Facebook hack exposed 50 million users' info -- and accounts on other sites

Posted: Sep 28, 2018 10:04 PM
Updated: Sep 28, 2018 10:04 PM

An attack on Facebook exposed information on nearly 50 million of the social network's users, the company announced Friday -- and gave the attackers access to those users' accounts with other sites and apps that they logged into using Facebook.

The attackers exploited a bug in a feature called "View As" that lets users see their Facebook page the way someone else would. The attackers were able to take over the accounts and use them exactly as if they were the account holders. That would include posting or viewing information shared by any of that account's friends. Facebook says no credit card information stored with the company was accessed.

Facebook said it does not know who the attackers were or where they were based. It also said it has already fixed the issue and informed the FBI and other law enforcement, as well as lawmakers and regulators. It has also informed the Irish Data Protection Commission about the breach, a step required by Europe's GDPR regulations. The commission said it received the notification, but expressed concern with its timing and lack of detail.

More than 90 million users were forcibly logged out of their accounts by Facebook and had to log back in on Friday for security reasons. The accounts of Facebook CEO Mark Zuckerberg and COO Sheryl Sandberg were among the 90 million accounts forcibly logged out by Facebook.

Users do not need to take any additional security precautions or reset their passwords, said Facebook. All logged out users will receive a notification about the issue from Facebook, but it won't tell them if they were in the group of 50 million impacted or 40 million included as a precaution.

The attackers would have also been able to access third-party services or sites accessed with a Facebook login, Facebook's Guy Rosen said in a follow-up call with reporters on Friday, though it is not yet clear if they did so. It could have also impacted Instagram accounts that use the same login as Facebook, but Rosen said WhatsApp, which is also owned by Facebook, was not impacted. The company declined to confirm if this was the largest hack it has experienced to date.

The company says it does not know if the affected accounts were misused in any way or if any user information was actually accessed. It has not determined if any specific locations or accounts were targeted. It has turned off the "View As" feature that the attackers exploited while it investigates.

"From experience, breach notifications like this always tend to get worse as time goes on and information from investigations is shared with the public," said Jessy Irwin, the head of security at cybersecurity firm Tendermint. "There's not much that is public about how those [linked] accounts are impacted, but this seems to go much deeper into Facebook's entire ecosystem than Cambridge Analytica did."

Facebook says the vulnerability is the result of three distinct bugs, and originally appeared in July 2017 when the company made a change to a video uploading feature. The company first detected some unusual activity -- a spike in user access to the site -- on September 16, 2018. It launched an investigation and uncovered this attack on Tuesday, September 25. On Wednesday it notified law enforcement and on Thursday evening it fixed the vulnerability and began resetting login tokens, according to Facebook.

The attackers stole Facebook "access tokens" which keep a person logged into their Facebook account over long periods of time so they don't have to keep signing in. Facebook reset all 50 million tokens, as well as tokens for an additional 40 million people who had used the "View As" feature in the past year as a "precautionary step." The reset also unlinked accounts like Instagram and Oculus, both of which are owned by Facebook, which users will need to relink.

"The reality here is we face constant attacks from people who want to take over accounts or steal information.... we need to do more to prevent this from happening in the first place," CEO Mark Zuckerberg said during a call with reporters shortly after the announcement.

The announcement is the latest issue for the company, which has struggled with security breaches, privacy issues and misinformation in recent years. Facebook says it is investing heavily in security going forward, and increasing the number of people working on security from 10,000 to 20,000.

"Security is an arms race and we're continuing to improve our defenses," said Zuckerberg.

-- CNN's Donie O'Sullivan and Sara O'Brien contributed reporting.
