Facebook hit by unprecedented cyber attack on 50million users
James Titcomb and
Margi Murphy in San Francisco FIFTY million Facebook users have been exposed to identity fraud after the biggest cyber attack on the social media company in its history.
The company revealed last night that hackers were able to access accounts on an unprecedented scale due to a security hole that remained open for more than a year.
Facebook said it had alerted the FBI over the breach and security experts suggested a rogue state may have been responsible.
The attack has put at risk personal data including home addresses, email accounts and bank details.
Among the individuals affected were Facebook’s chief executive Mark Zuckerberg and its chief operating officer, Sheryl Sandberg.
The cyber defence arm of GCHQ said it was investigating the hack, which allowed attackers full access to private Facebook profiles. It advised British users to be on the lookout for fraud.
Last night, Facebook was facing questions about why it had taken almost two weeks to shut the security hole after noticing “unusual traffic” on its systems in mid-september. It was not fixed until two days after the hack was discovered.
Concern was also raised over the fact users were not told about the attack until three days after it was spotted.
Facebook said a change to its systems in July of last year had allowed hackers to steal “tokens” – digital keys that let users access Facebook without entering their password – from 50 million accounts.
Stealing the tokens let the hackers gain full access to accounts, letting
them see photos, messages and other private information.
Facebook’s Guy Rosen said it was unclear who was behind the attack, but that it was “broad”, suggesting it could be the work of an organised group.
David Atkinson, the chief executive of Senseon, a cyber security company, said the details “indicate that this hacker is toward the sophisticated end of the spectrum” and that it had the hallmarks of a nation state attack.
A GCHQ spokesman said: “Users should be particularly vigilant to possible phishing attacks, because if data has been accessed it could be used to make scam messages more credible.”
Under European data laws, Facebook could face a fine of billions if it is found to have been irresponsible with users’ personal information.
The Data Protection Commissioner last night criticised Facebook for being vague about the breach. Mr Zuckerberg said it stemmed from a glitch in a video feature added in July last year.