Facebook logs out 90 million people after security breach

Hackers stole information that could have allowed them to take over 50 million user accounts.

By Brian Fung / The Washington Post

Facebook said Friday that hackers had stolen information that could have allowed them to take over 50 million user accounts, in the latest mishap for the social media company, which has spent months struggling to regain the confidence of policymakers and the public.

The company said that as many as 90 million Facebook users — out of a total of 2.2 billion — will have to log back into their accounts as a result of the breach. Notifications will appear at the top of the Facebook news feed for the 50 million users who were directly affected, executives said on a call with reporters.

The hackers were able to gain access to profile information, such as users’ names, hometowns and genders, Facebook said. It is possible they could have had access to more information, but Facebook said its investigation is in the early stages. No credit card information was exposed, Facebook executives said, and so far there is no evidence the attackers sought to access private messages or post fraudulent messages from the accounts.

“This is a serious issue and we’re committed to addressing it,” said Facebook chief executive Mark Zuckerberg. “This underscores that there are constant attacks from people who are trying to take over accounts or steal information from people in our community.”

Facebook discovered the breach on Tuesday after noticing a spike in user activity on Sept. 16., which prompted engineers to investigate further. They soon found three interlocking bugs on Facebook’s website that attackers had been using to gain access to accounts.

The attackers exploited Facebook’s systems through a flaw in the company’s “View As” feature, the company said, which allows a Facebook user to view his or her own profile as somebody else might see it.

Embedded in the “View As” feature was a video uploader that was incorrectly generating security tokens – pieces of code that, under normal circumstances, are designed to let a user remain logged in even after navigating away from Facebook’s website.

The incident prompted Facebook to disable the “View As” feature for the time being, and users are not being asked to change their passwords. The company has not determined who is responsible for the attack.

“People’s privacy and security is incredibly important, and we’re sorry this happened,” Facebook said in a blog post. It’s why we’ve taken immediate action to secure these accounts and let users know what happened.”

The company said that the security issue was patched Thursday night. Facebook’s stock dropped more than 3 percent following the news.

The disclosure adds to a brutal year for Facebook, which is still grappling with the fallout from its Cambridge Analytica fiasco and the prospect of new regulations or legislation in Washington that could target tech companies. Zuckerberg and his top lieutenants have been summoned repeatedly to Capitol Hill to answer for their company’s role in spreading misinformation and hate speech online.

Sen. Mark Warner, D-Va., the ranking member of the Senate Intelligence Committee, called the breach “deeply concerning” and called for a full investigation.

“This is another sobering indicator that Congress needs to step up and take action to protect the privacy and security of social media users,” said Warner. “As I’ve said before – the era of the Wild West in social media is over.”

Other lawmakers on Wednesday grilled representatives from Google, Twitter and a number of telecom companies on their approach to user privacy, in some cases demanding commitments to concrete proposals such as a requirement that companies disclose data breaches within 72 hours of discovery. The companies largely balked at discussing specifics, instead pledging to work with the Senate Commerce Committee to craft a comprehensive national privacy law.

Meanwhile, tech companies such as Facebook face growing scrutiny by state and federal law enforcement who are exploring whether to invoke antitrust law against some of the industry’s practices. The Federal Trade Commission has held a series of hearings on the issue, and the Justice Department this week met with numerous state attorneys general to discuss Silicon Valley’s handling of user data.

The meeting opened the door to a possible multi-state probe into the tech industry even as federal officials weigh whether they have the resources to mount an antitrust effort. On Friday, the Justice Department’s antitrust chief, Makan Delrahim, said he was receptive to complaints about tech companies but that regulators lack “credible evidence” to build an antitrust case. In the United States, antitrust lawsuits typically require regulators to marshal enough economic data to persuade a judge that competition has been harmed by a company’s actions.

Facebook on Wednesday notified federal authorities as well as European data security officials of the security incident, but on Friday the company declined to say whether it has reached out to other law enforcement agencies.

Ireland’s Data Protection Commission — the watchdog charged with monitoring compliance with GDPR, the European Union’s new data privacy law — said in a statement Friday that Facebook’s disclosure “lacks detail” and that it was pushing the company to reveal more as a “matter of urgency.” Violations of GDPR can carry enormous penalties: Up to 4 percent of a company’s annual revenue.

Talk to us

More in Herald Business Journal

Demolition of the YMCA in downtown continues on Tuesday, April 13, 2021 in Everett, Wa. (Olivia Vanni / The Herald)
Apartments will rise from the site of the former YMCA annex

In all, 260 units are planned for the downtown Everett site. The older brick building will remain.

Signs from the Department of Ecology warning about contamination in the creek that runs through Powder Mill Gulch on Wednesday, March 31, 2021 in Everett, Wa. (Olivia Vanni / The Herald)
State order targets Boeing Everett plant’s polluted history

Records show a dispute over cleanup requirements for chemically tainted water. The company denies there’s a disagreement.

FILE - In this Oct. 1, 2020 file photo, traffic passes the Boeing airplane production plant, in Everett, Wash.  U.S. manufacturers expanded in March 2021 at the fastest pace in 37 years, a sign of strengthening demand as the pandemic wanes and government emergency aid flows through the economy.  (AP Photo/Elaine Thompson, file)
Boeing sees uptick in airplane orders as travel picks up

The company in April delivered 19 Maxes, three 737s for military use and seven larger widebody planes.

FILE- In this Sept. 30, 2020, file photo, a Boeing 737 Max jet, piloted by Federal Aviation Administration (FAA) chief Steve Dickson, prepares to land at Boeing Field following a test flight in Seattle. Boeing says it has informed 16 of its customers that they should address a possible electrical issue in certain 737 Max aircraft before using them further. Boeing said Friday, April 9, 2021, that the recommendation was made “to allow for verification that a sufficient ground path exists for a component of the electrical power system.” (AP Photo/Elaine Thompson, File)
Boeing: possible electrical issue in some 737 Max aircraft

The company said that the new problem was unrelated to the flight-control system.

The 214-foot tall cranes work to unload their first cargo shipments at South Terminal at the Port of Everett on Thursday, April 8, 2021 in Everett, Wa. (Olivia Vanni / The Herald)
Renovated Port of Everett terminal gets first cargo customer

The 655-foot Westwood Columbia is the first ship to call at the newly upgraded South Terminal dock.

Project Roxy is a proposed 2.8 million square foot distribution center that would be built on a 75-acre parcel at the Cascade Industrial Center. The rendering depicts the proposed project at 4620 172nd Street in Arlington from a northwest perspective.
1,000 jobs: Amazon to open distribution center in Arlington

The company is the tenant behind Project Roxy, a $355 million building at the Cascade Industrial Center.

Edmonds grocery store workers may soon earn hazard pay

Some employers are required to increase wages by $4 an hour, the city council voted Tuesday.

Aerospace supplier with Everett site files for bankruptcy

Wichita-based TECT Aerospace filed for Chapter 11 and plans to sell an Everett manufacturing facility.

Washington's Lottery ticket display. (Andrea Brown / The Herald)
Want to get lucky? Washington’s Lottery lists Top 10 stores

One of the luckiest retailers in the state was a Safeway in Everett, as measured by $1,000-plus winners.

What local firms are doing to promote diversity and equity

Here’s how some of Snohomish County’s biggest companies and organizations say they are making a difference.

Garry Clark, the new CEO of Economic Alliance Snohomish County (Kevin Clark / The Herald)
At a tough time, a new CEO leads local economic development

Garry Clark has taken the helm at Economic Alliance Snohomish County, where job one is pandemic recovery.

Kathy Coffey (left) and Courtney Wooten
Leadership Snohomish County offers racial equity conference

The fifth annual day-long Step Up: Moving Racial Equity Forward will be held online on April 30.