50M Facebook acc’ts hijacked
Origin of attack is mystery
Facebook reported a major security breach in which 50 million user accounts were accessed by unknown attackers.
The attackers gained the ability to "seize control" of those user accounts, Facebook said, by stealing digital keys the company uses to keep users logged in. Facebook has logged out the 50 million breached users — plus another 40 million who were vulnerable to the attack. Users don't need to change their Facebook passwords, it said.
Facebook said it doesn't know who was behind the attacks or where they're based. CEO Mark Zuckerberg said Friday that attackers would have had the ability to view private messages or post on someone's account, but there's no sign that they did.
"We do not yet know if any of the accounts were actually misused," Zuckerberg said.
The hack is the latest setback for Facebook during a tumultuous year of security problems and privacy issues . So far, though, none have significantly shaken the confidence of the company's 2 billion global users.
This latest hack involved a bug in Facebook's "View As" feature, the company said in a blog post. That feature lets people see how their profiles appear to others. The attackers used that vulnerability to steal those digital keys, known as "access tokens." Possession of those tokens would allow attackers to control those accounts.
"We haven't yet been able to determine if there was specific targeting" of particular accounts, Guy Rosen, Facebook's vice president of product management, said in a call with reporters. "It does seem broad. And we don't yet know who was behind these attacks and where they might be based."
Neither passwords nor credit card data was stolen, Rosen said.
He said the company has alerted the FBI and regulators in the United States and Europe.
News broke early this year that a data analytics firm once employed by the Trump campaign, Cambridge Analytica, had improperly gained access to personal data from millions of user profiles.
Then a congressional investigation found that agents from Russia and other countries have been posting fake political ads since at least 2016. Zuckerberg appeared at a congressional hearing focused on Facebook's privacy practices in April.