Facebook hack exposed 50 million users' info -- and accounts on other sites

Posted: Sep 28, 2018 10:04 PM
Updated: Sep 28, 2018 10:04 PM

An attack on Facebook exposed information on nearly 50 million of the social network's users, the company announced Friday -- and gave the attackers access to those users' accounts with other sites and apps that they logged into using Facebook.

The attackers exploited a bug in a feature called "View As" that lets users see their Facebook page the way someone else would. The attackers were able to take over the accounts and use them exactly as if they were the account holders. That would include posting or viewing information shared by any of that account's friends. Facebook says no credit card information stored with the company was accessed.

Facebook said it does not know who the attackers were or where they were based. It also said it has already fixed the issue and informed the FBI and other law enforcement, as well as lawmakers and regulators. It has also informed the Irish Data Protection Commission about the breach, a step required by Europe's GDPR regulations. The commission said it received the notification, but expressed concern with its timing and lack of detail.

More than 90 million users were forcibly logged out of their accounts by Facebook and had to log back in on Friday for security reasons. The accounts of Facebook CEO Mark Zuckerberg and COO Sheryl Sandberg were among the 90 million accounts forcibly logged out by Facebook.

Users do not need to take any additional security precautions or reset their passwords, said Facebook. All logged out users will receive a notification about the issue from Facebook, but it won't tell them if they were in the group of 50 million impacted or 40 million included as a precaution.

The attackers would have also been able to access third-party services or sites accessed with a Facebook login, Facebook's Guy Rosen said in a follow-up call with reporters on Friday, though it is not yet clear if they did so. It could have also impacted Instagram accounts that use the same login as Facebook, but Rosen said WhatsApp, which is also owned by Facebook, was not impacted. The company declined to confirm if this was the largest hack it has experienced to date.

The company says it does not know if the affected accounts were misused in any way or if any user information was actually accessed. It has not determined if any specific locations or accounts were targeted. It has turned off the "View As" feature that the attackers exploited while it investigates.

"From experience, breach notifications like this always tend to get worse as time goes on and information from investigations is shared with the public," said Jessy Irwin, the head of security at cybersecurity firm Tendermint. "There's not much that is public about how those [linked] accounts are impacted, but this seems to go much deeper into Facebook's entire ecosystem than Cambridge Analytica did."

Facebook says the vulnerability is the result of three distinct bugs, and originally appeared in July 2017 when the company made a change to a video uploading feature. The company first detected some unusual activity -- a spike in user access to the site -- on September 16, 2018. It launched an investigation and uncovered this attack on Tuesday, September 25. On Wednesday it notified law enforcement and on Thursday evening it fixed the vulnerability and began resetting login tokens, according to Facebook.

The attackers stole Facebook "access tokens," which keep a person logged into their Facebook account over long periods of time so they don't have to keep signing in. Facebook reset all 50 million tokens, as well as tokens for an additional 40 million people who had used the "View As" feature in the past year as a "precautionary step." The reset also unlinked accounts like Instagram and Oculus, both of which are owned by Facebook, which users will need to relink.

"The reality here is we face constant attacks from people who want to take over accounts or steal information.... we need to do more to prevent this from happening in the first place," CEO Mark Zuckerberg said during a call with reporters shortly after the announcement.

The announcement is the latest issue for the company, which has struggled with security breaches, privacy issues and misinformation in recent years. Facebook says it is investing heavily in security going forward, and increasing the number of people working on security from 10,000 to 20,000.

"Security is an arms race and we're continuing to improve our defenses," said Zuckerberg.

-- CNN's Donie O'Sullivan and Sara O'Brien contributed reporting.
