank page with an error message.
I had reported on it in the article "Facebook, Instagram and WhatsApp worldwide down". The cause, however, was probably that the routing information for the Facebook domains had simply disappeared from the Border Gateway Protocol (BGP). Facebook explained that configuration changes to the backbone routers that coordinate network traffic between Facebook data centers caused the problems. These changes disrupted communications between the data centers and subsequently removed the entries from BGP. I reported on this in the blog post "Facebook explains the causes of the big outage".
Identity management dependencies
Security provider Semperis already pointed this out to me at the beginning of October 2021. According to Semperis, the outage at Facebook (and several related services) brings an important aspect into focus: the importance of digital identities and the possible consequences if they cannot be used for a while.
While this may still leave some people cold in the context of social media, it is a much more serious issue when the digital identities that fail are essential for using applications in the professional environment (Windows, Microsoft 365, Azure, …). Guido Grillenmeier, Chief Technologist at Semperis, explains the often underestimated importance of protecting and managing digital identities:
The fact that Facebook was unavailable, and with it the Facebook Messenger app as well as WhatsApp and Instagram, was felt worldwide – by users of all ages.
However, because Facebook also acts as an identity provider for other apps, the outage had far-reaching consequences beyond its own services: every other app, typically a web app, that uses the "Sign in with Facebook" option was affected, and so were the companies that rely on these digital identities.
Not all businesses were directly affected by this outage. But many companies already use WhatsApp and Instagram to interact with their customers, for example, to provide technical support. Other companies rely heavily on their users authenticating with their Facebook accounts, which means they use Facebook as an identity provider. As soon as facebook.com was no longer accessible, no new connections could be established.
It is currently unclear to me how all the authenticator apps for two-factor authentication are affected by such an outage. But I assume that if the authenticator service fails, the app will also fail and no longer work. That's a horror scenario for any digital identity provider. Just imagine if Azure AD was no longer available on the web – in that case, only Microsoft could fix the problem, not the users or administrators. On a smaller scale, any on-premises Active Directory is just as dependent on a properly configured DNS.
Whether it's a DNS misconfiguration or a direct cyberattack: When an identity system goes down, it has a significant impact on individual organizations. Ideally, therefore, companies should have their backups validated and their incident response plan ready.