FYI. From the newsobservor.com site, Facebook reported a major security breach today 9-28-18 in which 50 million user accounts were accessed by unknown attackers.
The attackers gained the ability to "seize control" of those accounts, Facebook said, by stealing digital keys the company uses to keep people logged in. Facebook has logged out owners of the 50 million affected accounts — plus another 40 million who were vulnerable to the attack. Users don't need to change their Facebook passwords, it said.
Facebook said it doesn't know who was behind the attacks or where they're based. In a call with reporters on Friday, CEO Mark Zuckerberg said that attackers would have had the ability to view private messages or post on someone's account, but there's no sign that they did.
"We do not yet know if any of the accounts were actually misused," Zuckerberg said.
Facebook shares fell $4.38, or 2.6 percent, to close at $164.46 on Friday.
The hack is the latest setback for Facebook during a tumultuous year of security problems and privacy issues. So far, though, none of that has significantly shaken the confidence of the company's 2 billion global users.
The latest attack involved bugs in Facebook's "View As" feature, which lets people see how their profiles appear to others. The attackers used that vulnerability to steal the digital keys, known as "access tokens," from the accounts of people whose profiles were plugged into the "View As" feature — and then moved along from one user's Facebook friend to another. Possession of those tokens would allow attackers to control those accounts.
One of the bugs was more than a year old and affected how the "View As" feature interacted with Facebook's video uploading feature for posting "happy birthday" messages, said Guy Rosen, Facebook's vice president of product management. But it wasn't until mid-September that Facebook noticed an uptick in unusual activity, and not until this week that it learned of the attack, Rosen said.
"We haven't yet been able to determine if there was specific targeting" of particular accounts, Rosen said in a call with reporters. "It does seem broad. And we don't yet know who was behind these attacks and where they might be based."
Neither passwords nor credit card data was stolen, Rosen said. He said the company has alerted the FBI and regulators in the United States and Europe.
Jake Williams, a security expert at Rendition Infosec, said he is concerned that the hack could have affected third-party applications.
Williams noted that the company's "Facebook Login" feature lets users log into other apps and websites with their Facebook credentials. "These access tokens that were stolen show when a user is logged into Facebook and that may be enough to access a user's account on a third party site," he said.
Facebook confirmed late Friday that third-party apps, including its own Instagram app, could have been affected.
"The vulnerability was on Facebook, but these access tokens enabled someone to use the account as if they were the account-holder themselves," Rosen said.
News broke early this year that a data analytics firm once employed by the Trump campaign, Cambridge Analytica, had improperly gained access to personal data from millions of user profiles. Then a congressional investigation found that agents from Russia and other countries have been posting fake political ads since at least 2016. In April, Zuckerberg appeared at a congressional hearing focused on Facebook's privacy practices.
The Facebook bug is reminiscent of a much larger attack on Yahoo in which attackers compromised 3 billion accounts — enough for half of the world's entire population. In the case of Yahoo, information stolen included names, email addresses, phone numbers, birthdates and security questions and answers. It was among a series of Yahoo hacks over several years.
U.S. prosecutors later blamed Russian agents for using the information they stole from Yahoo to spy on Russian journalists, U.S. and Russian government officials and employees of financial services and other private businesses.
In Facebook's case, it may be too early to know how sophisticated the attackers were and if they were connected to a nation state, said Thomas Rid, a professor at the Johns Hopkins University. Rid said it could also be spammers or criminals.
"Nothing we've seen here is so sophisticated that it requires a state actor," Rid said. "Fifty million random Facebook accounts are not interesting for any intelligence agency."
Ed Mierzwinski, the senior director of consumer advocacy group U.S. PIRG, said the breach was "very troubling."
"It's yet another warning that Congress must not enact any national data security or data breach legislation that weakens current state privacy laws, pre-empts the rights of states to pass new laws that protect their consumers better, or denies their attorneys general rights to investigate violations of or enforce those laws," he said in a statement.
Wedbush analyst Michael Pachter said "the most important point is that we found out from them," meaning Facebook, as opposed to a third party.
"As a user, I want Facebook to proactively protect my data and let me know when it's compromised," he said.
*** end of article ***
Please note that Facebook is now locking us out of the Fess Parker and Fess Parker Fan Page accounts. We don't yet know if this is related to today's security breach.
Here's another article:
Facebook is cleaning up after a major security incident exposed the account data of millions of users. In what's already been a rocky year after the Cambridge Analytica scandal, the company is scrambling to regain its users' trust after another security incident exposed user data.
Here’s everything you need to know so far.
Facebook says at least 50 million users' data were confirmed at risk after attackers exploited a vulnerability that allowed them access to personal data. The company also preventively secured 40 million additional accounts out of an abundance of caution.
What data were the hackers after?
Facebook CEO Mark Zuckerberg said that the company has not seen any accounts compromised and improperly accessed — although it’s early days and that may change. But Zuckerberg said that the attackers were using Facebook developer APIs to obtain some information, like “name, gender, and hometowns” that’s linked to a user’s profile page.
What data wasn’t taken?
Facebook said that it looks unlikely that private messages were accessed. No credit card information was taken in the breach, Facebook said. Again, that may change as the company’s investigation continues.
What’s an access token? Do I need to change my password?
When you enter your username and password on most sites and apps, including Facebook, your browser or device is issued an access token. This keeps you logged in, without you having to enter your credentials every time you return. But the token doesn't store your password, so there's no need to change your password.
Is this why Facebook logged me out of my account?
Yes, Facebook says it reset the access tokens of all users affected. That means some 90 million users will have been logged out of their account — either on their phone or computer — in the past day. This also includes users on Facebook Messenger.
When did this attack happen?
The vulnerability was introduced on the site in July 2017, but Facebook didn’t know about it until this month, on September 16, 2018, when it spotted a spike in unusual activity. That means the hackers could have had access to user data for a long time, as Facebook is not sure right now when the attack began.
Who would do this?
Facebook doesn’t know who attacked the site, but the FBI is investigating, it says.
However, Facebook has in the past found evidence of Russia's attempts to meddle in American democracy and influence our elections, but that's not to say that Russia is behind this new attack. Attribution is incredibly difficult and takes a lot of time and effort. It recently took the FBI more than two years to confirm that North Korea was behind the Sony hack in 2016, so we might be in for a long wait.
How did the attackers get in?
Not one, but three bugs led to the data exposure.
In July 2017, Facebook inadvertently introduced three vulnerabilities in its video uploader, said Guy Rosen, Facebook's vice president of product management, in a call with reporters. When using the "View As" feature to view your profile as someone else, the video uploader would occasionally appear when it shouldn't display at all. When it appeared, it generated an access token for the person the profile page was being viewed as, rather than for the viewer. If that token was obtained, an attacker could log into the account of the other person.
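To make the bug class concrete, here is a small constructed model (added here; not Facebook's code, and the names, the HMAC token format and the Session fields are all assumptions) of a preview widget that mints a token for the impersonated profile owner instead of the authenticated viewer, next to the fixed issuance and an audit check that flags the mismatch:

```python
"""Toy model of the 'View As' token-issuance flaw (constructed example)."""
import hmac
import hashlib
import secrets
from dataclasses import dataclass
from typing import Optional, Tuple

SERVER_KEY = secrets.token_bytes(32)  # constructed; real servers manage keys properly


def mint_token(user_id: str, scopes: Tuple[str, ...]) -> str:
    """Sign a token naming the user it acts for. It carries no password, which is
    why revoking tokens (not changing passwords) is the remedy described above."""
    payload = f"{user_id}|{','.join(scopes)}"
    sig = hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}|{sig}"


def token_subject(token: str) -> Optional[str]:
    """Return the user a valid token acts for, or None if the signature fails."""
    payload, _, sig = token.rpartition("|")
    expected = hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return payload.split("|")[0] if hmac.compare_digest(sig, expected) else None


@dataclass
class Session:
    user_id: str               # who actually authenticated
    view_as: Optional[str]     # profile owner being impersonated in the preview


def render_uploader_vulnerable(session: Session) -> str:
    # BUG: the widget asks "whose profile is this?" and mints a token for that
    # identity, so a viewer previewing as Bob receives a token that acts as Bob.
    owner = session.view_as or session.user_id
    return mint_token(owner, ("upload_video",))


def render_uploader_fixed(session: Session) -> Optional[str]:
    # FIX 1: never render the uploader inside a preview at all.
    if session.view_as is not None:
        return None
    # FIX 2: any token issued is bound to the authenticated principal only.
    return mint_token(session.user_id, ("upload_video",))


def audit_token_issuance(session: Session, token: str) -> bool:
    """Detection check: a token whose subject differs from the session's
    authenticated user is a confused-deputy issuance and should alert."""
    return token_subject(token) == session.user_id
```

The audit check is the kind of invariant a token-issuing service can log and alert on independently of any one feature, so a future widget with the same mistake is caught at issuance time rather than after a spike in unusual activity.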
Is the problem fixed?
Facebook says it fixed the vulnerability on September 27, and then began resetting the access tokens of people to protect the security of their accounts.
Did this affect WhatsApp and Instagram accounts?
Facebook said that it's not yet sure if Instagram accounts were affected, but they were automatically secured once Facebook access tokens were revoked. Affected Instagram users will have to unlink and relink their Facebook accounts in Instagram in order to cross-post to Facebook.
On a call with reporters, Facebook said there is no impact on WhatsApp users at all.
Will Facebook be fined or punished?
If Facebook is found to have breached European data protection rules — the newly implemented General Data Protection Regulation (GDPR) — the company can face fines of up to four percent of its global revenue.
However, that fine can’t be levied until Facebook knows more about the nature of the breach and the risk to users.
FTC Commissioner Rohit Chopra also tweeted that “I want answers” regarding the Facebook hack. It’s reasonable to assume that there could be investigators in both the U.S. and Europe to figure out what happened.