Facebook security breach: Up to 50m accounts attacked

stapp · Sep 28, 2018

Facebook has said “almost 50 million” of its users were left exposed by a security flaw.

The company said attackers were able to exploit a vulnerability in a feature known as “View As” to gain control of people's accounts.

The breach was discovered on Tuesday, Facebook said, and it has informed police.

Users that had potentially been affected were prompted to re-log-in on Friday.
Click to expand...

https://www.bbc.co.uk/news/technology-45686890

hawki · Sep 28, 2018

Facebook Statement:

"September 28, 2018
Security Update..."

https://newsroom.fb.com/news/2018/09/security-update/

guest · Sep 28, 2018

Facebook hack could hasten regulation as Sen. Warner says Congress must “step up”
September 28, 2018
https://techcrunch.com/2018/09/28/facebook-breach-warner/

Senator Mark Warner (D-VA) has issued a stern reprimand to Facebook over today’s revelation that 50 million users had their access token stolen by a hacker. “This is another sobering indicator that Congress needs to step up and take action to protect the privacy and security of social media users” Warner writes. As I’ve said before – the era of the Wild West in social media is over.”

[Update: FTC Commisioner Rohit Chopra has now tweeted that “I want answers” regarding the Facebook hack, further strengthening the possibility that today’s problem will trigger more calls for regulation.]

The Senator Mark Warner’s full statement can be found below: [...]
Click to expand...

mirimir · Sep 28, 2018

Damn, that's the prototypic fail for key holders.

davews · Sep 29, 2018

This seems to be all about access tokens, a term I was not familiar with. Are these effectively cookies? If I only visit Facebook occasionally and regularly clear all cookies such that I have to log in every time I assume I am not affected. There again there is deliberately nothing on my Facebook account to hack anyway..

Minimalist · Sep 29, 2018

davews said: ↑

This seems to be all about access tokens, a term I was not familiar with. Are these effectively cookies? If I only visit Facebook occasionally and regularly clear all cookies such that I have to log in every time I assume I am not affected. There again there is deliberately nothing on my Facebook account to hack anyway..
Click to expand...

It seems that this was server side problem. So instead of just deleting local cookies it would be IMO more important to log-off Facebook when not using it (so the session on server's side is closed).

Minimalist · Sep 29, 2018

Facebook shares more details about its massive security breach -- after blocking people from sharing news about it

The Guardian was among many outlets to write about the huge Facebook vulnerability and attack reported yesterday, and people were understandably keen to share the story on the social network. However, many people found that they were unable to do.

Large numbers of Facebook users who tried to share the Guardian's story -- as well as one published by the Associated Press -- were greeted by a message informing them that the messages was spam and could not be posted. The matter has been addressed, but it led to complaints that Facebook was trying to hush up the story, and renewed calls to #DeleteFacebook. On its blog, Facebook's security team has also given more details about the "security issue" that happened earlier this week,
Click to expand...

https://betanews.com/2018/09/29/facebook-blocks-vulnerability-shares/

Rasheed187 · Sep 29, 2018

Minimalist said: ↑

Facebook shares more details about its massive security breach -- after blocking people from sharing news about it

https://betanews.com/2018/09/29/facebook-blocks-vulnerability-shares/
Click to expand...

Seems like a shocking bug to me, this shouldn't have been possible! But at least they are open about it.

142395 · Sep 29, 2018

This reminded me of websites which failed to assign "secure" attribute to cookies. Noscript had (may still have? It's long since I moved to uMatrix and to uBO) a function to manually add it. This kind of damn things are too prevalent, but ppl're willing to share everything about their real life on the internet, and shop, bank, then even ctrl home electronics via it.

Minimalist · Sep 30, 2018

Zuckerberg’s own Facebook account got hacked in breach

Red-faced Facebook founder Mark Zuckerberg and two of his top execs were among the 50 million users of the social media site whose accounts have been hacked.

“This is a really serious security issue, and we’re taking it seriously,’’ Zuckerberg [pictured] said on Friday. “We need to be more proactive.’’
Click to expand...

https://nypost.com/2018/09/29/zuckerbergs-own-facebook-account-got-hacked-in-breach/

ronjor · Sep 30, 2018

Facebook Faces Potential $1.63 Billion Fine in Europe Over Data Breach

By Sam Schechner Sept. 30, 2018
Privacy watchdog looks into whether social network violated European’s Union new privacy law
Click to expand...

ronjor · Oct 1, 2018

Industry Reactions to Facebook Hack

By Eduard Kovacs on October 01, 2018
Industry professionals have commented on various aspects of the incident, including GDPR implications, the impact on Facebook and its users, the vulnerabilities exploited by the attackers, and the company’s response.
Click to expand...

guest · Oct 2, 2018

The Facebook Hack Exposes an Internet-Wide Failure
October 2, 2018
https://www.wired.com/story/facebook-hack-single-sign-on-data-exposed/

Some of the web’s most popular sites have not implemented basic security precautions that would have limited the fallout of the Facebook hack [...]
If they had taken more care with their implementation of Facebook's Single Sign-On feature [...] the impact could have largely been limited to Facebook.
Master Key
There are valid reasons third-party sites and services let users log in with Facebook. For starters, it’s easy, and saves users the hassle of creating yet another password. And, in theory at least, it makes logging in more secure.

[...] once an attacker has control of someone's Facebook account, their access to third parties would be largely the same.
Limited Protections
But in a manual audit of 95 of the most popular web and mobile sites that offer Facebook Single Sign-On [...] only two required people to enter their Facebook passwords each time they logged in.
Polakis describes it as a classic case of companies choosing usability over security.
Click to expand...

guest · Oct 12, 2018

Facebook hackers stole locations and other private data for millions of users
The bad news: Private data was stolen. The good: Fewer accounts were affected
October 12, 2018
https://arstechnica.com/information...and-other-private-data-for-millions-of-users/

The attackers who carried out the mass hack that Facebook disclosed two weeks ago obtained user account data belonging to as many as 30 million users, the social network said on Friday. Some of that data—including phone numbers, email addresses, birth dates, searches, location check-ins, and the types of devices used to access the site—came from private accounts or was supposed to be restricted only to friends.

Readers can check this link to see what, if any, data was obtained by the attackers.
The ability to know the search queries, location check-ins, phone numbers, email addresses, and other personal details of so many people gives the attackers the ability to send highly customized emails [...]

New York Times reporter Mike Isaac summed up the feeling of many affected Facebook users when he tweeted a screenshot of his stolen personal information.

Rosen declined to say how the attackers went undetected for almost two weeks as they accessed 30 million accounts. [...] Rosen said the 30 million affected accounts were broadly distributed around the world, but he declined to give a breakdown.
Click to expand...

Reality · Oct 12, 2018

The sooner people realize FB is one giant huge scam, the better off they'll be.

Minimalist · Oct 12, 2018

Here’s how to see if you’re among the 30 million compromised Facebook users

The attackers who carried out the mass hack that Facebook disclosed two weeks ago obtained user account data belonging to as many as 30 million users, the social network said on Friday. Some of that data—including phone numbers, email addresses, birth dates, searches, location check-ins, and the types of devices used to access the site—came from private accounts or was supposed to be restricted only to friends.
Click to expand...

https://arstechnica.com/information...and-other-private-data-for-millions-of-users/

Minimalist · Oct 17, 2018

Facebook breach hit 3 million in EU, putting new privacy law to test

Facebook may have a run-in with Europe's new privacy law.

The Irish Data Protection Commission said Tuesday that roughly 3 million Facebook users living in Europe were affected by a data breach at the social network in September, according to CNBC.
Click to expand...

https://www.cnet.com/news/facebook-breach-hit-3-million-in-eu-putting-new-privacy-law-to-test/

ronjor · Oct 17, 2018

Facebook tentatively concludes that spammers were behind recent data breach: WSJ

October 17, 2018
(Reuters) - Facebook Inc has tentatively concluded that a recent hack that affected millions of accounts was perpetrated by spammers, and not a nation-state, the Wall Street Journal reported on Wednesday, citing sources.
Click to expand...

ronjor · Oct 22, 2018

Japan tells Facebook to improve data protection

October 21, 2018 by Makiko Yamazaki; additional reporting by Sam Nussey
The government asked the world’s largest social media network to fully communicate security issues to users, increase surveillance of providers of applications on its platform, and inform regulators of any change in security measures.
Click to expand...

Minimalist · Nov 2, 2018

Private messages from 81,000 Facebook accounts advertised for sale by Russian hackers

Russian hackers are selling private messages from 81,000 Facebook accounts online, an investigation has found.

The messages were posted on a forum by hackers claiming to have access to the personal data of 120 million accounts, offering to sell them at 8p per profile, according to the BBC.
Click to expand...

https://www.telegraph.co.uk/technol...00-facebook-accounts-advertised-sale-russian/

guest · Mar 27, 2019

More than 110,000 Australians caught up in September's Facebook cyber-attack
Hackers were able to access users’ movements, hometown, search history, email and phone number
March 27, 2019
https://www.theguardian.com/technol...caught-up-in-septembers-facebook-cyber-attack

The detailed personal information of more than 60,000 Australians was exposed in a massive cyber-attack on Facebook last year, giving hackers the ability to access their movements, hometown, search history, email and phone number.

The revelations are contained in confidential correspondence between Facebook and Australia’s privacy watchdog, the Office of the Australian Information Commissioner. The documents were released under freedom of information laws on Tuesday.

The correspondence shows Facebook took almost two weeks to discover the cyber-attack, which began on 14 September last year. It discovered the breach on 25 September, and did not notify the OAIC for another four days, at the same time it told other international agencies. When it did tell Australian authorities, it asked them to keep early estimates of the number of affected Australians confidential.
Click to expand...

guest · May 16, 2019

Facebook restores disabled ‘View As’ feature used in 2018 breach
May 16, 2019
https://nakedsecurity.sophos.com/20...disabled-view-as-feature-used-in-2018-breach/

Facebook is reviving a version of a privacy feature that it disabled last year after hackers exploited it to steal users’ access tokens – the keys that allow users to stay logged into Facebook without having to re-enter their password every time they use the app.

On Tuesday, Facebook updated its initial blog post about the breach to say that it’s completed a security review and is re-enabling a version of the “View As” feature that hadn’t been affected by the security incident.

Today, we're making it easier for people to manage their publicly visible information on Facebook with two updates:… twitter.com/i/web/status/1…
Facebook (@facebook) May 14, 2019
The “View As Public” feature lets people see what their profile looks like to people they aren’t friends with on Facebook. Not only was the restored version unaffected by the breach, but this version was also “significantly more popular” than Facebook’s “View as Specific Person” feature, Facebook says.
Click to expand...

https://newsroom.fb.com/news/2018/09/security-update/
(Update on May 14, 2019 at 9AM PT: We have completed our security review and are re-enabling the version of the “View As” feature that lets people see what their profile looks like to people they aren’t friends with on Facebook. This version was unaffected by the security incident and was significantly more popular than “View as Specific Person.”)
Click to expand...

guest · Nov 27, 2019

Hacking Victims Seek Independent Audits of Facebook Data Security
November 27, 2019
https://www.courthousenews.com/hacking-victims-seek-independent-audits-of-facebook-data-security/

Four million Facebook users who had personal data exposed in a September 2018 data breach can team up in a fight to make the social media giant submit to independent audits of its data security measures, a federal judge ruled Tuesday night.

U.S. District Judge William Alsup granted a hacking victim’s motion for class certification to seek an injunction that would force the company to reform its data security system. One potential remedy could involve placing an independent monitor in Facebook’s headquarters to scrutinize the company’s data security protocols.
However, the judge refused to allow the class to seek monetary damages from Facebook for credit monitoring services and loss of control over private information.

Facebook and its lawyers did not immediately respond to email requests for comment Wednesday, but the company said in a 2018 blog post about the hack that “people’s privacy and security is incredibly important, and we’re sorry this happened. It’s why we’ve taken immediate action to secure these accounts and let users know what happened.”
Click to expand...

guest · Feb 8, 2020

Facebook says it will tighten account security following 2018 hack
That is, if its proposed settlement sticks
February 8, 2020
https://www.engadget.com/2020/02/08/facebook-settlement-tightens-account-security/

Facebook is promising to bolster its security processes in the wake of a 2018 hack that exposed data for 29 million users. The social network has proposed a settlement in a lawsuit over the breach that would see the company check more often for suspicious activity around the digital access tokens that let people use their accounts. There are other measures as part of the lawsuit, Bloomberg said.

The settlement comes a few months after Judge William Alsup barred the plaintiffs from looking for financial compensation after the main plaintiff couldn't show that he'd had to pay expenses as a result of the breach.
There's no guarantee the settlement will go forward as-is. That will depend on Judge Alsup's approval.
Click to expand...

guest · Feb 11, 2020

Facebook was warned in advance about the security issue that led to the 2018 data breach
Employees think it could have been prevented
February 10, 2020
https://www.techspot.com/news/83949-facebook-warned-advance-about-security-issue-led-2018.html

In brief: Facebook engineers have revealed in court that the company ignored warnings about a potential security issue for nine months, only to have cybercriminals prove them right in 2018. And while they feel this could have been prevented, the company insists it was taken by surprise.

According to a report from The Telegraph, Facebook was made aware about the potential security risk nine months in advance, which should have been ample time to prevent a hack that affected more than 50 million accounts and inconvenienced more than 90 million, who were signed out on all of their devices.
The Telegraph cites court documents that indicate employees had developed "guilt" and "hurt" after repeated warnings led to no action being coordinated by upper management.
Click to expand...

Log in or Sign up

Facebook security breach: Up to 50m accounts attacked

stapp Global Moderator

hawki Registered Member

guest Guest

mirimir Registered Member

davews Registered Member

Minimalist Registered Member

Minimalist Registered Member

Rasheed187 Registered Member

142395 Guest

Minimalist Registered Member

ronjor Global Moderator

ronjor Global Moderator

guest Guest

guest Guest

Reality Registered Member

Minimalist Registered Member

Minimalist Registered Member

ronjor Global Moderator

ronjor Global Moderator

Minimalist Registered Member

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

Log in or Sign up

Facebook security breach: Up to 50m accounts attacked

stapp Global Moderator

hawki Registered Member

guest Guest

mirimir Registered Member

davews Registered Member

Minimalist Registered Member

Minimalist Registered Member

Rasheed187 Registered Member

142395 Guest

Minimalist Registered Member

ronjor Global Moderator

ronjor Global Moderator

guest Guest

guest Guest

Reality Registered Member

Minimalist Registered Member

Minimalist Registered Member

ronjor Global Moderator

ronjor Global Moderator

Minimalist Registered Member

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

Useful Searches