Facebook now says data breach affected 29 million users, details impact
[October 13, 2018]
By Munsif Vengattil and Paresh Dave
(Reuters) - Cyber attackers stole data from
29 million Facebook accounts using an automated program that moved from
one friend to the next, Facebook Inc <FB.O> announced on Friday, as the
social media company said its largest-ever data theft hit fewer than the
50 million profiles it initially reported.
The company said it would message affected users over the coming days to
tell them what type of information had been accessed in the attack.
The breach has left users more vulnerable to targeted phishing attacks
and could deepen unease about posting to a service whose privacy,
moderation and security practices have been called into question by a
series of scandals, cybersecurity experts and financial analysts said.
The attackers took profile details such as birth dates, employers,
education history, religious preference, types of devices used, pages
followed and recent searches and location check-ins from 14 million
users.
For the other 15 million users, the breach was restricted to name and
contact details. In addition, attackers could see the posts and lists of
friends and groups of about 400,000 users.
Lawmakers and investors have grown more concerned that Facebook is not
doing enough to safeguard data.
The company's shares rose 0.25 percent on Friday as Wall Street
rebounded after a six-day losing streak. The Nasdaq composite index
gained 2.29 percent.
Facebook cut the number of affected users from its original estimate
after investigators reviewed activity on accounts that may have been
affected. Still, cyber security experts warned that attackers could use
stolen information in targeted phishing scams.
“The bottom line is that all this data is still out there,” said Corey
Milligan, a senior researcher with cyber-security firm Armor Inc.
Facebook Vice President Guy Rosen told reporters that the U.S. Federal
Bureau of Investigation has asked the company to limit descriptions of
the attackers due to an ongoing inquiry.
Rosen revealed that while the attackers' intent has not been determined,
they did not appear to be motivated by the upcoming U.S. mid-term
Congressional election on Nov. 6.
He said the attack affected a "broad" spectrum of users, but declined to
break down the number affected by country.
Facebook said it was continuing to investigate whether the attackers
took actions beyond stealing data, such as posting from accounts, but
had not found additional misuse.
Hackers did not steal personal messages or financial data and did not
use their access to accounts to access users' accounts on other
websites, Facebook said.
Figurines are seen in front of the Facebook logo in this
illustration taken March 20, 2018. REUTERS/Dado Ruvic
A FOCUS ON TRUST
Rosen said the company would "do everything we can to earn users' trust."
The company previously warned that profits would suffer because of
breach-related expenses.
The vulnerability the hackers exploited existed from July 2017 through late last
month, when Facebook noticed an unusual increase in the use of its "view as"
feature.
That feature allows users to check privacy settings by glimpsing what their
profile looks like to others. But three errors in Facebook's software enabled
someone accessing "view as" to post and browse from the Facebook account of the
other user.
The attackers used the "view as" flaw with "a small handful" of accounts they
controlled to capture data of their Facebook friends, then used a tool they
developed to breach friends of friends and beyond, Rosen said.
Facebook patched the issue last month and asked 90 million users to log back
into their accounts, many just as a precaution.
Security experts have said Facebook's initial breach disclosure arrived earlier
than it likely would have prior to the enactment in May of the European Union's
General Data Protection Regulation, which mandates notification within 72 hours
of learning of a compromise.
Facebook's lead EU data regulator, the Irish data protection commissioner, last
week opened an investigation into the breach. Authorities in other jurisdictions
including the U.S. states of Connecticut and New York are also looking into the
attack.
Regulators around the world have ongoing inquiries into another matter that came
to light in March: How profile details from 87 million Facebook users were
improperly accessed by political data firm Cambridge Analytica.
Japan's Personal Information Protection Commission (JPPC) has launched an
investigation into the social media company, the Nikkei newspaper reported on
Friday.
"We are working with local regulators including JPPC about data breach," the
company said in an emailed statement. Facebook has about 28 million people
active in a month in Japan.
(Reporting by Munsif Vengattil in Bengaluru and Paresh Dave in San Francisco;
additional reporting by Akanksha Rana and Vibhuti Sharma in Bengaluru, Jim
Finkle in New York and Joseph Menn in San Francisco; editing by Jim Finkle,
David Gregorio and Leslie Adler)
[© 2018 Thomson Reuters. All rights reserved. This material may not be published,
broadcast, rewritten or redistributed.]
Thomson Reuters is solely responsible for this content.