Facebook: Up to 90 million addicts' accounts slurped by hackers, no thanks to crappy code

Facebook confessed today that buggy code potentially exposed all of its users' accounts to hackers over the past 14 months. It reckons miscreants snooped on at least 50 million people's private profiles, and perhaps as many as 90 million. In a security note posted Friday morning, the social media giant's VP of product management …


  1. bombastic bob Silver badge
    Meh

    oh what a tangled 'web' we weave

    Facebook. that's all I need to say.

    1. Anonymous Coward
      Anonymous Coward

      'We are clear about how we use the information we collect'

      That quote about the 2FA ads really irks me, because Facebook's chief security officer outright lied, saying "the ads were being sent out due to a bug" (Alex Stamos). And he was considered one of the good guys at Facebook before his departure... What does that say about the rest of the Alan B'stards who still work there? Not much then!

      https://www.buzzfeednews.com/article/ryanmac/facebook-alex-stamos-memo-cambridge-analytica-pick-sides

    2. Anonymous Coward
      Anonymous Coward

      Re: oh what a tangled 'web' we weave

      You also know, they break the news it's 50m, and before you know it, it's 500m, but they know that because all the media have already run with the other story, very few will bother running with the update.

      Several other companies have done this recently....

      I've been Facebook free for 8 years now, and living life. I do know however, that despite me asking them to delete my data 8 years ago, they decided to hang onto it. How do I know this? Every once in a while, I set up a fake account with no personal details whatsoever, just logging in from my home internet, and immediately it recommends people I know to connect with. They clearly haven't deleted my data, as they have retained IP/friend data from over 8 years ago.

      I would report them to the ICO, but they are just a big waste of space. Best just avoid the Facebook, the kings of data scumbaggery.

      1. Danny 14 Silver badge

        Re: oh what a tangled 'web' we weave

        I'm on the other side of the coin. I got locked out of FB years ago because I couldn't remember what fake date of birth I used. I still get notifications on the Hotmail email address I used, so it's still active. I could do with logging in again to get some old chums' contact details (who were also fake, so I can't look them up).

        Are there any lists of users vs DOBs?

        1. werdsmith Silver badge

          Re: oh what a tangled 'web' we weave

          This is what puzzles me, why would hackers go to the trouble of cracking faecebook accounts when all they are likely to find is petabytes of puerile drivel from mouth-breathers.

          1. jmch Silver badge

            Re: oh what a tangled 'web' we weave

            "why would hackers go to the trouble of cracking faecebook accounts when all they are likely to find is petabytes of puerile drivel from mouth-breathers."

            they can send out very plausible messages along the lines of "hey I'm in foreign country, wallet's been stolen, could you wire me some cash"

          2. Fonant

            Re: oh what a tangled 'web' we weave

            1) To be able to use your information for social engineering attacks, "Log in with Facebook", etc.

            2) To be able to use mass data analytics (Cambridge Analytica) to influence millions of people in an automated and targeted way to swing elections.

        2. Avatar of They Silver badge
          Thumb Up

          Re: oh what a tangled 'web' we weave

          Why not find someone who is friends with your old account. Wait till it says "celebrate X's birthday", then you will know your date of birth???

      2. Anonymous Coward
        Anonymous Coward

        Re: oh what a tangled 'web' we weave

        And the next drip feed of bad news. If you used the obviously retarded Facebook login for lazy people on other sites, that's those sites compromised also...

        Your whole digital life has been raped, it's not just Cambridge Analytica that knows everything about you, the Russians do too..

        1. Nick Ryan Silver badge
          WTF?

          Re: oh what a tangled 'web' we weave

          I have never used the ridiculous "Facebook login" feature, nor the other brand alternatives, on any site. Nor would I allow a site that I own, manage or have any meaningful influence over to offer this choice either. Entrust your site security to a huge, anonymous organisation based in a regime that has zero effective data protection laws? How about hell no?

      3. Anonymous Coward
        Anonymous Coward

        @AC Re: oh what a tangled 'web' we weave

        You admit to having a FB account.

        I only got one because it was required to do work at FB.

        I was a contractor and it wasn't my choice to go to FB.

        I deleted it within minutes of leaving... but want to bet they still capture information about me?

        Sorry, but when you're their customer and their product... never a good ending.

    3. macjules Silver badge

      Re: oh what a tangled 'web' we weave

      Facebook staff said it appears no posts were made on users' behalf by the hackers, and that no credit card information was taken.

      © August 2018 British Airways. All Rights Reserved.

  2. Korev Silver badge
    Big Brother

    Has anyone been informed by FB?

    I had to relogin this morning, but haven't heard anything else from them. Has anyone been notified that their account was compromised?

    I'm pleased that I use a unique password for the site...

    1. Zippy´s Sausage Factory

      Re: Has anyone been informed by FB?

      I got a message saying my FB had probably been targeted by government-sponsored hackers and was immediately logged out and made to change my password.

      At the time I checked my login history and didn't see anything that I couldn't recognise as me, but it's possible that this was the way they got in.

    2. Anonymous Coward
      Anonymous Coward

      Re: Has anyone been informed by FB?

      I'm pleased that I use a unique password for the site...

      Whilst there will be a dollar value on hijacked accounts, I wonder if there's other information that you've provided to FB that has a dollar value to the crims?

      1. doublelayer Silver badge

        Re: Has anyone been informed by FB?

        There is absolutely such information. I don't know how much facebook divulged to these people, but they could easily have gotten post history, images uploaded, messages between people, etc. This includes data that was not public on that person's pages. It is possible that the people may have gotten more information. It is not safe to use facebook for many reasons, this being only the latest one.

        1. Anonymous Coward
          Anonymous Coward

          Re: Has anyone been informed by FB?

          Respectfully suggesting the following correction:

          It is not safe to use facebook for many reasons.

        2. TxRx
          Big Brother

          Re: Has anyone been informed by FB?

          All you need to do is hit 'download my data' into a quickly compiled zip file from their backend and you have absolutely everything, private and public, that the user has touched using their FB account.

          Crivvens knows what a fully authorised session could gain access to...

    3. Version 1.0 Silver badge

      Re: Has anyone been informed by FB?

      "I'm pleased that I use a unique password for the site"

      It doesn't help - if you use your FB account to log into other sites then they have been compromised too. Once they have the FB login token then they can access every other site that uses it.

    4. Mage Silver badge
      Coat

      Re: Has anyone been informed by FB?

      "I'm pleased that I use a unique password for the site"

      I hope you use fake person details, a fake name, and a unique to Facebook email address too.

      Also a burner anonymous SIM if you've given them a phone number.

      Also that you don't use a Facebook or related company App on your phone.

      *It's best actually to not use Facebook at all.*

      1. Anonymous Coward
        Anonymous Coward

        Re: Has anyone been informed by FB?

        I wanted to view something (a particular photograph, I think - it was a while ago!) that was only available on FB and created an account with a completely false identity, together with a disposable e-mail address, set for around six messages to actually arrive, which I promptly "bounced" in Mailwasher, as they were all trite and banal. Eventually, FB cottoned on and suspended the account, their reason being that I was not using my "real" details. That's the only contact I have ever had with FB and good riddance, I say!

      2. Anonymous Coward
        Anonymous Coward

        Re: Has anyone been informed by FB?

        It's best to not use Google at all either for reasons stated above.

    5. John Lilburne Silver badge

      Re: Has anyone been informed by FB?

      "I had to relogin this morning ..."

      And you did? That was your opportunity to dump it.

      1. Michael H.F. Wilkinson Silver badge

        Re: Has anyone been informed by FB?

        I did get a vague message that "Your security is our greatest concern </hypocrisy>" and got logged out, but nothing to state my account was compromised. I am not terribly worried. As with all online stuff: I avoid putting anything online (even if purportedly private) that I wouldn't want others to see, don't use Facebook (or Google) to log in to anything else, and keep separate passwords for different sites. I keep in touch with some friends and colleagues on FB, I post some hobby stuff, which may be of use to those selling cookery items, astronomy and photography gear, and camping equipment, but I get plenty of adverts for those kinds of things anyway (or I did till I installed adblocker).

    6. jmch Silver badge
      Boffin

      Re: Has anyone been informed by FB?

      "I'm pleased that I use a unique password for the site"

      As I understood the information that has been made public*, the bug allowed users to generate security tokens as other users. I guess that since many people keep a FB page/tab open all the time and/or the FB mobile app is 'always-on', these tokens don't expire (or at least not for a long time) and so hackers can reuse these tokens to act as the spoofed users.... BUT hackers did not actually get any passwords. That's why users were not asked to change passwords... a simple logoff/logon would invalidate the previous security token and create a new one.

      *of course there could be other things NOT made public
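Added example, not code from Facebook or from any commenter in this thread: a toy token service that shows the mechanics jmch describes and the checks a practitioner would want around them. Tokens are signed and carry the subject they speak for, an audience (the app they were issued to), an expiry and a per-user "session generation". The app ids, signing key, 60-day lifetime and fixed clock are assumptions. The walkthrough in `demo()` shows that a token minted for the victim is accepted as the victim, that the same token is refused by a partner site that checks the audience (the "Log in with Facebook" worry raised earlier in the thread), that a copy with the subject rewritten fails the signature check, and that a "log out everywhere" which bumps the generation kills the stolen token while a fresh login works again.

```python
import base64
import hashlib
import hmac
import json

# Assumption: a single server-side HMAC key stands in for whatever the real
# issuer uses; the point is the checks, not the token format.
SIGNING_KEY = b"demo-only-signing-key"

FB_APP = "facebook-web"          # assumed app id: the social site itself
PARTNER_APP = "partner-site"     # assumed app id: a site using "Log in with ..."


class TokenService:
    """Issues and validates bearer tokens bound to a subject and an audience.

    Each user has a 'session generation'. Every token records the generation
    current at issue time; bumping the generation (log out everywhere) makes
    all earlier tokens for that user fail validation without any blacklist.
    """

    def __init__(self, now=1_538_000_000):
        self.now = now            # fixed clock keeps the demo deterministic
        self.generation = {}      # subject -> current session generation

    def issue(self, subject, app_id, ttl=60 * 24 * 3600):
        payload = {
            "sub": subject,
            "aud": app_id,
            "gen": self.generation.get(subject, 0),
            "exp": self.now + ttl,   # assumed 60-day lifetime
        }
        body = base64.urlsafe_b64encode(
            json.dumps(payload, sort_keys=True).encode()).decode()
        sig = hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).hexdigest()
        return f"{body}.{sig}"

    def validate(self, token, expected_app):
        """Return the subject the token speaks for, or None if it must be refused."""
        parts = token.split(".")
        if len(parts) != 2:
            return None
        body, sig = parts
        expected = hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, sig):
            return None               # forged or tampered
        payload = json.loads(base64.urlsafe_b64decode(body))
        if payload["exp"] <= self.now:
            return None               # expired
        if payload["aud"] != expected_app:
            return None               # issued for a different relying party
        if payload["gen"] != self.generation.get(payload["sub"], 0):
            return None               # user has logged out everywhere since
        return payload["sub"]

    def logout_everywhere(self, subject):
        """Revoke every live token for the user by bumping the generation."""
        self.generation[subject] = self.generation.get(subject, 0) + 1


def retarget(token, new_subject):
    """Attacker's attempt: rewrite the subject but keep the original signature."""
    body, sig = token.split(".")
    payload = json.loads(base64.urlsafe_b64decode(body))
    payload["sub"] = new_subject
    new_body = base64.urlsafe_b64encode(
        json.dumps(payload, sort_keys=True).encode()).decode()
    return f"{new_body}.{sig}"


def demo():
    """Walk through the scenario the comment describes; returns the outcomes."""
    svc = TokenService()
    # Constructed scenario: the issuer is tricked into minting a token whose
    # subject is the victim, and the attacker walks off with it.
    stolen = svc.issue("victim", FB_APP)
    results = {
        # 1. Valid signature, unexpired, right audience: the site accepts it
        #    and the attacker acts as the victim.
        "stolen_token_works": svc.validate(stolen, FB_APP) == "victim",
        # 2. The same token presented to a partner site that checks the
        #    audience is refused, even though it is otherwise valid.
        "reused_at_partner": svc.validate(stolen, PARTNER_APP),
        # 3. A copy with the subject rewritten fails the signature check.
        "tampered": svc.validate(retarget(stolen, "someone-else"), FB_APP),
    }
    # 4. The victim is logged out of all sessions: the stolen token dies ...
    svc.logout_everywhere("victim")
    results["stolen_after_logout"] = svc.validate(stolen, FB_APP)
    # ... and a fresh login yields a token that works again.
    fresh = svc.issue("victim", FB_APP)
    results["fresh_after_login"] = svc.validate(fresh, FB_APP)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The generation counter is the piece to note: it lets "log out everywhere" invalidate every outstanding token for one user with a single write, without the server keeping a list of issued tokens, and it is what makes the forced re-login described in this thread effective against a stolen token. The audience check is the part a relying party controls: a token that is genuine but was issued to a different app should be refused, not trusted because the signature is good.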

  3. Kaltern

    Consider what this actually means.

    'View As' exposes your account as whatever setting you want. So if you locked it down to Friends, generally speaking, you'll not be hiding very much. So ANYTHING you have on there was viewable by whoever used the correct token.

    The amount of information people put on their supposed 'safe' FB account is staggering. Dates, addresses, full names, photos of all types... Not to mention the friends list, which will show other photos of potentially 'interesting' things... which would then be ripe for leeching info from.

    This is EXACTLY the reason Facebook etc are just such a bad idea. Identity thieves will be having a field day from all this - far more valuable than just a simple debit card number...

    And what will be the result? The repercussions? The world is watching, because if FB is not taken to task for this, then what's the point of GDPR and whatever other rules should apply to this...

    1. ecofeco Silver badge
      Unhappy

      History shows that the vast majority of people always have to learn the hard way.

  4. FuzzyWuzzys Silver badge
    Facepalm

    They've had so many cockups, this is not news.

    Given the primary business of Facebook is collect data and hand it out willy-nilly to anyone willing to pay for it, I think the phrase "Facebook security" is the ultimate oxymoron.

    Is it really news that yet again Facebook has been compromised? They hand out any data they collect like free handjobs from a £10 dollar hooker on a street corner. They cause nothing but misery to those addicted to their moronic presence on the internet. They allow ne'er-do-wells to lurk in their site, uploading sh*t propaganda and images of abuse. They insert their vile hooks into websites that don't belong to them. Run by an upstart little turd who's basically won a lottery and who barely understands what working in the real world is, and pretends to understand what people need and want.

    They're too big, too powerful and they have no comprehension of responsibility they have and the quicker the site is shut down the better off humanity will be.

    1. heyrick Silver badge

      Re: They've had so many cockups, this is not news.

      "the quicker the site is shut down the better off humanity will be"

      While morally I agree with you, if Facebook and its ilk get shut down, that means certain people at work will need to start working. Those of us that do actual work tolerate these immovable obstacles staring at social media because then they leave us the hell alone...

      1. Korev Silver badge
        Joke

        Re: They've had so many cockups, this is not news.

        >if Facebook and its ilk get shut down, that means certain people at work will need to start working.

        Nah, they'll still be on Slack

        1. adnim Silver badge
          Joke

          Re: They've had so many cockups, this is not news.

          "Nah, they'll still be on Slack"

          Nope... Blocked that when MS took hold.

          Pretty soon I will have blocked all the Internet ;-)

          1. Destroy All Monsters Silver badge
            Trollface

            Re: They've had so many cockups, this is not news.

            There is a rumor that Google-issued Captchas (v3?) will demand that you have a Google Account and a reliable clickstream on file that can be distinguished from a bot. So most of the Internet will be inaccessible to reticent deplorables unwilling to share their data.

            1. LDS Silver badge

              "Google-issued Captchas"

              Have you ever seen the amount of information they capture from the page they are used in? It's another dirty trick by Google.

              1. Anonymous Coward
                Anonymous Coward

                Re: "Google-issued Captchas"

                I have witnessed Google's Captchas software being used by miscreants to keep web scrapers from following the many redirects that lead to fake virus warnings, fake Windows and Apple support sites that trick users into installing malicious Android apps or adware/malware for Windows and Apple products.

                I am wondering if there is analytics built into the Captcha API that phones home to Google that would have or should have alerted Google to these goings on.

                https://malware.dontneedcoffee.com/hosted/anonymous/kotd.html

              2. Mage Silver badge

                Re: "Google-issued Captchas"

                The Google Captchas ought to be illegal. Any company / person using them as a "gatekeeper" should be ashamed for coercing the public to help Google's "AI" parasitical crowdsourcing.

                "Crowdsourced steering" doesn't sound quite as appealing as "self driving."

              3. doublelayer Silver badge

                Google-issued Captchas

                I think they did that already. I notice a lot more of the message "Sorry, your computer or network is sending automated requests [it is not] so we can't handle your request [so I just give up]" when the email address isn't a gmail one. I have considered just never using such a site anymore, but that cuts out a lot of smaller sites that use it for spam prevention.

              4. bombastic bob Silver badge
                FAIL

                Re: "Google-issued Captchas"

                It suggests that using a captcha should be avoided, since you also have to enable Google's stupid 3rd party scripting to make them work...

                "how many of these are [fill in the blank]" - waiting for one that uses pornography

            2. Anonymous Coward
              Anonymous Coward

              Re: They've had so many cockups, this is not news.

              You mean like you can't use Facebook unless you have a phone they can contact you on during the signup... Have you tried creating anonymous Facebook accounts recently? If you manage it, they are deleted within days. Facebook NEEDS to know everything about you.

              Even the IT crowd worked this out 10 years ago, go watch the FriendFace episode, and look how everything has turned out to be exactly like it was portrayed then. Still plenty of morons don't get it.

              No more AC...

              AC because I like being ironic...

    2. ST Silver badge
      Mushroom

      Re: They've had so many cockups, this is not news.

      > Is it really news that yet again Facebook has been compromised? They hand out any data they collect like free handjobs from a £10 dollar hooker on a street corner.

      Exactly. And to make matters worse - if that's even possible - Facebook's main concern right now seems to be focused on managing the PR around this debacle. How do we make Mark Zuckerberg and Sheryl Sandberg come out smelling like roses from all of this?

      On top of this, they have the temerity of claiming that "the bug has been patched".

      Really? Facebook doesn't even know about the security holes lurking in their own code. They stumble upon them by happenstance. Not security research, not testing. Just panic reactions after the bug has been out in the wild for ages. That little fact alone tells me everything I need to know about their code reviews and secure coding practices.

      26-year-old geniuses. Yeah.

      Yo, Zuckerberg. Why won't you hire some greybeards? They'll teach your pimple-faced geniuses - who still enjoy living in a dorm - a thing or two about secure coding practices and hunting down possibly catastrophic bugs.

      Ooooh, I almost forgot. You stated publicly that any software engineer over 30 is just dumb.

      1. Anonymous Coward
        Anonymous Coward

        '26-year-old geniuses. Yeah'

        Yep that's the biggest Fake News of them all. The reality is Zuck & Co can't fix the problems at Facebook. They're not savants, they're just aggressive greedy a$$holes. Deeper insight here:

        https://www.bloomberg.com/view/articles/2018-09-18/mark-zuckerberg-profile-reveals-origins-of-facebook-fb-problems

        https://www.newyorker.com/magazine/2018/09/17/can-mark-zuckerberg-fix-facebook-before-it-breaks-democracy

        https://www.forbes.com/sites/parmyolson/2018/09/26/exclusive-whatsapp-cofounder-brian-acton-gives-the-inside-story-on-deletefacebook-and-why-he-left-850-million-behind

      2. Vometia Munro

        Re: They've had so many cockups, this is not news.

        > "Ooooh, I almost forgot. You stated publicly that any software engineer over 30 is just dumb."

        That was quite... special. It has some real gems regarding his wisdom about software development. Like hiring coders in every department so they can just change random stuff on the fly: no need for any sort of planning, design, impact assessment, peer review, testing, quality control, security review, or any of that other boring crap that makes the oldies dumb, we're all such geniuses that we can change random shit on a whim with no consequences! *cough*

        1. Bruno de Florence
          IT Angle

          Re: They've had so many cockups, this is not news.

          Sounds like you're talking about the Universal Credit software, which even DWP staff have difficulties using :-)

      3. Fruit and Nutcase Silver badge
        Alert

        Re: They've had so many cockups, this is not news.

        A bit later on in the article that @ST linked above, is this from PayPal Founder Max Levchin...

        As a final word of product development advice, Levchin encouraged founders to think about the Bible’s seven deadly sins – especially greed, sloth, envy, pride and gluttony. These characteristics, he said, describe many of the primal motivations for users.

    3. Spiz

      Re: They've had so many cockups, this is not news.

      I love the sole down-voter. Made me laugh.

      Zuck, is that you?

    4. emmanuel goldstein

      Re: They've had so many cockups, this is not news.

      Technically speaking, if she is handing out free handjobs, she's not a £10 hooker.

      1. Glenturret Single Malt

        Re: They've had so many cockups, this is not news.

        It is my understanding that hooking and handjobs are two different things. Perhaps the handjob could be seen as the free try before you buy?

  5. Herring`

    Is your Facebook data vulnerable?

    9 out of 10 users can't get 50% on this quiz

  6. Anonymous Coward
    Anonymous Coward

    Egg all over their Facebook.

  7. Robert Helpmann?? Silver badge
    Headmaster

    Inconceivable!

    "We are constantly improving our security and this underscores the fact that there are constant attacks," said CEO Mark Zuckerberg. "We need to keep focusing on this over time."

    He said it, but I do not think it means what you think it means. "Constantly improving" would seem to indicate that things are actually going to get better when in reality it means that while they do patch the occasional vulnerability, there are more discovered than will ever be addressed. Saying there is a need to do something doesn't mean that something will get done and it certainly doesn't mean that what gets done will have a meaningful effect.

  8. briandavies

    >>Earlier this week, it emerged Facebook was using people's cellphone numbers, provided for two-factor authentication, to target them with adverts, even though the numbers were only provided for security reasons rather than ads.<<

    Really? How surprising!


Biting the hand that feeds IT © 1998–2019