Have you logged out of Facebook lately? Have you changed your Facebook password? What about Instagram, Spotify or any other app you log into with your private Facebook information?
The New York Times reported that last week 90 million Facebook subscribers were forced to log out of their accounts due to an unprecedented security breach.
Facebook announced on Sept. 28 that hackers had accessed and exposed personal information of 50 million users, its largest security breach ever reported.
Hackers gained access “as if they were … the account holder themselves,” Guy Rosen, Facebook’s vice president of product management, said in a conference call related to the announcement.
The attackers accessed Facebook accounts through a bug in one of Facebook’s video-uploading programs that had been introduced in June 2017, allowing them to create “access tokens,” or digital keys that allow access to a user’s account without the necessity of entering their name and password at each login.
As if Facebook were not enough, The Sun revealed the hackers also gained access to third-party services such as Instagram, Messenger, Tinder, Spotify and other apps that allow subscribers to use their personal Facebook credentials to access their sites, causing a potential for a chain reaction breach of personal information affecting hundreds of millions of accounts.
Even with the hackers’ broad access to many sites, a Spotify spokesperson stated that none of its systems were compromised.
Facebook’s integration with so many apps and websites creates a playground for hackers seeking to exploit weaknesses and vulnerabilities in social media technology, wreaking havoc on the personal information of consumers and businesses alike.
Facebook reportedly knew of a potential problem 10 days prior to its announcement of the breach. On Sept. 18, Facebook discovered what it considered unusual activity that appeared in the form of a large spike in users and launched its own investigation, but it was not until Sept. 25 that Facebook actually discovered the source of the attack and the resulting vulnerability.
The following day, Facebook notified law enforcement, but it did not complete an actual fix of the problem until Sept. 27. Facebook finally disclosed and notified its users of the attack on Sept. 28, a full 10 days after its initial discovery of the suspicious activity.
Facebook said “it had fixed the vulnerabilities and notified law enforcement officials,” according to The Times. “Company officials do not know the identity or the origin of the attackers, nor have they fully assessed the scope of the attack or if particular users were targeted. The investigation is still in its beginning stages.”
Facebook said it was not aware that any foreign entity was involved in the breach, as was the case during the 2016 elections.
CEO Mark Zuckerberg told reporters in a conference call, “I’m glad we found this, but it definitely is an issue that this happened in the first place.”
“The big fear is that hackers will have used automatic tools to harvest information from all 50 million accounts that were compromised,” The Sun reported. “This means it’s possible that hackers are currently sitting on photos, videos and private messages for tens of millions of people around the world. This data pool grows significantly when you add services like Tinder or Instagram into the mix.”
On the day of the announcement, a news release from Democratic Sen. Mark Warner of Virginia wasted no time calling for federal intervention:
“The news that at least 50 million Facebook users had their accounts compromised is deeply concerning. A full investigation should be swiftly conducted and made public so that we can understand more about what happened.
“Today’s disclosure is a reminder about the dangers posed when a small number of companies like Facebook or the credit bureau Equifax are able to accumulate so much personal data about individual Americans without adequate security measures.
“This is another sobering indicator that Congress needs to step up and take action to protect the privacy and security of social media users. As I’ve said before – the era of the Wild West in social media is over.”
Meanwhile, Facebook took action that made it look as though it were trying to hide reports of the breach from its users, claiming that media reports of its internal security problems “look(ed) like spam to us.”
Facebook is deleting and blocking posts warning people about their recent security breach. 😒 pic.twitter.com/OYiayagGCd
— 😼🐆Doomspotter (@Vigilant1000) September 28, 2018
“There’s no need for anyone to change their passwords,” Rosen said in a statement on Facebook. “But people who are having trouble logging back into Facebook — for example because they’ve forgotten their password — should visit our Help Center.”