FACEBOOK reported a major security breach in which 50 million user accounts were accessed by unknown attackers.
The attackers gained the ability to “seize control” of those user accounts, Facebook said, by stealing digital keys the company uses to keep users logged in.
Facebook has logged out the 50 million breached users — plus another 40 million who were vulnerable to the attack. Users don’t need to change their Facebook passwords, it said.
Facebook said it doesn’t know who was behind the attacks or where they’re based. In a call with reporters on Friday, CEO Mark Zuckerberg said that attackers would have had the ability to view private messages or post on someone’s account, but there’s no sign that they did.
“We do not yet know if any of the accounts were actually misused,” Zuckerberg said before he conceded it was a “serious issue”.
The hack is the latest setback for Facebook during a tumultuous year of security problems and privacy issues . So far, though, none have significantly shaken the confidence of the company’s two billion global users.
This latest hack involved a bug in Facebook’s “View As” feature, the company said in a blog post. That feature lets people see how their profiles appear to others. The attackers used that vulnerability to steal those digital keys, known as “access tokens.” Possession of those tokens would allow attackers to control those accounts.
“We haven’t yet been able to determine if there was specific targeting” of particular accounts, Guy Rosen, Facebook’s vice president of product management, said in a call with reporters. “It does seem broad. And we don’t yet know who was behind these attacks and where they might be based.” Neither passwords nor credit card data was stolen, Rosen said. He said the company has alerted the FBI and regulators in the United States and Europe. Jake Williams, a security expert at Rendition Infosec, said he is concerned about whether third party applications were affected.
Williams noted that the company’s “Facebook Login” feature lets users log into other apps and websites with their Facebook credentials. “These access tokens that were stolen show when a user is logged into Facebook and that may be enough to access a user’s account on a third party site,” he said.
Facebook didn’t immediately respond to follow-up questions about whether third party apps were affected.
As a precaution, Facebook is temporarily taking down the “view as” feature — described as a privacy tool to let users see how their own profiles would look to other people.
“We face constant attacks from people who want to take over accounts or steal information around the world,” Zuckerberg said on his Facebook page.
“While I’m glad we found this, fixed the vulnerability, and secured the accounts that may be at risk, the reality is we need to continue developing new tools to prevent this from happening in the first place.”
Facebook said it took an additional “precautionary step” of resetting access tokens for another 40 million accounts where the vulnerable feature was used. This will require those users to log back in to Facebook.
News broke early this year that a data analytics firm once employed by the Trump campaign, Cambridge Analytica, had improperly gained access to personal data from millions of user profiles. Then a congressional investigation found that agents from Russia and other countries have been posting fake political ads since at least 2016. Zuckerberg appeared at a congressional hearing focused on Facebook’s privacy practices in April.
The Facebook bug is reminiscent of a much larger attack on Yahoo in which attackers compromised 3 billion accounts – enough for half of the world’s entire population. In the case of Yahoo, information stolen included names, email addresses, phone numbers, birthdates and security questions and answers. It was among a series of Yahoo hacks over several years.
U.S. prosecutors later blamed Russian agents for using the information they stole from Yahoo to spy on Russian journalists, U.S. and Russian government officials and employees of financial services and other private businesses. In Facebook’s case, it may be too early to know how sophisticated the attackers were and if they were connected to a nation state, said Thomas Rid, a professor at the Johns Hopkins University. Rid said it could also be spammers or criminals.
“Nothing we’ve seen here is so sophisticated that it requires a state actor,” Rid said. “Fifty million random Facebook accounts are not interesting for any intelligence agency.”
Ed Mierzwinski, the senior director of consumer advocacy group U.S. PIRG, said the breach was “very troubling.” “It’s yet another warning that Congress must not enact any national data security or data breach legislation that weakens current state privacy laws, pre-empts the rights of states to pass new laws that protect their consumers better, or denies their attorneys general rights to investigate violations of or enforce those laws,” he said in a statement.
Wedbush analyst Michael Pachter said “the most important point is that we found out from them,” meaning Facebook, as opposed to a third party. “As a user, I want Facebook to proactively protect my data and let me know when it’s compromised,” he said.
Wall Street ended flat on Friday as gains by Intel, real estate companies and utilities offset a drop in Facebook after the social media network disclosed the fresh security breach.
The S&P 500 lost 0.5 per cent for the week, but for the third quarter it was up 7.2 per cent, its best quarterly performance since the fourth quarter of 2013. Facebook slumped 2.6 per cent for the session after it said it discovered a security issue affecting about 50 million accounts. Its loss weighed more than any other stock on the S&P 500.
Intel jumped three per cent and was the biggest boost on the three major indexes after the chipmaker said it was optimistic it would meet its full-year revenue target.
Evil coffee geek. Unapologetic entrepreneur. Hipster-friendly internet evangelist. Communicator.