Facebook discovered a security vulnerability that allowed hackers to access information on 50 million user accounts. The company announced the news Friday.

SAN FRANCISCO – According to Facebook, the accounts of nearly 50 million users have been breached in the biggest security incident ever on the giant social network, dealing a new blow to public confidence in the struggling company.

The scale of the hack, meaning how much of Facebook users' personal information has been compromised, is not yet known. The unidentified attackers had access to basic demographic information such as gender, city of residence, name or birthday that people included in their Facebook profiles.

Facebook says attackers exploited a feature in its code that allowed them to take over user accounts. Among these accounts were those of Facebook CEO Mark Zuckerberg and his second-in-command, Sheryl Sandberg.

A spike in traffic triggered an internal investigation on September 16th. The breach was discovered Tuesday afternoon and the vulnerability was fixed on Thursday night, the company said.

The disclosure of yet another in a series of security failures has already brought political heat. Federal Trade Commission Commissioner Rohit Chopra said Friday night that he was alarmed by the Facebook breach. The FTC and other agencies are already investigating Facebook following the revelation that the political targeting firm Cambridge Analytica had accessed the accounts of 87 million users without their consent.

"These companies have an impressive amount of information about Americans – violations not only violate our privacy, they create enormous risks for our economy and our national security," Chopra said in the US. "The cost of inaction is increasing and we need answers."

Facebook says it has not identified the attackers and does not know the cause of the September attack. The Silicon Valley company informed the FBI on Wednesday.

"We are still at the very beginning of the investigation," Facebook CEO Mark Zuckerberg said Friday. "We do not know yet if any of the accounts were misused."

Zuckerberg says Facebook has invested heavily in security measures but will step up efforts to lock down Facebook user accounts.

"The reality is that we are facing constant attacks," he said. "We need to do more to prevent this from happening in the first place."

More than 90 million Facebook users were forcibly logged out Friday morning as a security measure. They will see a notice at the top of their news feed explaining why, the Facebook CEO said.

How the attack worked

Attackers exploited a vulnerability in Facebook's code that affected "View As", a feature that lets users see what their own profile looks like to someone else. The feature was designed to give users better control over their privacy. Three software bugs in the Facebook code connected to this feature allowed attackers to steal Facebook access tokens, which they could then use to take over people's accounts.

These access tokens are like digital keys that allow users to stay logged in to Facebook, so they do not need to re-enter their password each time they use it.

How it worked: once the attackers had access to a token for an account, call it Jane's, they could use "View As" to see what another account, for example Tom's, could see on Jane's account. The vulnerability also allowed the attackers to obtain an access token on behalf of Tom, and the attack spread from there. Facebook has reportedly disabled the "View As" feature as a security precaution.

Attackers could also gain access to Facebook users' accounts on other apps and websites that they log in to with Facebook Login, the feature that allows you to connect to other online services with your Facebook credentials.

Facebook has reset the tokens of the nearly 50 million affected accounts and, as a precaution, has also reset the tokens for another 40 million accounts that have used "View As" in the past year. The token reset logged the affected Facebook users out and also disconnected those users from the third-party applications and websites they accessed through Facebook Login.
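
A simplified model of the flaw class and the token reset described above, added here as an illustration. It is not Facebook's code (the page shows none), and RenderContext, TokenStore and their methods are hypothetical names.

```python
# Added illustration, not Facebook's code. All names are hypothetical.
import secrets
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class RenderContext:
    session_user: str               # account that actually authenticated
    view_as: Optional[str] = None   # account being simulated by "View As"

    @property
    def effective_viewer(self) -> str:
        return self.view_as or self.session_user


class TokenStore:
    def __init__(self) -> None:
        self._owner_by_token = {}   # token -> owning account

    def _mint(self, owner: str) -> str:
        token = secrets.token_urlsafe(16)
        self._owner_by_token[token] = owner
        return token

    def mint_vulnerable(self, ctx: RenderContext) -> str:
        # Flaw: the token is issued to the simulated viewer, so a page
        # rendered by Jane "as Tom" hands Jane a working token for Tom.
        return self._mint(ctx.effective_viewer)

    def mint_hardened(self, ctx: RenderContext) -> str:
        # A simulated view is read-only: it must never issue credentials.
        if ctx.view_as is not None:
            raise PermissionError("token issuance disabled in View As mode")
        return self._mint(ctx.session_user)

    def owner_of(self, token: str) -> Optional[str]:
        return self._owner_by_token.get(token)

    def revoke_accounts(self, accounts: set) -> int:
        # Reset: drop every token owned by an affected or at-risk account,
        # which logs those users out everywhere the token was accepted.
        doomed = [t for t, o in self._owner_by_token.items() if o in accounts]
        for token in doomed:
            del self._owner_by_token[token]
        return len(doomed)
```
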

"Until now, our initial investigation did not show that these tokens were used to access private messages or messages or to publish anything on these accounts. But that could of course change as we learn more."

When these 90 million people log back in to Facebook or to any application that uses Facebook Login, they will see a notification at the top of their news feed, said Guy Rosen, vice president of product management.

Facebook says that it is not necessary for users to reset their passwords. But security experts recommend doing it anyway.

Calls for investigation

The breach marks the latest privacy failure for Facebook, which has been hammered over the Cambridge Analytica scandal and the uncontrolled spread of Russian propaganda during and after the 2016 presidential election.

Confidence in the giant social network used by more than 2 billion people around the world has been shaken by troubling revelations. Another two billion people use the Facebook-owned messaging application WhatsApp and Instagram.

"It's clearly an abuse of trust and we take it very seriously. We are working with lawmakers and regulators to let them know what happened," Rosen told reporters.

Even before Friday's disclosure, Facebook was the subject of several investigations, including one by the Securities and Exchange Commission into the company's statements regarding the leakage of millions of people's data to Cambridge Analytica.

Such a massive breach is likely to trigger more calls for oversight of Facebook and other tech giants. The Irish Data Protection Commission complained on Friday about the lack of detail in Facebook's initial report. The United Kingdom's Information Commissioner's Office has stated that it plans to investigate.

Democratic Senator Mark Warner, vice chairman of the Senate Intelligence Committee, called for a quick and public investigation into the breach.

"Today's disclosure is reminiscent of the dangers posed by the fact that a small number of companies such as Facebook or the Equifax Credit Bureau are able to accumulate as much personal data about Americans without adequate security measures," Warner said. "An indicator that suggests that Congress must take steps to protect the privacy and security of social media users."

On Friday, the FTC did not comment on whether it was investigating Facebook over the latest breach.

Jeff Pollard, an analyst at Forrester, said the Facebook breach illustrates the dangers of entrusting so much sensitive data to a single company. Facebook will limit access to user data, he said.

"The fact that a violation in a company can have consequences for tens of millions of users is worrying. The attackers go where the data is, which made Facebook an obvious target," he said in a statement. "The main concern is that a feature of the platform has allowed hackers to collect data from tens of millions of users."
