Face­book: Hack­ers hacked 29 mil­lion peo­ple

The Detroit News - - Business - Associated Press

Face­book says hack­ers ac­cessed a wide swath of in­for­ma­tion — rang­ing from emails and phone num­bers to more per­sonal de­tails like sites vis­ited and places checked into — from mil­lions of ac­counts as part of a se­cu­rity breach the com­pany dis­closed two weeks ago.

Twenty-nine mil­lion ac­counts had some form of in­for­ma­tion stolen. Orig­i­nally Face­book said 50 mil­lion ac­counts were af­fected, but that it didn’t know if they had been mis­used.

The news comes at a jit­tery time ahead of the midterm elec­tions when Face­book is fight­ing off mis­use of its site on a num­ber of fronts . The com­pany said Fri­day there’s no ev­i­dence this is re­lated to the midterms.

On Fri­day Face­book said hack­ers ac­cessed names, email ad­dresses or phone num­bers from these ac­counts. For 14 mil­lion of them, hack­ers got even more data, such as home­town, birth­date, the last 10 places they checked into or the 15 most re­cent searches.

An ad­di­tional 1 mil­lion ac­counts were af­fected, but hack­ers didn’t get any in­for­ma­tion from them.

Face­book isn’t giv­ing a break­down of where these users are, but says the breach was “fairly broad.” It plans to send mes­sages to peo­ple whose ac­counts were hacked.

Face­book said third-party apps that use a Face­book lo­gin and Face­book apps like What­sApp and In­sta­gram were un­af­fected by the breach.

Face­book said the FBI is in­ves­ti­gat­ing, but asked the com­pany not to dis­cuss who may be be­hind the at­tack. The com­pany said it hasn’t ruled out the pos­si­bil­ity of smaller-scale at­tacks that used the same vul­ner­a­bil­ity.

Face­book has said the at­tack­ers gained the abil­ity to “seize con­trol” of those user ac­counts by steal­ing dig­i­tal keys the com­pany uses to keep users logged in. They could do so by ex­ploit­ing three dis­tinct bugs in Face­book’s code.

The hack­ers be­gan with a set of ac­counts they con­trolled, then used an au­to­mated process to ac­cess the dig­i­tal keys for ac­counts that were “friends” with the ac­counts they had al­ready com­pro­mised.

That ex­panded to “friends of friends,” ex­tend­ing their ac­cess to about 400,000 ac­counts, and went on from there to reach 30 mil­lion ac­counts. There is no ev­i­dence that the hack­ers made any posts or took any other ac­tiv­ity us­ing the hacked ac­counts.

The com­pany said it has fixed the bugs and logged out af­fected users to re­set those dig­i­tal keys.

At the time, CEO Mark Zucker­berg — whose own ac­count was com­pro­mised — said at­tack­ers would have had the abil­ity to view pri­vate mes­sages or post on some­one’s ac­count, but there’s no sign that they did.

Face­book Vice Pres­i­dent Guy Rosen said in a call with re­porters on Fri­day the com­pany hasn’t ruled out the pos­si­bil­ity of smaller-scale ef­forts to ex­ploit the same vul­ner­a­bil­ity that the hack­ers used be­fore it was dis­abled.

The com­pany has a web­site its 2 bil­lion global users can use to check if their ac­counts have been ac­cessed, and if so, ex­actly what in­for­ma­tion was stolen. It will also pro­vide guid­ance on how to spot and deal with sus­pi­cious emails or texts. Face­book will also send mes­sages di­rectly to those peo­ple af­fected by the hack.

Pa­trick Moor­head, founder of Moor In­sights & Strat­egy, said the breach ap­peared sim­i­lar to iden­tity theft breaches that have oc­curred at com­pa­nies in­clud­ing Ya­hoo and Tar­get in 2013.

“Those per­sonal de­tails could be very eas­ily be used for iden­tity theft to sign up for credit cards, get a loan, get your bank­ing pass­word, etc.,” he said. “Face­book should pro­vide all those cus­tomers free credit mon­i­tor­ing to make sure the dam­age is min­i­mized.”

Thomas Rid, a pro­fes­sor at the Johns Hop­kins Uni­ver­sity, also said the ev­i­dence, par­tic­u­larly the size of the breach, seems to point to a crim­i­nal mo­tive rather than a so­phis­ti­cated state op­er­a­tion, which usu­ally tar­gets fewer peo­ple.

“This doesn’t sound very tar­geted at all,” he said. “Usu­ally when you’re look­ing at a so­phis­ti­cated gov­ern­ment op­er­a­tion, then a cou­ple of thou­sand peo­ple hacked is a lot, but they usu­ally know who they’re go­ing af­ter.”

Newspapers in English

Newspapers from USA

© PressReader. All rights reserved.