Pittsburgh Post-Gazette

Facebook says unknown attackers breached security for 50M accounts

The Associated Press $164.46 on Friday.

The hack is the latest setback for Facebook during a year of security problems and privacy issues. So far, though, none of that has significantly shaken the confidence of the company’s 2 billion global users.

The latest attack involved bugs in Facebook’s “View As” feature, which lets people see how their profiles appear to others. The attackers used that vulnerability to steal the digital keys, known as “access tokens,” from the accounts of people whose profiles were plugged into the “View As” feature — and then moved along from one user’s Facebook friend to another. Possession of those tokens would allow attackers to control those accounts.

One of the bugs was more than a year old and affected how the “View As” feature interacted with Facebook’s video uploading feature for posting “happy birthday” messages, said Guy Rosen, Facebook’s vice president of product management. But it wasn’t until mid-September that Facebook noticed an uptick in unusual activity, and not until this week that it learned of the attack, Mr. Rosen said.

“We haven’t yet been able to determine if there was specific targeting” of particular accounts, Mr. Rosen said in a call with reporters. “It does seem broad. And we don’t yet know who was behind these attacks and where they might be based.”

Neither passwords nor credit card data was stolen, Mr. Rosen said. He said the company has alerted the FBI and regulators in the United States and Europe.

Jake Williams, a security expert at Rendition Infosec, said he is concerned that the hack could have affected third party applications.

Mr. Williams noted that the company’s “Facebook Login” feature lets users log into other apps and websites with their Facebook credentials. “These access tokens that were stolen show when a user is logged into Facebook and that may be enough to access a user’s account on a third party site,” he said.

Facebook confirmed that third party apps, including its own Instagram app, could have been affected.

“The vulnerability was on Facebook, but these access tokens enabled someone to use the account as if they were the account-holder themselves,” Mr. Rosen said.

News broke early this year that a data analytics firm once employed by the Trump campaign, Cambridge Analytica, had improperly gained access to personal data from millions of user profiles. Then a congressional investigation found that agents from Russia and other countries have been posting fake political ads since at least 2016. In April, Mr. Zuckerberg appeared at a congressional hearing focused on Facebook’s privacy practices.

The Facebook bug is reminiscent of an attack on Yahoo in which attackers compromised 3 billion accounts — enough for half of the world’s entire population. In the case of Yahoo, information stolen included names, email addresses, phone numbers, birthdates and security questions and answers.
