Boston Herald

ATTACK SEIZES 50M FACEBOOK USER ACCOUNTS

Hackers, motive sought after ‘very bad breach’

- By JORDAN GRAHAM — jordan.graham@bostonherald.com. Herald wire services contributed to this report.

An unknown attacker stole information that would allow them to take control of 50 million Facebook accounts, the social media company said yesterday.

“Given how much information people share in Facebook, that’s disturbing,” said Susan Landau, a cybersecurity professor at Tufts University. “This is a very bad breach.”

Facebook reported a major security breach in which 50 million user accounts were accessed by unknown attackers.

The stolen data allowed the attackers to “seize control” of those user accounts, Facebook said. Facebook has logged out the 50 million breached users — plus another 40 million who were vulnerable to the attack. Users don’t need to change their Facebook passwords, it said.

Facebook says it doesn’t know who is behind the attacks or where they’re based.

In a call with reporters yesterday, CEO Mark Zuckerberg said the company doesn’t know yet if any of the accounts that were hacked were misused.

The hack is the latest setback for Facebook during a tumultuous year of security problems and privacy issues. So far, though, none has significantly shaken the confidence of the company’s 2 billion global users.

This latest hack involved a bug in Facebook’s “View As” feature, the company said in a blog post. That feature lets people see how their profiles appear to others. The attackers used that vulnerability to steal “access tokens,” which are digital keys that Facebook uses to keep people logged in. Possession of those tokens would allow attackers to control those accounts.

“We haven’t yet been able to determine if there was specific targeting” of particular accounts, Guy Rosen, Facebook’s vice president of product management, said in a call with reporters. “It does seem broad. And we don’t yet know who was behind these attacks and where they might be based.”

Facebook says it has alerted law enforcement. Massachusetts Attorney General Maura Healey’s office said it has been in contact with Facebook but has not yet received a formal notice of the breach. Earlier this week, Healey’s office announced a $150 million settlement with Uber after the company hid a breach in 2016.

Ross Rustici, senior director of intelligence services for Boston-based Cybereason, said the motives behind the attack are unclear but said taking control of accounts could be used by attackers hoping to influence elections through social media.

“Hijacking legitimate accounts and using those for nefarious purposes is the obvious next step for people trying to influence people and spread messages,” Rustici said. Still, he said a sophisticated influence campaign likely would not have targeted so many accounts in an effort to evade detection.
