Facebook Says Breach Affected About 50 Million Accounts
The company said it’s investigating the breach, which allowed hackers to take over a person’s account.
(Bloomberg) -- Facebook Inc. said it discovered a security breach earlier this week that affected almost 50 million accounts, the latest in a series of missteps that are undermining confidence in the company’s social network and business model.
The social-media network said in a statement Friday that it has fixed the breach, which allowed hackers to take over people’s accounts. Law enforcement authorities and regulators including the Irish Data Protection Commissioner have been told about the incident.
The Facebook accounts of Chief Executive Officer Mark Zuckerberg and Chief Operating Officer Sheryl Sandberg were among those targeted by the hack. Shares of the company fell 2.6 percent to close at $164.46 in New York, leaving them down 6.8 percent this year.
User data leaks, security breaches and the spread of misinformation have forced Facebook to confront hostile congressional hearings and uproar from users. This week’s breach adds to concerns the company is collecting too much personal information and not looking after it properly. Data is the lifeblood of Facebook’s advertising business, so any limits on its activities that stem from these missteps could crimp the company’s earning power.
U.S. Senator Mark Warner, the top Democrat on the Senate Intelligence Committee, said the breach was “deeply concerning” and called for an investigation. Ireland’s data-protection regulator said Facebook hasn’t shared enough information about the attack.
There was a loophole in Facebook’s code for a feature called "View As" that let people see what their account looks like to someone else. The vulnerability allowed hackers to steal access tokens -- digital keys that keep people logged into Facebook so they don’t need to re-enter passwords. Once logged in, the attackers could take control.
“This attack exploited the complex interaction of multiple issues in our code. It stemmed from a change we made to our video uploading feature in July 2017, which impacted ‘View As,’” Facebook said. “The attackers not only needed to find this vulnerability and use it to get an access token, they then had to pivot from that account to others to steal more tokens.”
While access codes were taken from 50 million accounts in the recent breach, Facebook said it doesn’t know whether any personal information was gathered or misused from those accounts.
The vulnerability let the attacker use a Facebook account as if they were the account holder, executives said during a conference call. “We need to do more to prevent this from happening in the first place,” Zuckerberg said.
The Cambridge Analytica scandal from earlier this year, which involved a developer handing over Facebook user profile information to a third party, affected as many as 85 million people and led to a congressional hearing. This new vulnerability is potentially worse because it let hackers log in as the holder of the account, giving them access to information that was not otherwise public.
Facebook responded quicker to the latest breach, but had less information to share at this early stage. “We may never know” who was behind this, Facebook executive Guy Rosen said. “We did see this attack being used at a fairly large scale.”
The hack required sophistication, said Rosen. The attackers had the resources to find three different bugs and exploit them in tandem. Facebook is investigating the breach in partnership with the FBI, which didn’t immediately respond to a request for comment on the possibility of nation state involvement.
For more on Facebook’s recent issues, check out the Decrypted podcast:
The news could weigh on growth and hurt profit in the second half of this year, according to Bloomberg Intelligence analyst Jitendra Waral. “Facebook also may lose users who have been asked to reset sign-ins” and face fines under Europe’s General Data Protection Regulation, he wrote Friday in a note to investors.
Everyone whose profile used the “View As” tool in the last year will have to log in to Facebook again, and any apps that used Facebook to log in. From there, they’ll be able to see a statement explaining what happened. The company estimated that about 90 million people will have to log in again. Facebook has more than 2 billion users.
--With assistance from Stephanie Bodoni and Billy House.
To contact the reporter on this story: Sarah Frier in San Francisco at sfrier1@bloomberg.net
To contact the editors responsible for this story: Jillian Ward at jward56@bloomberg.net, Alistair Barr, Andrew Pollack
©2018 Bloomberg L.P.