
Facebook says big breach exposed 50 million accounts to full takeover

Facebook Inc said Friday hackers stole digital login codes allowing them to take over nearly 50 million user accounts in its worst security breach ever given the unprecedented level of potential access, adding to what has been a difficult year for the company’s reputation.

Facebook, which has more than 2.2 billion monthly users, said it has yet to determine whether the attacker misused any accounts or stole private information. It also has not identified the attacker’s location or whether specific victims were targeted. Its initial review suggests the attack was broad in nature.

Chief Executive Mark Zuckerberg described the incident as “really serious” in a conference call with reporters. His account was affected along with that of Chief Operating Officer Sheryl Sandberg, a spokeswoman said.

Shares in Facebook fell 2.6 percent on Friday, weighing on major Wall Street stock indexes.

Facebook made headlines earlier this year after profile details from 87 million users were improperly accessed by political data firm Cambridge Analytica. The disclosure has prompted government inquiries into the company’s privacy practices across the world and fueled a “#deleteFacebook” social movement among consumers.

US lawmakers said on Friday that the hack may boost calls for data privacy legislation.

“This is another sobering indicator that Congress needs to step up and take action to protect the privacy and security of social media users,” Democratic US Senator Mark Warner said in a statement.

Federal Trade Commission Commissioner Rohit Chopra on Twitter said “I want answers” with a link to a Reuters story on the breach.

‘Complex’ flaw

Facebook’s latest vulnerability had existed since July 2017, but the company first identified it on Tuesday after spotting a “fairly large” increase in the use of its “view as” privacy feature on September 16, executives said.

“View as” allows users to verify their privacy settings by seeing what their own profile looks like to someone else. The flaw inadvertently gave the devices of “view as” users the wrong digital code, which, like a browser cookie, keeps users signed in to a service across multiple visits.

That code could allow the person using “view as” to post and browse from someone else’s Facebook account, potentially exposing private messages, photos and posts. The attacker also could have gained full access to victims’ accounts on any third-party app or website where they had logged in with Facebook credentials.

“The implications of this are huge,” Justin Fier, director of cyber intelligence at security company Darktrace, told Reuters.

Guy Rosen, the Facebook vice president overseeing security, said the flaw was “complex” in that it resulted from three failings.

A video upload feature should not have displayed on a user’s profile page when accessed through “view as,” Rosen told reporters on a conference call. That alone would not have been problematic except that the video feature wrongly triggered the placement of the powerful login code. And it placed the code not for the “view as” user, but for who they were pretending to be.

Facebook fixed the issue on Thursday. It also notified the US Federal Bureau of Investigation (FBI), Department of Homeland Security, Congressional aides, and the Data Protection Commission in Ireland, where the company has European headquarters.

The Irish authority expressed concern in a statement that Facebook has been “unable to clarify the nature of the breach and risk to users” and said it was pressing Facebook for answers.

Facebook reset the digital keys of the 50 million affected accounts and as a precaution temporarily disabled “view as” and reset those keys for another 40 million that have been looked up through “view as” over the last year.

About 90 million people will have to log back into Facebook or any of their apps that use a Facebook login, the company said.
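A simplified model of the token-binding failure Rosen describes and of the key reset that followed, added here as an illustration. It is not Facebook's code, and every name in it (`RenderContext`, `TokenStore`, the two uploader functions, the users `alice` and `bob`) is hypothetical.

```python
from dataclasses import dataclass
import secrets

@dataclass(frozen=True)
class RenderContext:
    actor: str     # authenticated user who owns the session
    subject: str   # user whose perspective is simulated by "view as"
    view_as: bool  # True while rendering the read-only preview

class TokenStore:
    """Hypothetical in-memory stand-in for a login-token service."""
    def __init__(self):
        self._owner = {}

    def mint(self, user):
        token = secrets.token_urlsafe(16)
        self._owner[token] = user
        return token

    def owner(self, token):
        return self._owner.get(token)

    def revoke_all(self, user):
        # Containment: invalidate every token bound to the account.
        stale = [t for t, u in self._owner.items() if u == user]
        for t in stale:
            del self._owner[t]
        return len(stale)

def uploader_token_flawed(store, ctx):
    # Failing: the token is bound to the simulated user, not the session owner.
    return store.mint(ctx.subject)

def uploader_token_fixed(store, ctx):
    # A preview is read-only, so no credential is issued while rendering it.
    if ctx.view_as:
        return None
    # Otherwise bind the token to the authenticated actor only.
    return store.mint(ctx.actor)

if __name__ == "__main__":
    store = TokenStore()
    preview = RenderContext(actor="alice", subject="bob", view_as=True)  # constructed users
    leaked = uploader_token_flawed(store, preview)
    print("flawed token belongs to:", store.owner(leaked))
    print("fixed path in preview:", uploader_token_fixed(store, preview))
    print("tokens revoked for bob:", store.revoke_all("bob"))
```

The fixed path applies two independent checks, so either one alone would have prevented the wrong binding: nothing is minted during a preview, and a token is only ever bound to the session's authenticated owner.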

Two Facebook users sued the company over the breach in federal court in California on Friday.

More than 6,000 users complained about the breach on Zuckerberg’s Facebook page.

“I’m so scared now. All my activities are on Facebook,” Mohammad ZR Zia, a 25-year-old college student in Kuala Lumpur, Malaysia, who has been using the social media platform since 2009, told Reuters. His account was logged out earlier on Friday.

The level of concern expressed on Facebook was enough that the company’s automated system temporarily blocked sharing of some articles about the breach.

“Our security systems have detected that a lot of people are posting the same content, which could mean that it’s spam,” a message told users. Facebook later apologized for the misfire.

Facebook has suffered narrower breaches before.

In 2013, Facebook disclosed a software flaw that exposed 6 million users’ phone numbers and email addresses to unauthorized viewers for a year, while a technical glitch in 2008 revealed confidential birth dates on 80 million Facebook users’ profiles.


