Facebook breach worse than first believed

Attack exposed gender, search history, phone numbers, location data

Toronto Star - WORLD - MIKE ISAAC

SAN FRANCISCO — Facebook said late Friday that an attack on its computer systems that was announced two weeks ago had affected 30 million users, about 20 million fewer than it estimated earlier.

But the personal information that was exposed was far more intimate than originally thought, adding to Facebook’s challenges as it investigates what was probably the most substantial breach of its network in the company’s history.

Detailed information was stolen from the Facebook profiles of about 14 million of the 30 million users. The data was as specific as the last 15 people or things they had searched for on Facebook and the last 10 physical locations they had “checked into.”

Other personal details were also exposed, like gender, religious affiliation, telephone number, email addresses and the types of computing devices used to reach Facebook.

Users’ names and contact information like telephone numbers were stolen from an additional 15 million profiles, Facebook said. The security tokens of about 1 million other people were stolen, but hackers did not get their profile information, the company said.

The hackers did not gain access to account passwords or credit card information, Facebook said.

“We have been working around the clock to investigate the security issue we discovered and fixed two weeks ago so we can help people understand what information the attackers may have accessed,” Guy Rosen, vice president of product management, wrote in a blog post Friday.

While Facebook has cautioned that the attack was not as large as it had originally anticipated — it forced 90 million users to log out so the security of their profiles would reset — the details of what was stolen worried security experts. The data can be used for all sorts of schemes by sophisticated hackers.

“Hackers have some sort of a goal,” said Oren J. Falkowitz, chief executive of the cybersecurity company Area 1 Security and a former National Security Agency official. “It’s not that their motivation is to attack Facebook, but to use Facebook as a lily pad to conduct other attacks.

“Once you’ve become a target, it never ends,” he added.

The breach was disclosed at the worst possible time for Facebook, which is grappling with a series of crises that have shaken user trust in the world’s largest social network.

Over the last year, Facebook has faced repeated criticism that it hasn’t been doing enough to protect the personal information of its more than 2 billion regular users.

Facebook first found hints of suspicious activity across its network in early September when security engineers noticed activity around the “View As” feature, a way for users to check on what information other people can see about them. It was built to give users more control over their privacy.

More than a week later, Facebook determined that the activity was an attack on its systems, focused on three interconnected vulnerabilities in the company’s software.

Those flaws were compounded by a bug in Facebook’s video-uploading program for birthday celebrations, a software feature that was introduced in 2017. The flaw allowed the attackers to steal so-called access tokens — digital keys that allow access to an account.
