50M Facebook accounts breached, how did it happen?

Social media giant yet to determine whether the attacker misused any accounts or stole private information

Credit: Dreamstime

Facebook said that hackers stole digital login codes allowing them to take over nearly 50 million user accounts, its worst security breach ever given the unprecedented level of potential access, adding to what has been a difficult year for the company's reputation.

Facebook, which has more than 2.2 billion monthly users, said it has yet to determine whether the attacker misused any accounts or stole private information.

It also has not identified the attacker’s location or whether specific victims were targeted. Its initial review suggests the attack was broad in nature.

Facebook CEO Mark Zuckerberg described the incident as “really serious” in a conference call with reporters. His account was affected along with that of COO Sheryl Sandberg, a spokeswoman said.

Shares in Facebook fell 2.6 per cent on Friday, weighing on major Wall Street stock indexes.

Facebook made headlines earlier this year after profile details from 87 million users were improperly accessed by political data firm Cambridge Analytica. The disclosure has prompted government inquiries into the company's privacy practices across the world, and fuelled a "#deleteFacebook" social movement among consumers.

U.S. lawmakers said on Friday that the hack may boost calls for data privacy legislation.

“This is another sobering indicator that Congress needs to step up and take action to protect the privacy and security of social media users,” Democratic U.S. Senator Mark Warner said in a statement.

Federal Trade Commission Commissioner Rohit Chopra on Twitter said "I want answers" with a link to a Reuters story on the breach.

‘Complex’ flaw

Facebook's latest vulnerability had existed since July 2017, but the company first identified it on Tuesday after spotting a "fairly large" increase in use of its "view as" privacy feature on 16 September, executives said.

"View as" allows users to verify their privacy settings by seeing what their own profile looks like to someone else.

The flaw inadvertently gave the devices of "view as" users the wrong digital code, which, like a browser cookie, keeps users signed in to a service across multiple visits.

That code could allow the person using "view as" to post and browse from someone else's Facebook account, potentially exposing private messages, photos and posts.

The attacker also could have gained full access to victims' accounts on any third-party app or website where they had logged in with Facebook credentials.

“The implications of this are huge,” Justin Fier, director of cyber intelligence at security company Darktrace, told Reuters.

Guy Rosen, the Facebook vice president overseeing security, said the flaw was "complex" in that it resulted from three failings.

A video upload feature should not have displayed on a user’s profile page when accessed through “view as,” Rosen told reporters on a conference call.

That alone would not have been problematic except that the video feature wrongly triggered the placement of the powerful login code. And it placed the code not for the "view as" user, but for who they were pretending to be.
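The three failings described above, modelled as an added example (a constructed Python sketch, not Facebook's code; `RenderContext`, the widget names and the in-memory token store are all hypothetical). The flawed renderer shows the uploader inside a preview and lets it mint a login token for the previewed user, while the hardened one keeps previews read-only and binds any token to the authenticated requester.

```python
import secrets
from dataclasses import dataclass
from typing import Optional

# Hypothetical in-memory token store: token -> account it unlocks.
TOKENS = {}


@dataclass(frozen=True)
class RenderContext:
    actor: str                     # authenticated user making the request
    view_as: Optional[str] = None  # user whose viewpoint is simulated, if any

    @property
    def effective_user(self) -> str:
        # Identity used for *display* decisions during a preview.
        return self.view_as or self.actor


def _mint(owner: str) -> str:
    token = secrets.token_hex(16)
    TOKENS[token] = owner
    return token


def token_owner(token: str) -> str:
    return TOKENS[token]


def render_profile_flawed(ctx: RenderContext):
    # Failing 1: the interactive uploader is rendered even in preview mode.
    widgets = ["timeline", "video_uploader"]
    # Failing 2: the uploader triggers issuance of a login token.
    # Failing 3: the token is bound to the display identity, not the requester.
    token = _mint(ctx.effective_user)
    return widgets, token


def render_profile_hardened(ctx: RenderContext):
    if ctx.view_as is not None:
        # Preview mode is read-only: no interactive widgets, no credentials.
        return ["timeline"], None
    # Outside preview, a token is only ever bound to the authenticated actor.
    return ["timeline", "video_uploader"], _mint(ctx.actor)
```
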

Facebook fixed the issue on Thursday. It also notified the U.S. Federal Bureau of Investigation, Department of Homeland Security, Congressional aides and the Data Protection Commission in Ireland, where the company has European headquarters.

The Irish authority expressed concern in a statement that Facebook has been "unable to clarify the nature of the breach and risk to users" and said it was pressing Facebook for answers.

Facebook reset the digital keys of the 50 million affected accounts, and as a precaution temporarily disabled "view as" and reset those keys for another 40 million that have been looked up through "view as" over the last year.

About 90 million people will have to log back into Facebook or any of their apps that use a Facebook login, the company said.

Two Facebook users sued the company over the breach in federal court in California on Friday. More than 6,000 users complained about the breach on Zuckerberg’s Facebook page.

“I’m so scared now. All my activities are on Facebook,” Mohammad ZR Zia, a 25-year-old college student in Kuala Lumpur, Malaysia, who has been using the social media platform since 2009, told Reuters. His account was logged out earlier on Friday.

The level of concern expressed on Facebook was enough that the company's automated system temporarily blocked sharing of some articles about the breach.

“Our security systems have detected that a lot of people are posting the same content, which could mean that it's spam,” a message told users. Facebook later apologised for the misfire.

Facebook has suffered narrower breaches before.

In 2013, Facebook disclosed a software flaw that exposed six million users' phone numbers and email addresses to unauthorised viewers for a year, while a technical glitch in 2008 revealed confidential birth-dates on 80 million Facebook users' profiles.

(Reporting by Munsif Vengattil and Arjun Panchadar in Bengaluru and Paresh Dave in San Francisco; Additional reporting by Christopher Bing, Jim Finkle and David Shepardson in Washington, D.C., Joseph Menn in San Francisco and Angela Moon in New York; Editing by Clive McKeef)

