Facebook says millions had contact info stolen in hack

Houston Chronicle - BUSINESS - By Brian Fung

An online attack that forced Facebook to log out 90 million users last month directly affected 29 million people on the social network, the company said Friday as it released new details about the scope of an incident that has regulators and law enforcement on high alert.

Through a series of interrelated bugs in Facebook’s programming, unnamed attackers stole the names and contact information of 15 million users, Facebook said.

The contact information included a mix of phone numbers and email addresses.

An additional 14 million users were affected more deeply, by having additional details taken related to their profiles such as their recent search history, gender, educational background, geolocation data, birth dates, and lists of people and pages they follow.

Facebook said last month that it detected the attack when it noticed an uptick in user activity. An investigation soon found that the activity was linked to the theft of security codes that, under normal circumstances, allow Facebook users to navigate away from the site while remaining logged in.

The bugs that allowed the attack to occur gave hackers the ability to effectively take over Facebook accounts on a widespread basis, Facebook said when it disclosed the breach.

The attackers began with a relatively small number of accounts that they directly controlled, exploiting flaws in the platform’s “View As” feature to gain access to other users’ profiles. (The “View As” feature is designed to allow users to view their own profiles as though they are somebody else.)

Facebook said it is cooperating with federal and other authorities on its investigation, but said the FBI had advised the company not to discuss who may be behind the attack.

The 29 million affected users, along with 1 million whose security tokens were taken but did not appear to have their data stolen, will be receiving customized messages from Facebook identifying specifically which types of information on their profiles, if any, were involved in the breach.

Facebook executives told reporters Friday that the company will also try to reach affected users who have since deleted their Facebook profiles.

Facebook has also established a web page that will inform users who are logged in whether their accounts were affected.

What may have motivated the attackers is still unclear. Despite mounting concerns about election security as U.S. officials count down to a highly contested midterm election, Facebook said there was no indication that the hack was specifically related to the U.S. electoral process.

“We don’t have a specific indication as to the intention of the hackers,” said Guy Rosen, Facebook’s vice president of product management.

Facebook’s disclosure puts the company under even greater pressure as policymakers have taken the company to task over its approach to user privacy and data.

“The update from Facebook today is significant now that Facebook has confirmed that the personal data of millions of users was taken by the perpetrators of the attack,” said Ireland’s Data Protection Commission — the watchdog agency charged with monitoring compliance with the European Union’s new data privacy law. It said it was continuing an investigation into the breach.
