Facebook Finds Security Flaw Affecting Almost 50 Million Accounts
Security flaw allowed outsiders to take over users’ accounts.
Facebook Inc. said hackers gained access to nearly 50 million accounts, in what amounts to the largest-ever security breach at the social network at a time when it is trying to regain the trust of its more than 2 billion monthly users.
The breach dates to a flaw introduced on the company’s website last summer, the company said Friday. Chief Executive Mark Zuckerberg said Facebook didn’t have evidence the attackers had accessed people’s private messages and posts, or posted as those users.
“The investigation is still very early so we do not yet know if any of the accounts were actually misused,” Mr. Zuckerberg said on a call with reporters. “This, of course, may change.”
Hackers gained access to the accounts by exploiting a vulnerability in the code for Facebook’s “view as” feature, which lets people see how their profiles appear to others. Three bugs in Facebook’s code connected to this feature let outsiders steal access tokens—digital keys that keep people logged into Facebook.
A spokesman said Facebook has never had a security breach as large. The company said it doesn’t know who was behind the attack, which was discovered earlier this week. The company said it alerted law enforcement.
Facebook reset the access tokens for the nearly 50 million affected accounts, as well as another 40 million subject to a “view as” lookup in the past year. Those 90 million users will have to log back into Facebook and will see a note regarding the security flaw, the company said.
Facebook said it is turning off the “view as” feature as it conducts a security review.
The breach disclosed Friday comes months after Facebook said the data of about 87 million people may have been improperly shared with Cambridge Analytica, the now-defunct analytics firm that had ties to President Trump’s 2016 campaign. While technically not a breach, the Cambridge episode raised questions about Facebook’s oversight of the data of its users.
Around the same time, Facebook said most people using the social network could have had information scraped by marketers who used a feature that distributed profile data connected to email addresses and phone numbers.
After Massive Facebook Hack, Taiwanese Hacker Cancels Plan To Delete Zuckerberg Profile
Facebook user data for over 50 million users has been compromised, according to Facebook.
Facebook reported a massive hack on Friday Sept. 28, only a day after a Taiwanese hacker claimed he was preparing to live stream the hacking and deletion of Facebook founder Mark Zuckerberg’s personal account on the platform.
After Facebook announced the hack, which has reportedly compromised the data of some 50 million users, the somewhat prominent Taiwanese hacker, Chang Chi-yuan, has since reportedly canceled his plans to target Mark Zuckerberg.
According to Business Insider, Facebook representatives have stated that they do not believe the breach of user data is related to Chang.
Originally, Chang stated he would live stream the hack of Zuckerberg’s Facebook page on his own account in a Facebook event scheduled for 6:00 p.m. Sunday evening.
The Verge posted a quote from Chang on the planned live stream of the hack in the early morning Sept. 29 (Taiwan time). “I am canceling my live feed, I have reported the bug to Facebook and I will show proof when I get bounty from Facebook.”
The bug that Chang claims to have reported may be linked to the cyber attack and breach of user data. Business Insider says the attack appears to be one of the most significant in Facebook’s history.
After news of the attack, the company’s shares dropped 3 percent by midday Friday. The compromise was reportedly discovered on Tuesday, and Facebook is looking into whether, and how, the attackers abused the compromised accounts’ data.
Business Insider reports that the security flaw which the hackers were able to exploit was related to the “View As” feature on the platform, which allows users to view their own accounts as another person would see them.
“This allowed them to steal Facebook access tokens which they could then use to take over people’s accounts,” said Facebook’s VP of Product Management Guy Rosen. The access tokens are what allow people to remain logged in on computers without reentering login and password info for each visit to the site.
Chang may have discovered information on the security flaw through online hacking forums after the cyber attack on Facebook had already occurred, and sought to draw public attention by demonstrating the flaw to Facebook.
The company’s announcement of the cyber attack on Friday made that unnecessary.
How to Check If Your Facebook Account Was Breached
Even if you were not affected, there are steps you can take to possibly prevent future hacks.
It’s time to check up on your Facebook settings again but this time, it’s more about security than privacy: The company announced Friday the discovery of a security vulnerability that may have affected nearly 50 million accounts.
Attackers were able to steal the digital keys—also known as access tokens—that keep people logged in because of an issue with Facebook’s “view as” feature. This tool, now disabled, let people see what their profile page looks like to others.
Facebook Inc. said it has yet to determine whether anyone’s information was misused or accessed, but the company reset the access tokens for the 50 million people affected—plus an additional 40 million people who were “subject to a ‘view as’ lookup in the past year.”
If you’re one of those people, you can expect to be logged out of your account and any apps you log into with Facebook. Next time you go back, you’ll get a password prompt.
When you log back in, you might see a notification at the top of your news feed explaining what happened.
The company also suggested “precautionary steps” users can take, namely logging out everywhere they’re currently logged in. You should log off from any computers or devices you don’t actively use, because there is an access token associated with each one. Here’s how:
In the app, click on the three horizontal lines at the bottom right corner, then click Settings & Privacy, then Settings, then Security and Login. (If you’re on the website, click on the downward arrow in the top right-hand corner and select Settings then Security and Login.)
Next you’ll see a section that says “Where you’re logged in” and you can click “See more” to view the list of all the places you’re logged in. There’s a one-tap option at the bottom of that list that can log you out of all sessions at once.
There’s also the option to go through each login individually. Tap the three vertical dots then select “Log out” or—if you suspect something fishy—“Not you?”
If you select “Not you?” Facebook will take you through an account review and tell you if there has been any unusual activity.
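The reset described in the first article (tokens invalidated for 90 million accounts, forcing a fresh login) and the “log out everywhere” steps above rest on the same mechanic: every login on every device holds its own access token, and revoking a user’s tokens logs that user out of all of them. The following is an added illustration, not Facebook’s code (which none of these articles show): a hypothetical token service in which tokens are signed with a server key and carry a per-user “generation” number, so that a bulk reset for an affected set of accounts invalidates all of their outstanding tokens without having to enumerate them. User names, device labels and the key are constructed.

```python
import hmac, hashlib, secrets
from typing import Dict, Iterable, Optional

# Constructed for this example; a real service would load its key from a KMS or HSM.
SERVER_KEY = secrets.token_bytes(32)


class TokenService:
    """Hypothetical token service: one opaque token per login (device), revocable per user in O(1)."""

    def __init__(self) -> None:
        # Per-user "token generation"; every reset bumps it, so nothing per token needs storing.
        self.generation: Dict[str, int] = {}

    def _sign(self, payload: str) -> str:
        return hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()

    def issue(self, user_id: str, device: str) -> str:
        gen = self.generation.setdefault(user_id, 0)
        payload = f"{user_id}|{device}|{gen}|{secrets.token_hex(8)}"
        return payload + "." + self._sign(payload)  # token records the generation it was minted under

    def validate(self, token: str) -> Optional[str]:
        """Return the user_id for a live token; None if forged, tampered or revoked."""
        payload, _, sig = token.rpartition(".")
        if not hmac.compare_digest(sig, self._sign(payload)):
            return None
        user_id, _device, gen, _nonce = payload.split("|")
        if self.generation.get(user_id) != int(gen):
            return None  # minted before the last reset: every device of this user is logged out
        return user_id

    def reset_tokens(self, user_ids: Iterable[str]) -> None:
        """Incident response: invalidate all outstanding tokens of the affected users at once."""
        for uid in user_ids:
            if uid in self.generation:
                self.generation[uid] += 1


def demo() -> Dict[str, Optional[str]]:
    svc = TokenService()
    alice_phone, alice_laptop = svc.issue("alice", "phone"), svc.issue("alice", "laptop")
    bob_phone = svc.issue("bob", "phone")
    svc.reset_tokens(["alice"])  # alice is in the affected set, bob is not
    alice_new = svc.issue("alice", "phone")  # alice logs back in after the forced logout
    tampered = bob_phone[:-1] + ("0" if bob_phone[-1] != "0" else "1")  # one flipped hex digit
    return {"alice_phone": svc.validate(alice_phone), "alice_laptop": svc.validate(alice_laptop),
            "bob_phone": svc.validate(bob_phone), "alice_new": svc.validate(alice_new),
            "tampered": svc.validate(tampered)}
```

Running `demo()` shows both of alice’s pre-reset tokens rejected while bob’s token and alice’s freshly issued one remain valid, which is the server-side view of the forced re-login the articles describe.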
Facebook Faces Potential $1.63 Billion Fine in Europe Over Data Breach
Privacy watchdog looks into whether social network violated the European Union’s new privacy law.
A European Union privacy watchdog could fine Facebook Inc. as much as $1.63 billion for a data breach announced Friday in which hackers compromised the accounts of more than 50 million users, if regulators find the company violated the bloc’s strict new privacy law.
Ireland’s Data Protection Commission, which is Facebook’s lead privacy regulator in Europe, said Saturday that it has demanded more information from the company about the nature and scale of the breach, including which EU residents might be affected.
In an emailed statement, the regulator said it is “concerned at the fact that this breach was discovered on Tuesday and affects many millions of user accounts but Facebook is unable to clarify the nature of the breach and the risk for users at this point.”
A spokeswoman for Facebook said Sunday that the company will respond to follow-up questions from Ireland’s DPC and keep regulators apprised of further developments. Facebook Chief Executive Mark Zuckerberg said Friday that the social network was taking the breach very seriously, and that it is still trying to determine many details around the scope and impact of the incident.
For Facebook, the breach is a significant blow to its efforts to regain trust after a series of privacy and security snafus that have riled users and lawmakers alike.
It marks one of the first significant tests of how regulators will apply the breach-notification and data-security provisions of the new European law, dubbed the General Data Protection Regulation, that went into effect earlier this year. It might also be a sign that the law’s threat of massive fines is already changing how firms handle big breaches, forcing them to disclose them faster and more publicly than before.
While there have been other recent breaches under GDPR—such as British Airways’ disclosure in early September that hackers had for more than two weeks intercepted financial details of clients who made bookings—few if any have been on the scale of Facebook’s breach, privacy lawyers say. The main question regulators will face is whether Facebook invested enough in security to avert a breach.
“When you talk about a business like Facebook that has huge resources and a large user base, that is inevitably going to be seen as a higher bar. The expectation should be that they are going to be deploying a very significant amount of resources” on security, said Andrew Dyson, a partner at DLA Piper.
Under GDPR, companies that don’t do enough to safeguard their users’ data risk a maximum fine of €20 million ($23 million), or 4% of a firm’s global annual revenue for the prior year, whichever is higher. Facebook’s maximum fine would be $1.63 billion using the larger calculation.
The law also requires companies to notify regulators of breaches within 72 hours, under threat of a maximum fine of 2% of world-wide revenue.
“The 72 hours is focusing everyone’s mind,” said a European privacy lawyer who works with big tech firms, but doesn’t represent Facebook.
The occurrence of a breach alone isn’t enough to merit a fine. While the new privacy law’s fines have yet to be tested, EU regulators often decline to issue the maximum possible fine in cases where a company has cooperated or been in at least partial compliance.
The Irish DPC said Facebook notified it of the breach on Thursday evening, which appears to fall within the law’s 72-hour time limit. The regulator complained that the notification “lacked detail,” but privacy lawyers said that it is common for a company to give an initial notification and then update regulators as they learn more about a breach. A spokesman for the DPC declined to elaborate on his statement until Facebook had replied to the regulator’s questions.
Any EU investigation into the breach will likely center on whether Facebook took appropriate steps to safeguard its users’ data before the hack. But given the newness of the GDPR, what counts as appropriate has yet to be defined by courts.
Facebook, for example, can argue that it invests heavily in security staff and technology and has boosted those expenditures recently. But the EU law recommends companies reduce the risk of breaches by minimizing the amount of user data they collect and keep. That could make any business that, like Facebook, relies heavily on data collection face tougher scrutiny, lawyers say.
“If you are a company that is processing personal data on a large scale, the level of risk is going to be seen as higher, so the level of security will have to be higher,” said Sarah Pearce, who heads the European data-privacy and cybersecurity practice at law firm Paul Hastings, adding that her comments don’t specifically relate to Facebook.
The breach probe in Ireland is the latest legal threat Facebook is facing from U.S. and European officials over its handling of user data.
In September, Facebook Chief Operating Officer Sheryl Sandberg appeared in front of U.S. lawmakers to respond to questions about the company’s business and privacy practices.
Last week, the European Commission, the bloc’s executive arm, demanded Facebook better spell out to consumers how their data is being used or face consumer-protection sanctions in several countries.
Separately, the company also has come under fire from privacy activists who have lodged complaints under the GDPR in several countries, arguing in part that Facebook requires users to agree to its terms of service—including the collection of their personal data—in order to use the social network.
Privacy activists argue that users aren’t freely giving their consent to the terms. Facebook counters that data it collects is necessary to fulfill its contract with users to provide “a personalized experience”—and contractual necessity is also a permitted justification under GDPR. Ireland’s data-protection regulator says it is investigating the issue.
In Germany, the national antitrust regulator last December issued a preliminary finding that Facebook abuses its position as the dominant social network in Germany to strong-arm users into allowing it to collect data about them from third-party sources, such as websites with “like” buttons.
A final decision on that case could come in coming months.