Facebook Update on the Security Issue

Brink

Administrator
Staff member
Local time
1:00 AM
Messages
74,928
Location
Oklahoma
We have been working around the clock to investigate the security issue we discovered and fixed two weeks ago so we can help people understand what information the attackers may have accessed. Today, we’re sharing details about the attack we’ve found that exploited this vulnerability. We have not ruled out the possibility of smaller-scale attacks, which we’re continuing to investigate.

As we’ve said, the attackers exploited a vulnerability in Facebook’s code that existed between July 2017 and September 2018. The vulnerability was the result of a complex interaction of three distinct software bugs and it impacted “View As,” a feature that lets people see what their own profile looks like to someone else. It allowed attackers to steal Facebook access tokens, which they could then use to take over people’s accounts. Access tokens are the equivalent of digital keys that keep people logged in to Facebook so they don’t need to re-enter their password every time they use the app.

Here’s how we found the attack that exploited this vulnerability. We saw an unusual spike of activity that began on September 14, 2018, and we started an investigation. On September 25, we determined this was actually an attack and identified the vulnerability. Within two days, we closed the vulnerability, stopped the attack, and secured people’s accounts by resetting the access tokens for people who were potentially exposed. As a precaution, we also turned off “View As.” We’re cooperating with the FBI, which is actively investigating and asked us not to discuss who may be behind this attack.

We now know that fewer people were impacted than we originally thought. Of the 50 million people whose access tokens we believed were affected, about 30 million actually had their tokens stolen. Here’s how it happened:
First, the attackers already controlled a set of accounts, which were connected to Facebook friends. They used an automated technique to move from account to account so they could steal the access tokens of those friends, and for friends of those friends, and so on, totaling about 400,000 people. In the process, however, this technique automatically loaded those accounts’ Facebook profiles, mirroring what these 400,000 people would have seen when looking at their own profiles. That includes posts on their timelines, their lists of friends, Groups they are members of, and the names of recent Messenger conversations. Message content was not available to the attackers, with one exception. If a person in this group was a Page admin whose Page had received a message from someone on Facebook, the content of that message was available to the attackers.

The attackers used a portion of these 400,000 people’s lists of friends to steal access tokens for about 30 million people. For 15 million people, attackers accessed two sets of information – name and contact details (phone number, email, or both, depending on what people had on their profiles). For 14 million people, the attackers accessed the same two sets of information, as well as other details people had on their profiles. This included username, gender, locale/language, relationship status, religion, hometown, self-reported current city, birthdate, device types used to access Facebook, education, work, the last 10 places they checked into or were tagged in, website, people or Pages they follow, and the 15 most recent searches. For 1 million people, the attackers did not access any information.

People can check whether they were affected by visiting our Help Center. In the coming days, we’ll send customized messages to the 30 million people affected to explain what information the attackers might have accessed, as well as steps they can take to help protect themselves, including from suspicious emails, text messages, or calls.

mocks2.png


Customized messages that people will see depending on how they were impacted.

This attack did not include Messenger, Messenger Kids, Instagram, WhatsApp, Oculus, Workplace, Pages, payments, third-party apps, or advertising or developer accounts. As we look for other ways the people behind this attack used Facebook, as well as the possibility of smaller-scale attacks, we’ll continue to cooperate with the FBI, the US Federal Trade Commission, Irish Data Protection Commission, and other authorities.


Source: An Update on the Security Issue | Facebook Newsroom
 

My Computer My Computer

At a glance

64-bit Windows 11 Pro for WorkstationsIntel i7-8700K OC'd to 5 GHz64 GB (4x16GB) G.SKILL TridentZ RGB DDR4 3600...ASUS ROG-STRIX-GTX1080TI-O11G-GAMING
Computer type
PC/Desktop
Computer Manufacturer/Model Number
Self built custom
OS
64-bit Windows 11 Pro for Workstations
CPU
Intel i7-8700K OC'd to 5 GHz
Motherboard
ASUS ROG Maximus XI Formula Z390
Memory
64 GB (4x16GB) G.SKILL TridentZ RGB DDR4 3600 MHz
Graphics Card(s)
ASUS ROG-STRIX-GTX1080TI-O11G-GAMING
Sound Card
Integrated
Monitor(s) Displays
2 x Samsung Odyssey G7 27"
Screen Resolution
2560x1440
Hard Drives
1TB Samsung 990 PRO M.2,
4TB Samsung 990 PRO PRO M.2,
TerraMaster F8 SSD Plus NAS
PSU
Seasonic Prime Titanium 850W
Case
Thermaltake Core P3
Cooling
Corsair Hydro H115i
Keyboard
Logitech wireless K800
Mouse
Logitech MX Master 4
Internet Speed
2 Gb/s Download and 100 Mb/s Upload
Antivirus
Malwarebyte Anti-Malware Premium
Browser
Google Chrome
Other Info
Logitech Z625 speaker system,
Logitech BRIO 4K Pro webcam,
HP Color LaserJet Pro MFP M477fdn,
APC SMART-UPS RT 1000 XL - SURT1000XLI,
Galaxy S23 Plus phone
They never talk about the "elephant in the room" - Facebook is continually getting ever more of your personal data. For me, that is a major security breach.
 

My Computer My Computer

At a glance

Linux Mint 18.2 xfce 64-bit (VMWare host) / W...Haswell4 GB
Computer type
PC/Desktop
Computer Manufacturer/Model Number
Dell
OS
Linux Mint 18.2 xfce 64-bit (VMWare host) / Windows 8.1 Pro 32-bit (VMWare guest)
CPU
Haswell
Memory
4 GB
Monitor(s) Displays
Acer 23"
Screen Resolution
1920 x 1080
Hard Drives
Two hard drives, 1TB each: One for Linux, one for my data.
Keyboard
IBM Model M
Antivirus
Sophos (Linux), Trend Micro (Windows)
Browser
Firefox, Opera
Other Info
I use Samba to share my data drive with the other computers at my house and with my guest session in VMWare Workstation Player.
If I'm reading this right the hackers created multiple accounts and friended everyone they could and those are the victims. I went to the link and it said that based on what they know I wasn't impacted. I'm not a friend collector. I have 32 friends and I know all of them personally (most are family). On top of that I have friend requests restricted to friends of friends rather than the general public. Maybe others should take a lesson from this. Know all of your friends and verify their account before friending them. When one of my friends created a second account I didn't accept the request until I verified that it was her. Call me paranoid but that worked out in my favor.
 

My Computers My Computers

  • At a glance

    Windows 7 pro/Windows 10 ProIntel i7 860 Quad core 2.8 ghz8 gbATI Radeon HD 5770 1 gb ram
    Computer type
    PC/Desktop
    Computer Manufacturer/Model Number
    HP Pavillion Elite HPE-250f
    OS
    Windows 7 pro/Windows 10 Pro
    CPU
    Intel i7 860 Quad core 2.8 ghz
    Memory
    8 gb
    Graphics Card(s)
    ATI Radeon HD 5770 1 gb ram
    Monitor(s) Displays
    Alienware 25 AW2521HF & Viewsonic
    Screen Resolution
    1920 x1080 & 1680x1050
    Hard Drives
    WD blue 1 tb & 500 gb.
    Browser
    FF of course.
    Other Info
    https://www.bestbuy.com/site/hp-pavilion-elite-desktop-intel-core-i7-processor-8gb-memory-1tb-hard-drive/9921493.p?skuId=9921493
  • At a glance

    Windows 2012 R2 Data center/Linux Minti3 9100 3.6GHz, 8M cache, 4C/4T8GB 2666MT/s DDR4 ECC UDIMM
    Computer type
    PC/Desktop
    System Manufacturer/Model Number
    Dell Poweredge T140
    OS
    Windows 2012 R2 Data center/Linux Mint
    CPU
    i3 9100 3.6GHz, 8M cache, 4C/4T
    Memory
    8GB 2666MT/s DDR4 ECC UDIMM
    Monitor(s) Displays
    Viewsonic
    Screen Resolution
    1680x1050
    Hard Drives
    1 TB & 750 GB
    Other Info
    https://www.dell.com/en-us/work/shop/productdetailstxn/poweredge-t140?~ck=bt
That doesn't sound paranoid to me at all. When I did have a Facebook account, I didn't add any random people to my account. If I got a friend request and didn't know them I just deleted it.

Really don't see the point in adding people I don't know. But I guess that's modern life, and how people "socialise" these days. I personally have no interest in strangers posting selfies of themselves 50 times a day, or posting photos of their lunch.

If you're using it as a business account I can see the appeal. It's a good way to advertise your business these days. But, I've never really understood adding loads of random people to a personal account. Each to their own though.
 

My Computer My Computer

At a glance

Win 7 Ultimate, Win 8.1 Pro, Linux Mint 19 Ci...Intel i5 4690KCorsair Vengeance LP 32GB DDR3MSI GTX 1060 GAMING X 6GB
Computer type
PC/Desktop
Computer Manufacturer/Model Number
Custom Build
OS
Win 7 Ultimate, Win 8.1 Pro, Linux Mint 19 Cinnamon (All 64-Bit)
CPU
Intel i5 4690K
Motherboard
Gigabyte Z97X-UD3H
Memory
Corsair Vengeance LP 32GB DDR3
Graphics Card(s)
MSI GTX 1060 GAMING X 6GB
Sound Card
Onboard
Hard Drives
Samsung 850 EVO 250GB SSD (x2)
Samsung 860 EVO 1TB SSD (x2)
Crucial MX300 525GB SSD
WD Blue 2TB 5400rpm Intellipark Disabled (x2)
PSU
Corsair HX750i
Case
Phanteks Enthoo Pro
Cooling
CM Hyper 212 EVO on CPU, Noctua Redux NF-P14S 1500rpm (x6)
Keyboard
Corsair K70 RGB LUX
Mouse
Corsair Sabre RGB
Antivirus
Avast Free, MalwareBytes, SAS & CryptoPrevent
Browser
Chrome
Other Info
StarTech PEXESAT322I 2 Port PCI-E SATA Card
ASUS PCE-AC56 Dual-band AC1300 Wireless Card
Akasa FC.Six Manual Fan Controller
And a Partridge in a Pear Tree!
Back
Top