Oct 2, 2018 - Technology

Facebook, regulators search for answers after big hack


Facebook CEO Mark Zuckerberg. Photo: Aurelien Morissard/IP3/Getty Images

Facebook, third-party apps and regulators are scrambling to figure out key details of a breach that gave hackers access to 50 million accounts — a week after it was first discovered and four days after it was revealed.

The big picture: Observers widely noted that past security failures on this scale have always ended up affecting much larger numbers of users than originally announced. Two major online services that allow users to sign in with Facebook reported no evidence of problems, but investigations are just beginning.

What happened: Hackers stole "access tokens" that gave them the ability to control 50 million accounts. It's not clear whether they used them to get into Facebook or any of the thousands of other services that take Facebook credentials.

What they’re saying:

  • A spokesperson for Tinder said the dating app “has conducted a full forensic investigation and has no evidence to suggest accounts have been accessed based on the limited information Facebook has provided.”
  • “Spotify has not experienced a security breach,” said a spokesperson for the music streaming service, which lets you log in with a Facebook account.
  • Airbnb, another major company that lets users log in with Facebook credentials, did not comment on the potential impact of the breach. Pinterest told CNN it was examining the impact on its platform.

Yes, but: Tinder's spokesperson said that "if Facebook would share the affected user lists, it would be very helpful in our investigation."

  • A Facebook spokesperson noted the company had reached out to Tinder. He also pointed Axios to exec Guy Rosen’s comments last week that developers who let users log in with their Facebook accounts would be able to detect whose access tokens had been reset in response to the breach.

Multiple Congressional committees want answers about the breach, with both the House Energy and Commerce Committee and the Senate Commerce Committee seeking staff briefings from Facebook, per aides.

  • “We’re looking at it, our staff’s been in contact with them and we’ll determine whether or not it’s something we need to have a hearing about,” said Senate Commerce Committee Chairman John Thune (R-S.D.) on Monday night, adding the breach was “pretty serious.”
  • Democratic staffers on the Senate Intelligence Committee are also interested in the breach and have spoken to Facebook about it, said a Congressional aide.
  • A Facebook spokesperson also said the company had not yet been contacted by the Federal Trade Commission about an investigation. The agency reached a settlement over privacy issues with the social giant in 2012.

The hack has also reverberated in Europe, where regulators have taken a hard line on data protection.

  • “This is really worrying news,” tweeted the European Union’s top data protection official in response to the Irish Data Protection Commission's statement that less than 10% of the 50 million affected accounts were located in the European Union, which could still amount to almost 5 million users.

What’s next: Facebook has promised to provide regulators and the public with more details. “As we work to confirm the location of those potentially affected, we plan to release further info soon,” it said in a tweet.
