Facebook now says data breach affected 29 million users, details impact
Saturday October 13, 2018
"The bottom line is that all this data is still out there,” said Corey Milligan, a senior researcher with cyber-security firm Armor Inc.
Facebook Vice President Guy Rosen told reporters that the U.S. Federal Bureau of Investigation has asked the company to limit descriptions of the attackers due to an ongoing inquiry.
Rosen revealed that while the attackers' intent has not been determined, they did not appear to be motivated by the upcoming U.S. mid-term Congressional election on Nov. 6.
He said the attack affected a "broad" spectrum of users, but declined to break down the number affected by country.
Facebook said it was continuing to investigate whether the attackers took actions beyond stealing data, such as posting from accounts, but had not found additional misuse.
Hackers did not steal personal messages or financial data and did not use their access to accounts to access users' accounts on other websites, Facebook said.
A FOCUS ON TRUST
The company previously warned that profits would suffer because of breach-related expenses.
The vulnerability the hackers exploited existed from July 2017 through late last month, when Facebook noticed an unusual increase in the use of its "view as" feature.
That feature allows users to check privacy settings by glimpsing what their profile looks like to others. But three errors in Facebook's software enabled someone accessing "view as" to post and browse from the Facebook account of the other user.
The attackers used the "view as" flaw with "a small handful" of accounts they controlled to capture data of their Facebook friends, then used a tool they developed to breach friends of friends and beyond, Rosen said.
Facebook patched the issue last month and asked 90 million users to log back into their accounts, many just as a precaution.
Security experts have said Facebook's initial breach disclosure arrived earlier than it likely would have prior to the enactment in May of the European Union's General Data Protection Regulation, which mandates notification within 72 hours of learning of a compromise.
Facebook's lead EU data regulator, the Irish data protection commissioner, last week opened an investigation into the breach. Authorities in other jurisdictions including the U.S. states of Connecticut and New York are also looking into the attack.
Regulators around the world have ongoing inquiries into another matter that came to light in March: How profile details from 87 million Facebook users were improperly accessed by political data firm Cambridge Analytica.
Japan's Personal Information Protection Commission (JPPC) has launched an investigation into the social media company, the Nikkei newspaper reported on Friday.
"We are working with local regulators including JPPC about data breach," the company said in an emailed statement. Facebook has about 28 million people active in a month in Japan.
Facebook now says data breach affected 29 million users, details impact
Cyber attackers stole data from 29 million Facebook accounts using an automated program that moved from one friend to the next, Facebook Inc (FB.O) announced on Friday, as the social media company said its largest-ever data theft hit fewer than the 5