Sep 29, 2018

Security breach is new ground for Facebook

Facebook crossed into new territory on Friday as it publicly disclosed a massive security breach that gave away the keys to as many as 50 million Facebook user accounts — just months after CEO Mark Zuckerberg said such an event had never occurred on its platform.

Why it matters: The Cambridge Analytica scandal was about gaming Facebook’s systems to scrape user data. This is something different: what looks like the biggest intrusion taking advantage of flaws in Facebook’s code since the social network was created on Harvard’s campus in 2004.

Flashback: At a Senate hearing earlier this year, Sen. Cory Gardner asked Zuckerberg if Facebook had ever been hacked.

Gardner: "Have those hacks ever accessed user data?"
Zuckerberg: "I don't believe so."

That changed midday Friday, when Facebook staffers disclosed in a hastily assembled call with reporters that bugs had allowed hackers to obtain "access tokens" — which would let them effectively take over an account — for 50 million accounts.

  • Another 40 million users saw their accounts flagged because they had been subject to an internal lookup used in the hack.
  • Facebook says it doesn't know yet whether or how the access tokens were used, but if they were used, they provided full access to the account and its data.
  • The bugs have been in place since July 2017, and Facebook says it won't know more about the timing of the activity until it completes an internal investigation.

It became clear later on Friday that the breach would have an impact beyond Facebook. On a second press call, the company revealed that if a user's account was compromised, the same access would be available to any other services a user accessed by logging in with Facebook.

  • A wide variety of popular apps — including Tinder and Spotify — allow users to log in with a Facebook account.
  • Facebook said it had reached out to major third-party apps that let users log in with Facebook accounts about the breach.

The other coast: Policymakers called for investigations into the breach.

  • “I’m alarmed by today’s news of another breach,” said Democratic Federal Trade Commission member Rohit Chopra. “The cost of inaction is growing and we need answers.”
  • The agency, which is controlled by a Republican majority, declined to comment.
  • Democratic lawmakers also called for some kind of investigation.

The bottom line: Millions of Facebook users are learning that someone, for an undetermined amount of time, was able to see everything they see when they log into Facebook, and potentially other services, too. That's uncharted ground for the social network.
