Facebook hack exposed 50 million users' info -- and accounts on other sites

Posted: Sep 28, 2018 10:04 PM
Updated: Sep 28, 2018 10:04 PM

An attack on Facebook exposed information on nearly 50 million of the social network's users, the company announced Friday -- and gave the attackers access to those users' accounts with other sites and apps that they logged into using Facebook.

The attackers exploited a bug in a feature called "View As" that lets users see their Facebook page the way someone else would. The attackers were able to take over the accounts and use them exactly as if they were the account holders. That would include posting or viewing information shared by any of that account's friends. Facebook says no credit card information stored with the company was accessed.

Facebook said it does not know who the attackers were or where they were based. It also said it has already fixed the issue and informed the FBI and other law enforcement, as well as lawmakers and regulators. It has also informed the Irish Data Protection Commission about the breach, a step required by Europe's GDPR regulations. The commission said it received the notification, but expressed concern with its timing and lack of detail.

More than 90 million users were forcibly logged out of their accounts by Facebook and had to log back in on Friday for security reasons. The accounts of Facebook CEO Mark Zuckerberg and COO Sheryl Sandberg were among the 90 million accounts forcibly logged out by Facebook.

Users do not need to take any additional security precautions or reset their passwords, said Facebook. All logged-out users will receive a notification about the issue from Facebook, but it won't tell them if they were in the group of 50 million impacted or the 40 million included as a precaution.

The attackers would have also been able to access third-party services or sites accessed with a Facebook login, Facebook's Guy Rosen said in a follow-up call with reporters on Friday, though it is not yet clear if they did so. It could have also impacted Instagram accounts that use the same login as Facebook, but Rosen said WhatsApp, which is also owned by Facebook, was not impacted. The company declined to confirm if this was the largest hack it has experienced to date.

The company says it does not know if the affected accounts were misused in any way or if any user information was actually accessed. It has not determined if any specific locations or accounts were targeted. It has turned off the "View As" feature that the attackers exploited while it investigates.

"From experience, breach notifications like this always tend to get worse as time goes on and information from investigations is shared with the public," said Jessy Irwin, the head of security at cybersecurity firm Tendermint. "There's not much that is public about how those [linked] accounts are impacted, but this seems to go much deeper into Facebook's entire ecosystem than Cambridge Analytica did."

Facebook says the vulnerability is the result of three distinct bugs, and originally appeared in July 2017 when the company made a change to a video uploading feature. The company first detected some unusual activity -- a spike in user access to the site -- on September 16, 2018. It launched an investigation and uncovered this attack on Tuesday, September 25. On Wednesday it notified law enforcement and on Thursday evening it fixed the vulnerability and began resetting login tokens, according to Facebook.

The attackers stole Facebook "access tokens," which keep a person logged into their Facebook account over long periods of time so they don't have to keep signing in. Facebook reset all 50 million tokens, as well as tokens for an additional 40 million people who had used the "View As" feature in the past year as a "precautionary step." The reset also unlinked accounts like Instagram and Oculus, both of which are owned by Facebook, which users will need to relink.

"The reality here is we face constant attacks from people who want to take over accounts or steal information.... we need to do more to prevent this from happening in the first place," CEO Mark Zuckerberg said during a call with reporters shortly after the announcement.

The announcement is the latest issue for the company, which has struggled with security breaches, privacy issues and misinformation in recent years. Facebook says it is investing heavily in security going forward, and increasing the number of people working on security from 10,000 to 20,000.

"Security is an arms race and we're continuing to improve our defenses," said Zuckerberg.

-- CNN's Donie O'Sullivan and Sara O'Brien contributed reporting.
