Facebook hack exposed 50 million users' info -- and accounts on other sites

Posted: Sep 28, 2018 10:04 PM
Updated: Sep 28, 2018 10:04 PM

An attack on Facebook exposed information on nearly 50 million of the social network's users, the company announced Friday -- and gave the attackers access to those users' accounts with other sites and apps that they logged into using Facebook.

The attackers exploited a bug in a feature called "View As" that lets users see their Facebook page the way someone else would. The attackers were able to take over the accounts and use them exactly as if they were the account holders. That would include posting or viewing information shared by any of that account's friends. Facebook says no credit card information stored with the company was accessed.

Facebook said it does not know who the attackers were or where they were based. It also said it has already fixed the issue and informed the FBI and other law enforcement, as well as lawmakers and regulators. It has also informed the Irish Data Protection Commission about the breach, a step required by Europe's GDPR regulations. The commission said it received the notification, but expressed concern with its timing and lack of detail.

More than 90 million users were forcibly logged out of their accounts by Facebook and had to log back in on Friday for security reasons. The accounts of Facebook CEO Mark Zuckerberg and COO Sheryl Sandberg were among the 90 million accounts forcibly logged out by Facebook.

Users do not need to take any additional security precautions or reset their passwords, said Facebook. All logged out users will receive a notification about the issue from Facebook, but it won't tell them if they were in the group of 50 million impacted or 40 million included as a precaution.

The attackers would have also been able to access third-party services or sites accessed with a Facebook login, Facebook's Guy Rosen said in a follow-up call with reporters on Friday, though it is not yet clear if they did so. It could have also impacted Instagram accounts that use the same login as Facebook, but Rosen said WhatsApp, which is also owned by Facebook, was not impacted. The company declined to confirm if this was the largest hack it has experienced to date.

The company says it does not know if the affected accounts were misused in any way or if any user information was actually accessed. It has not determined if any specific locations or accounts were targeted. It has turned off the "View As" feature that the attackers exploited while it investigates.

"From experience, breach notifications like this always tend to get worse as time goes on and information from investigations is shared with the public," said Jessy Irwin, the head of security at cybersecurity firm Tendermint. "There's not much that is public about how those [linked] accounts are impacted, but this seems to go much deeper into Facebook's entire ecosystem than Cambridge Analytica did."

Facebook says the vulnerability is the result of three distinct bugs, and originally appeared in July 2017 when the company made a change to a video uploading feature. The company first detected some unusual activity -- a spike in user access to the site -- on September 16, 2018. It launched an investigation and uncovered this attack on Tuesday, September 25. On Wednesday it notified law enforcement and on Thursday evening it fixed the vulnerability and began resetting login tokens, according to Facebook.

The attackers stole Facebook "access tokens," which keep a person logged into their Facebook account over long periods of time so they don't have to keep signing in. Facebook reset all 50 million tokens, as well as tokens for an additional 40 million people who had used the "View As" feature in the past year as a "precautionary step." The reset also unlinked accounts like Instagram and Oculus, both of which are owned by Facebook, which users will need to relink.

"The reality here is we face constant attacks from people who want to take over accounts or steal information.... we need to do more to prevent this from happening in the first place," CEO Mark Zuckerberg said during a call with reporters shortly after the announcement.

The announcement is the latest issue for the company, which has struggled with security breaches, privacy issues and misinformation in recent years. Facebook says it is investing heavily in security going forward, and increasing the number of people working on security from 10,000 to 20,000.

"Security is an arms race and we're continuing to improve our defenses," said Zuckerberg.

-- CNN's Donie O'Sullivan and Sara O'Brien contributed reporting.
