Facebook says millions of its users had information stolen in recent hack

Company was already facing scrutiny for its approach to privacy

The Washington Post - ECONOMY & BUSINESS - BY BRIAN FUNG

An online attack that forced Facebook to log out 90 million users last month directly affected 29 million people on the social network, the company said Friday, as it released new details about the scope of an incident that has regulators and law enforcement on high alert.

Through a series of interrelated bugs in Facebook’s programming, unnamed attackers stole the names and contact information of 15 million users, Facebook said. The contact information included a mix of phone numbers and email addresses.

An additional 14 million users were affected more deeply, having additional details taken related to their profiles, such as their recent search history, gender, educational background, geolocation data, birth dates, and lists of people and pages they follow.

Facebook said last month that it detected the attack when it noticed an uptick in user activity. An investigation soon found that the activity was linked to the theft of security codes that, under normal circumstances, allow Facebook users to navigate away from the site while remaining logged in.

The bugs that allowed the attack to occur gave hackers the ability to effectively take over Facebook accounts on a widespread basis, Facebook said when it disclosed the breach. The attackers began with a relatively small number of accounts that they directly controlled, exploiting flaws in the platform’s “View As” feature to gain access to other users’ profiles. (The “View As” feature is designed to allow users to view their own profiles as though they were somebody else.)

Facebook said it is cooperating with federal and other authorities on its investigation but said the FBI had advised the company not to discuss who may be behind the attack.

What may have motivated the attackers is unclear; despite mounting concerns about election security as U.S. officials count down to the highly contested midterm elections, Facebook said there was no indication that the hack was specifically related to the U.S. electoral process.

“We don’t have a specific indication as to the intention of the hackers,” said Guy Rosen, Facebook’s vice president of product management.

Although the hackers could have used the flaw to steal information belonging to other, third-party apps that use Facebook as a log-in method, Facebook said Friday that no outside apps appear to have been affected. Neither Instagram nor WhatsApp appears to have been compromised, the company added. Facebook Messenger was also unaffected.

The 29 million affected users, along with 1 million whose security tokens were taken but did not appear to have their data stolen, will be receiving customized messages from Facebook identifying specifically which types of information from their profiles, if any, were involved in the breach. Facebook executives told reporters Friday that the company will also try to reach affected users who have since deleted their Facebook profiles.

Facebook has also established a Web page that will inform users who are logged in whether their accounts were affected.

User messages could have been exposed in one specific use case, officials said. If an affected user had been the administrator of a Facebook page, and the page had received a message from another user, that message may have been compromised, Facebook said.

Facebook’s disclosure puts the company under even greater pressure as policymakers have taken it to task over its approach to user privacy and data.

“The update from Facebook today is significant now that Facebook has confirmed that the personal data of millions of users was taken by the perpetrators of the attack,” said Ireland’s Data Protection Commission — the watchdog agency charged with monitoring compliance with the European Union’s new data privacy law. It said it was continuing an investigation into the breach.

The Federal Trade Commission — which Facebook said it is cooperating with — didn’t immediately respond to a request for comment.

The spotlight on tech companies intensified further this week as Google said half a million accounts on its Google+ social networking service could have had information leaked as a result of a software bug. The admission prompted lawmakers to demand answers from the company and call for an FTC investigation.

The incidents could add momentum to a congressional push for a comprehensive U.S. privacy law covering tech companies, Internet providers and others in the online ecosystem. More at washingtonpost.com/news/technology
