Facebook hack exposed 50 million users' info -- and accounts on other sites

Posted: Sep 28, 2018 10:04 PM
Updated: Sep 28, 2018 10:04 PM

An attack on Facebook exposed information on nearly 50 million of the social network's users, the company announced Friday -- and gave the attackers access to those users' accounts with other sites and apps that they logged into using Facebook.

The attackers exploited a bug in a feature called "View As" that lets users see their Facebook page the way someone else would. The attackers were able to take over the accounts and use them exactly as if they were the account holders. That would include posting or viewing information shared by any of that account's friends. Facebook says no credit card information stored with the company was accessed.

Facebook said it does not know who the attackers were or where they were based. It also said it has already fixed the issue and informed the FBI and other law enforcement, as well as lawmakers and regulators. It has also informed the Irish Data Protection Commission about the breach, a step required by Europe's GDPR regulations. The commission said it received the notification, but expressed concern with its timing and lack of detail.

More than 90 million users were forcibly logged out of their accounts by Facebook and had to log back in on Friday for security reasons. The accounts of Facebook CEO Mark Zuckerberg and COO Sheryl Sandberg were among the 90 million accounts forcibly logged out by Facebook.

Users do not need to take any additional security precautions or reset their passwords, said Facebook. All logged out users will receive a notification about the issue from Facebook, but it won't tell them if they were in the group of 50 million impacted or 40 million included as a precaution.

The attackers would have also been able to access third-party services or sites accessed with a Facebook login, Facebook's Guy Rosen said in a follow-up call with reporters on Friday, though it is not yet clear if they did so. It could have also impacted Instagram accounts that use the same login as Facebook, but Rosen said WhatsApp, which is also owned by Facebook, was not impacted. The company declined to confirm if this was the largest hack it has experienced to date.

The company says it does not know if the affected accounts were misused in any way or if any user information was actually accessed. It has not determined if any specific locations or accounts were targeted. It has turned off the "View As" feature that the attackers exploited while it investigates.

"From experience, breach notifications like this always tend to get worse as time goes on and information from investigations is shared with the public," said Jessy Irwin, the head of security at cybersecurity firm Tendermint. "There's not much that is public about how those [linked] accounts are impacted, but this seems to go much deeper into Facebook's entire ecosystem than Cambridge Analytica did."

Facebook says the vulnerability is the result of three distinct bugs, and originally appeared in July 2017 when the company made a change to a video uploading feature. The company first detected some unusual activity -- a spike in user access to the site -- on September 16, 2018. It launched an investigation and uncovered this attack on Tuesday, September 25. On Wednesday it notified law enforcement and on Thursday evening it fixed the vulnerability and began resetting login tokens, according to Facebook.

The attackers stole Facebook "access tokens," which keep a person logged into their Facebook account over long periods of time so they don't have to keep signing in. Facebook reset all 50 million tokens, as well as tokens for an additional 40 million people who had used the "View As" feature in the past year as a "precautionary step." The reset also unlinked accounts like Instagram and Oculus, both of which are owned by Facebook, which users will need to relink.

"The reality here is we face constant attacks from people who want to take over accounts or steal information.... we need to do more to prevent this from happening in the first place," CEO Mark Zuckerberg said during a call with reporters shortly after the announcement.

The announcement is the latest issue for the company, which has struggled with security breaches, privacy issues and misinformation in recent years. Facebook says it is investing heavily in security going forward, and increasing the number of people working on security from 10,000 to 20,000.

"Security is an arms race and we're continuing to improve our defenses," said Zuckerberg.

-- CNN's Donie O'Sullivan and Sara O'Brien contributed reporting.
