NEW YORK, NY – On Friday, September 28, 2018, Facebook said that an attack on its computer network had affected the personal information of nearly 50 million users.
The attackers exploited the “View As” feature, which lets users see their Facebook page the way someone else would. This could allow the attackers to take over Facebook accounts. Facebook has fixed this issue and informed law enforcement. The company does not know whether the affected accounts were misused or whether user information was actually accessed.
Facebook is expected to double the number of employees who are working to improve security from 10,000 to 20,000 by the end of the year.
I asked Facebook how sophisticated the hackers were and whether this could be nation-state activity. Rosen says attack was “complex” and leveraged three multiple bugs that interacted together. “We may never know” the identity of the hackers, Rosen adds.
— Dustin Volz (@dnvolz) September 28, 2018
UPDATE 10/04/2018: Facebook has fixed this issue and informed law enforcement. Although it is not known when cyber criminals first discovered the vulnerability, it had been live for fourteen months. Facebook does not know if the affected accounts were misused or if user information was actually accessed. Updated information has come out since the breach was first announced: a spokesperson stated that Facebook Login, which allows users to access other popular sites with their Facebook profile, was also affected by this vulnerability. This means the attackers potentially had access to affected users’ accounts on sites that use the Facebook Login feature.