back to article Facebook: Up to 90 million addicts' accounts slurped by hackers, no thanks to crappy code

Facebook confessed today that buggy code potentially exposed all of its users' accounts to hackers over the past 14 months. It reckons miscreants snooped on least 50 million people's private profiles, and perhaps as much as 90 million. In a security note posted Friday morning, the social media giant's VP of product management …

  1. bombastic bob Silver badge
    Meh

    oh what a tangled 'web' we weave

    Facebook. that's all I need to say.

    1. Anonymous Coward
      Anonymous Coward

      'We are clear about how we use the information we collect'

      That quote about the 2FA Ads really irks me, because Facebook's chief security officer outright lied saying 'the ads were being sent out due to a bug" (Alex Stamos). And he was considered one of the good guys at Facebook before his departure... What does that say about rest of the Alan B'stards who still work there. Not much then!

      https://www.buzzfeednews.com/article/ryanmac/facebook-alex-stamos-memo-cambridge-analytica-pick-sides

    2. Anonymous Coward
      Anonymous Coward

      Re: oh what a tangled 'web' we weave

      You also know, they break the news it's 50m, and before you know it's it's 500m, but they know that because all the media have already run with the other story, very few will bother running with the update.

      Several other companies have done this recently....

      I've been Facebook free for 8 years now, and living life. I do know however, that despite me asking them to delete my data 8 years ago, they decided to hang onto it.. How do I know this. Every once in a while, I setup a fake account with no personal details whatsoever, just logging in from my home internet, and immediately, it recommends people I know to connect with. They clearly haven't deleted my data, as they have retained IP/Friend data from over 8 years ago.

      I would report them to the ICO, but they are just a big waste of space. Best just avoid the Facebook, the kings of data scumbaggery.

      1. Danny 14

        Re: oh what a tangled 'web' we weave

        im on the other side of the coin. i got locked out of FB years ago because i couldnt remember what fake date of birth i used. I still get notifications on the hotmail email address i used so its still active. I could do with logging in again to get some old chums contact details (who were also fake so i cant look them up).

        are there any lists of users vs dob's?

        1. werdsmith Silver badge

          Re: oh what a tangled 'web' we weave

          This is what puzzles me, why would hackers go to the trouble of cracking faecebook accounts when all they are likely to find is petabytes of puerile drivel from mouth-breathers.

          1. jmch Silver badge

            Re: oh what a tangled 'web' we weave

            "why would hackers go to the trouble of cracking faecebook accounts when all they are likely to find is petabytes of puerile drivel from mouth-breathers."

            they can send out very plausible messages along the lines of "hey I'm in foreign country, wallet's been stolen, could you wire me some cash"

          2. Fonant

            Re: oh what a tangled 'web' we weave

            1) To be able to use you r information for social engineering attacks, "Log in with Facebook", etc.

            2) To be able to use mass data analytics (Cambridge Analytica) to influence millions of people in an automated and targetted way to swing elections.

        2. Avatar of They
          Thumb Up

          Re: oh what a tangled 'web' we weave

          Why not find someone who is friends with your old account. Wait till it says "celebrate X's birthday" then you will know your data of birth???

      2. Anonymous Coward
        Anonymous Coward

        Re: oh what a tangled 'web' we weave

        And the next drip feed of bad news. If you used the obviously retarded Facebook login for lazy people on other sites, that's those sites compromised also...

        Your whole digital life has been raped, it's not not just Cambridge analytica that knows everything about you, the Russians do too..

        1. Nick Ryan Silver badge
          WTF?

          Re: oh what a tangled 'web' we weave

          I have never use the ridiculous "Facebook login" feature, nor the other brand alternatives, on any site. Nor would I allow a site that I own, manage or have any meaningful influence over to offer this choice either. Entrust your site security to a huge, anonymous, organisation based in a regime that has zero effective data protection laws? How about hell no?

      3. Anonymous Coward
        Anonymous Coward

        @AC Re: oh what a tangled 'web' we weave

        You admit to having a FB account.

        I only got one because it was required to do work at FB.

        I was a contractor and it wasn't my choice to go to FB.

        I deleted it within minutes of leaving... but want to bet they still capture information about me?

        Sorry, but when you're their customer and their product... never a good ending.

    3. macjules

      Re: oh what a tangled 'web' we weave

      Facebook staff said it appears no posts were made on users' behalf by the hackers, and that no credit card information was taken.

      © August 2018 British Airways. All Rights Reserved.

  2. Korev Silver badge
    Big Brother

    Has anyone been informed by FB?

    I had to relogin this morning, but haven't heard anything else from them. Has anyone been notified that their account was compromised?

    I'm pleased that I use a unique password for the site...

    1. Zippy´s Sausage Factory

      Re: Has anyone been informed by FB?

      I got a message saying my FB had probably been targeted by government-sponsored hackers and was immediately logged out and made to change my password.

      At the time I checked my login history and didn't see anything that I couldn't recognise as me, but it's possible that this was the way they got in.

    2. Anonymous Coward
      Anonymous Coward

      Re: Has anyone been informed by FB?

      I'm pleased that I use a unique password for the site...

      Whilst there will be a dollar value on hijacked accounts, I wonder if there's other information that you've provided to FB that has a dollar value to the crims?

      1. doublelayer Silver badge

        Re: Has anyone been informed by FB?

        There is absolutely such information. I don't know how much facebook divulged to these people, but they could easily have gotten post history, images uploaded, messages between people, etc. This includes data that was not public on that person's pages. It is possible that the people may have gotten more information. It is not safe to use facebook for many reasons, this being only the latest one.

        1. Anonymous Coward
          Anonymous Coward

          Re: Has anyone been informed by FB?

          Respectfully suggesting the following correction:

          It is not safe to use facebook for many reasons.

        2. TxRx
          Big Brother

          Re: Has anyone been informed by FB?

          All you need to do is hit 'download my data' into a quickly compiled zip file from their backend and you have absolutely everything, private and public, that the user has touched using their FB account.

          Crivvens knows what a fully authorised session could gain access to...

    3. Version 1.0 Silver badge

      Re: Has anyone been informed by FB?

      "I'm pleased that I use a unique password for the site"

      It doesn't help - if you use your FB account to log into other sites then they have been compromised too. Once they have to FB login token then they can access every other site that uses it.

    4. Mage Silver badge
      Coat

      Re: Has anyone been informed by FB?

      "I'm pleased that I use a unique password for the site"

      I hope you use fake person details, a fake name, and a unique to Facebook email address too.

      Also a burner anonymous SIM if you've given them a phone number.

      Also that you don't use a Facebook or related company App on your phone.

      *It's best actually to not use Facebook at all.*

      1. Anonymous Coward
        Anonymous Coward

        Re: Has anyone been informed by FB?

        I wanted to view something (a particular photograph, I think - it was a while ago!) that was only available on FB and created an account with a completely false identity, together with a disposable e-mail address, set for around six messages to actually arrive, which I promptly "bounced" in Mailwasher, as they were all trite and banal. Eventually, FB cottoned on and suspended the account, their reason being that I was not using my "real" details. That's the only contact I have ever had with FB and good riddance, I say!

      2. Anonymous Coward
        Anonymous Coward

        Re: Has anyone been informed by FB?

        It's best to not use Google at all either for reasons stated above.

    5. John Lilburne

      Re: Has anyone been informed by FB?

      "I had to relogin this morning ..."

      And you did? That was your opportunity to dump.

      it

      1. Michael H.F. Wilkinson Silver badge

        Re: Has anyone been informed by FB?

        I did get a vague message that "Your security is our greatest concern </hypocrisy>" and got logged out, but nothing to state my account was compromised. I am not terribly worried. As with all online stuff: I avoid putting anything online (even if purportedly private) that I wouldn't want others to see, don't use Facebook (or Google) to log in to anything else, and keep separate passwords for different sites. I keep in touch with some friends and colleagues on FB, I post some hobby stuff, which may be of use to those selling cookery items, astronomy and photography gear, and camping equipment, but I get plenty of adverts for those kinds of things anyway (or I did till I installed adblocker).

    6. jmch Silver badge
      Boffin

      Re: Has anyone been informed by FB?

      "I'm pleased that I use a unique password for the site"

      As I understood the information that has been made public*, the bug allowed users to generate security tokens as other users. I guess that since many people keep a FB page/tab open all the time and/or FB mobile app is 'always-om', these tokens don't expire (or at least not for a long time) and so hackers can reuse these tokens to act as the spoofed users.... BUT hackers did not actually get any passwords. That's why users were not asked to change passwords... a simple logoff/logon would invalidate the previous security token and create a new one.

      *of course there could be other things NOT made public

  3. Kaltern

    Consider what this actually means.

    'View As' exposes your account as whatever setting you want. So if you locked it down to Friends, generally speaking, you'll not be hiding very much. So ANYTHING you have on there was viewable by whoever used the correct token.

    The amount of information people put on their supposed 'safe' FB account is staggering. Dates, addresses, full names, photos of all types... Not to mention the friends list, which will show other photos of potentially 'interesting' things... which would then be ripe for leeching info from.

    This is EXACTLY the reason Facebook etc are just such a bad idea. Identity thieves will be having a field day from all this - far more valuable than just a simple debit card number...

    And what will be the result? The repercussions? The world is watching because if FB is not taken to task for this, then what's the point of GPDR and whatever other rules should apply to this...

    1. ecofeco Silver badge
      Unhappy

      History shows that the vast majority of people always have to learn the hard way.

  4. FuzzyWuzzys
    Facepalm

    They've had so many cockups, this is not news.

    Given the primary business of Facebook is collect data and hand it out willy-nilly to anyone willing to pay for it, I think the phrase "Facebook security" is the ultimate oxymoron.

    Is it really news that yet again Facebook has been compromised? They hand out any data they collect like free handjobs from a £10 dollar hooker on a street corner. They cause nothing but misery to those addicted to their mornic presence on the internet. They allow ne'er do wells to lurk in their site, uploading sh*t propaganda and images of abuse. They insert their vile hooks into websites that don't belong to them. Run by an upstart little turd who's bascially won a lottery and whom barely understands what working in the real world is, pretends to understand what people need and want.

    They're too big, too powerful and they have no comprehension of responsibility they have and the quicker the site is shut down the better off humanity will be.

    1. heyrick Silver badge

      Re: They've had so many cockups, this is not news.

      "the quicker the site is shut down the better off humanity will be"

      While morally I agree with you, if Facebook and its ilk get shut down, that means certain people at work will need to start working. Those of us that do actual work tolerate these immovable obstacles staring at social media because then they leave us the hell alone...

      1. Korev Silver badge
        Joke

        Re: They've had so many cockups, this is not news.

        >if Facebook and its ilk get shut down, that means certain people at work will need to start working.

        Nah, they'll still be on Slack

        1. adnim
          Joke

          Re: They've had so many cockups, this is not news.

          "Nah, they'll still be on Slack"

          Nope... Blocked that when MS took hold.

          Pretty soon I will have blocked all the Internet ;-)

          1. Destroy All Monsters Silver badge
            Trollface

            Re: They've had so many cockups, this is not news.

            There is a rumor that Google-issued Captchas (v3?) will demand that you have a Google Account and a reliable clickstream on file that can be distinguished from a bot. So most of the Internet will be inaccessible to reticent deplorables unwilling to share their data.

            1. Anonymous Coward
              Anonymous Coward

              "Google-issued Captchas"

              Have you ever seen the amount of information they capture from the page they are used in? It's another dirty trick by Google.

              1. Anonymous Coward
                Anonymous Coward

                Re: "Google-issued Captchas"

                I have witnessed Google's Captchas software being used by miscreants to keep web scrapers from following the many redirects that lead to fake virus warnings, fake Windows and Apple support sites that trick users into installing malicious Android apps or adware/malware for Windows and Apple products.

                I am wondering if there is analytics built into the Captcha API that phones home to Google that would have or should have alerted Google to these goings on.

                https://malware.dontneedcoffee.com/hosted/anonymous/kotd.html

              2. Mage Silver badge

                Re: "Google-issued Captchas"

                The Google Captchas ought to be illegal. Any company / person using them as a "gatekeeper" should be ashamed for coercing the public to help Google's "AI" parasitical crowdsourcing.

                "Crowdsourced steering" doesn't sound quite as appealing as "self driving."

              3. doublelayer Silver badge

                Google-issued Captchas

                I think they did that already. I notice a lot more of the message "Sorry, your computer or network is sending automated requests [it is not] so we can't handle your request [so I just give up]" when the email address isn't a gmail one. I have considered just never using such a site anymore, but that cuts out a lot of smaller sites that use it for spam prevention.

              4. bombastic bob Silver badge
                FAIL

                Re: "Google-issued Captchas"

                it suggests that using a captcha should be avoided, since you also have to enable google's stupid 3rd party scripting to make them work...

                "how many of these are [fill in the blank]" - waiting for one that uses pornography

            2. Anonymous Coward
              Anonymous Coward

              Re: They've had so many cockups, this is not news.

              You mean like you can't use facebook unless you have a phone they can contact you on during the signup... Have you tried creating anonymouse Facebook accounts recently, if you manage it, they are deleted within days. Facebook NEEDS to know everything about you.

              Even the IT crowd worked this out 10 years ago, go watch the FriendFace episode, and look how everything has turned out to be exactly like it was portrayed then. Still plenty of morons don't get it.

              No more AC...

              AC because I like being ironic...

    2. Anonymous Coward
      Mushroom

      Re: They've had so many cockups, this is not news.

      > Is it really news that yet again Facebook has been compromised? They hand out any data they collect like free handjobs from a £10 dollar hooker on a street corner.

      Exactly. And to make matters worse - if that's even possible - Facebook's main concern right now seems to be focused on managing the PR around this debacle. How do we make Mark Zuckerberg and Sheryl Sandberg come out smelling like roses from all of this?

      On top of this, they have the temerity of claiming that "the bug has been patched".

      Really? Facebook doesn't even know about the security holes lurking in their own code. They stumble upon them by happenstance. Not security research, not testing. Just panic reactions after the bug has been out in the wild for ages. That little fact alone tells me everything I need to know about their code reviews and secure coding practices.

      26-year-old geniuses. Yeah.

      Yo, Zuckerberg. Why won't you hire some greybeards? They'll teach your pimple-faced geniuses - who still enjoy living in a dorm - a thing or two about secure coding practices and hunting down possibly catastrophic bugs.

      Ooooh, I almost forgot. You stated publicly that any software engineer over 30 is just dumb.

      1. Anonymous Coward
        Anonymous Coward

        '26-year-old geniuses. Yeah'

        Yep that's the biggest Fake News of them all. The reality is Zuck & Co can't fix the problems at Facebook. They're not savants, they're just aggressive greedy a$$holes. Deeper insight here:

        https://www.bloomberg.com/view/articles/2018-09-18/mark-zuckerberg-profile-reveals-origins-of-facebook-fb-problems

        https://www.newyorker.com/magazine/2018/09/17/can-mark-zuckerberg-fix-facebook-before-it-breaks-democracy

        https://www.forbes.com/sites/parmyolson/2018/09/26/exclusive-whatsapp-cofounder-brian-acton-gives-the-inside-story-on-deletefacebook-and-why-he-left-850-million-behind

      2. Vometia Munro Silver badge

        Re: They've had so many cockups, this is not news.

        > "Ooooh, I almost forgot. You stated publicly that any software engineer over 30 is just dumb."

        That was quite... special. It has some real gems regarding his wisdom about software development. Like hiring coders in every department so they can just change random stuff on the fly: no need for any sort of planning, design, impact assessment, peer review, testing, quality control, security review, or any of that other boring crap that makes the oldies dumb, we're all such geniuses that we can change random shit on a whim with no consequences! *cough*

        1. Bruno de Florence
          IT Angle

          Re: They've had so many cockups, this is not news.

          Sounds like you're talking about the Universal Credit software, which even DWP staff have difficulties using :-)

      3. Fruit and Nutcase Silver badge
        Alert

        Re: They've had so many cockups, this is not news.

        A bit later on in the article that @ST linked above, is this from PayPal Founder Max Levchin...

        As a final word of product development advice, Levchin encouraged founders to think about the Bible’s seven deadly sins – especially greed, sloth, envy, pride and gluttony. These characteristics, he said, describe many of the primal motivations for users.

    3. Spiz

      Re: They've had so many cockups, this is not news.

      I love the sole down-voter. Made me laugh.

      Zuck, is that you?

    4. emmanuel goldstein

      Re: They've had so many cockups, this is not news.

      Technically speaking, if she is handing out free handjobs, she's not a £10 hooker.

      1. Glenturret Single Malt

        Re: They've had so many cockups, this is not news.

        It is my understanding that hooking and handjobs are two different things. Perhaps the handjob could be seen as the free try before you buy?

  5. Herring`

    Is your Facebook data vulnerable?

    9 out of 10 of users can't get 50% on this quiz

  6. Anonymous Coward
    Anonymous Coward

    Egg all over their Facebook.

  7. Robert Helpmann??
    Headmaster

    Inconceivable!

    "We are constantly improving our security and this underscores the fact that there are constant attacks," said CEO Mark Zuckerberg. "We need to keep focusing on this over time."

    He said it, but I do not think it means what you think it means. "Constantly improving" would seem to indicate that things are actually going to get better when in reality it means that while they do patch the occasional vulnerability, there are more discovered than will ever be addressed. Saying there is a need to do something doesn't mean that something will get done and it certainly doesn't mean that what gets done will have a meaningful effect.

  8. briandavies

    >>Earlier this week, it emerged Facebook was using people's cellphone numbers, provided for two-factor authentication, to target them with adverts, even though the numbers were only provided for security reasons rather than ads.<<

    Really? How surprising!

    1. FlamingDeath Silver badge

      People love money, Facebook is no different, in fact they love it even more

      Money is such a wonderful incentive, it incentives greedy little shitbags, to which there are many, to do all sorts of immoral shenanigans with little regard for consequences

      Whoever invented money literally consigned humans to extinction, and that is no hyperbole

      1. Nick Ryan Silver badge

        Of course money is important to Facebook. How does Facebook make money? Have anyone here, personally, paid any money to Facebook. They have huge storage, Internet connectivity, management and development overheads... where does the money for this come from?

        • The (information stealing) apps and the cuts on the micro-payments within these.
        • Advertising. This is very low income however when scaled out massively can still produce a good return, however untargetted advertising is nearly worthless.
        • Profiling. Profiling trends in content and topics to sell to those who are interested. Ideally entirely anonymous, however then there's the temptation to link this to the advertising and feedback loops become possible.

        Any more?

  9. adnim

    "multiple issues in our code."

    And ya fuckin ethics

    1. Destroy All Monsters Silver badge

      Re: "multiple issues in our code."

      Going fast and breaking things has its downsides.

    2. Potemkine! Silver badge

      Re: "multiple issues in our code."

      And ya fuckin ethics

      As said FB's doorman: "Sorry, Mister, ethics are not allowed here."

  10. Anonymous Coward
    Anonymous Coward

    "using people's cellphone numbers, provided for 2FA to target them with adverts"

    ....."even though the numbers were only provided for security reasons rather than ads.".....

    ____________

    And that in one sentence is why 'Acton of WhatsApp fame' bailed... Pretty good inside take on the WhatsApp founders departure below and the rise of Signal as an App. The chilling ruthlessness of Facebook is pretty clear here:

    ____________

    ....."When Acton reached Zuckerberg’s office, a Facebook lawyer was present. Acton made clear that the disagreement—Facebook wanted to make money through ads, and he wanted to make it from high-volume users—meant he could get his full allocation of stock. Facebook’s legal team disagreed, saying that WhatsApp had only been exploring monetization initiatives, not “implementing” them. Zuckerberg, for his part, had a simple message: “He was like, This is probably the last time you’ll ever talk to me.”.....

    ____________

    http://www.forbes.com/sites/parmyolson/2018/09/26/exclusive-whatsapp-cofounder-brian-acton-gives-the-inside-story-on-deletefacebook-and-why-he-left-850-million-behind/

    1. Peter X

      Re: "using people's cellphone numbers, provided for 2FA to target them with adverts"

      Another article explaining the same "Shadow Profile" thing:

      https://gizmodo.com/facebook-is-giving-advertisers-access-to-your-shadow-co-1828476051

      In case anyone isn't aware (I wasn't), where you might expect FB to allow advertisers to target people by obvious data like location, age, gender and things like "interests", they also allow advertisers to target users by their email address or phone numbers. Which means that advertising can be super-targeted... a clothes shop can target their own customers via FB with advertising in the full knowledge of what they've previously purchased.

      And like that isn't bad enough, the information that is used for targeting includes phone numbers that are supposedly only used for two-factor authentication.

      Aaand if that isn't bad enough, it can include contact details that they've skimmed from your FB-friends who have allowed FB access to their contacts.

      All this stuff is part of a "shadow profile" and they won't tell you about that or let you download it.

      This might be obvious to others, but personally, whilst I'd guessed they would build a profile that would place users in broadish categories for interests and perhaps infer a bit more data from that, I didn't know advertisers could target people so specifically. Which is really terrifying when you consider political campaigns.

      1. Anonymous Coward
        Anonymous Coward

        'I didn't know advertisers could target people so specifically'

        Makes me sad to read that @PeterX. As it means the message still isn't getting out. What you're quoting is ancient history. It started with friends / family / colleagues phone & email address phonebook uploading 'shadow profiles' ... 'Ugly Truth' memo etc.

        That progressed into firms being coerced into uploading their CRM databases to help advertising campaigns. But it was really about Facebook compiling highly accurate metadata from those databases. Much more accurate than data brokers like Experian could provide. That's why Zuck doesn't need them anymore.

        But things are far worse now... Facebook and Google have been secretly buying financial transaction history (credit-cards etc) for 2-3 years now, and matching it to offline and online activity. They're also buying up medical and patient records. On the side, insurers are now insisting on IoT feeds from fitness trackers. Who will they trade or sell that data too? The usual suspects! When combined when constant Android location tracking the metadata is immense and this is just the beginning...

        Both Facebook and Google are desperate to get into China. They want to use their infrastructure as part of China 2020 Social Credit Score. Then bring that whole dystopian nightmare back to the West. This is the stuff of 1984 meets Blakes7. Its horrific! And you've just shown that you're stuck in the Matrix and still have little idea what's really going on. Wake up Neo...

      2. fajensen
        Big Brother

        Re: "using people's cellphone numbers, provided for 2FA to target them with adverts"

        Which is really terrifying when you consider political campaigns.

        Politics is one thing, but, it is slow and inefficient; How about not bothering with the political process at all, since one could be getting a reasonable solid list of people being homos, left-wing, jewish, female + about town + muslim, not-swedish-enough - and then sending the thicko boys round to sort them out and really explain things to them!?

        All it takes, for anyone today, to run ones own private morality police service is: A FB business account, a little money, some nutters who like violence and some targeted advertising.

  11. Anonymous Coward
    Anonymous Coward

    "using people's cellphone numbers [...] to target them with adverts"

    That's why I'll never use any service that requires my phone number to be registered or login.... and of course also because I don't want to give them an almost perfect unique identifier.

    Unluckily, I can't kill the friends who let their phonebooks to be slurped.

    What do the many people here who defended the practice of asking your phone number think now?

    1. frank ly

      Re: "using people's cellphone numbers [...] to target them with adverts"

      I still have an old Nokia 6310i (a lovely phone) that I've fitted with a PAYG sim card with £10 on it. I intend to use that phone if I ever have to set up 2FA by text for anything and it will only ever be turned on for that purpose.

      (Also it has to be turned on at least every six months to make a call to my landline to keep the SIM card active. I don't have to pickup the landline for that to work. That's a calendar event with an alert to remind me every four months.)

      1. ivan5

        Re: "using people's cellphone numbers [...] to target them with adverts"

        I intend to use that phone if I ever have to set up 2FA by text for anything and it will only ever be turned on for that purpose.

        I already have a throwaway Android phone used for that and it is only switched on when I need to use 2FS, cost €2 a month. The phone can also be used as an emergency phone if necessary.

  12. ma1010
    Pirate

    GDPR violation?

    Earlier this week, it emerged Facebook was using people's cellphone numbers, provided for two-factor authentication, to target them with adverts, even though the numbers were only provided for security reasons rather than ads.

    If this is true, it sounds like a massive GDPR violation to me, although I'm no lawyer, so I could be wrong.

    If it is a violation, I'm hoping some folks in Europe manage to get a big GDPR case going against FB. Four percent of their global turnover would amount to quite a bill! And they so richly deserve every penny of it.

    Icon 'cause FB (and just about every other big corporation) have about the same scruples as Blackbeard. If only there were some sort of regulation of these rapacious corporations here in America!

    1. heyrick Silver badge

      Re: GDPR violation?

      "If only there were some sort of regulation of these rapacious corporations here in America!"

      Corporations manipulatelobby democracypoliticians to ensure that such a thing won't happen.

    2. Anonymous Coward
      Anonymous Coward

      Re: GDPR violation?

      If only there were some sort of regulation of these rapacious corporations here in America!

      Both the State of California and the United States Congress are working on legislation that implements GDPR-like privacy protections for U.S. citizens. The current thinking is that the tough California legislation (which passed and will go into effect in 2020) will be superseded by toothless federal legislation that is bought and paid for by your friendly, neighborhood Google and Facebook.

      1. Anonymous Coward
        Anonymous Coward

        'superseded by toothless federal legislation that is bought and paid for by ... Google & Facebook'

        Its hard to argue against that because Govt is fundamentally divided in their loyalties. Right now they're looking at China 2020 'Social-Credit-Score' and thinking... Wow - that looks useful...

        Have an activist / protestor / human-rights reporter in your family or circle of friends? Your score suffers. You can't take a flight, get into university, get a job, get a date. That's population control. Embarrassing public officials or calling out corruption?

        Never again! Meanwhile in the west Facebook & Google are buying up everything, including medical / patient / health and banking & credit-card transactions... And Insurers are now insisting on IoT live-feeds. See where this is all going???

    3. Anonymous Coward
      Anonymous Coward

      Re: GDPR violation?

      I think GDPR is one of the reasons, if not the main one, while this has been published quickly enough... but a breach is not automatically a GDPR violation that brings a massive fine. Still, if an investigation discovers behaviours that violated it, then fines could come...

  13. J. Cook Silver badge

    ... and that's why I call it failbook. Absolutely no surprise here.

    1. Anonymous Coward
      Anonymous Coward

      Nah. Graham Linehan nailed it perfectly a decade ago; Friendface - it’s a diseased face of friendship!

    2. Jaspa

      Prefer Farcebook.

  14. Brian Miller

    50 million "snooped", so??

    What in the world are people putting up on Facebook that is so important?? "Oh, a bot came by and made a copy of my Facebook info." Hello, it's a service for the technically inept to fill with garbage. "Me am got computer, haz keyboard, make typing."

    Privacy != Facebook. If something is private, then you are supposed to keep it off of a public service. "Private" means "this data has been generated in hardware, and cannot be extracted even by de-lidding the chip."

    1. Mark 85

      Re: 50 million "snooped", so??

      As I understand it, it may not be just bots. Several friends have complained that there's fake accounts for them that look exactly like the page they made. Complaining to FB just gets them being forced to send in "official" ID and a demand for more personal info. The paranoid in some us has to wonder if this is a random crim or FB is doing it to collect more data.

    2. Anonymous Coward
      Anonymous Coward

      'What in the world are people putting up on Facebook that is so important?'

      Facepalm! The stolen tokens also allow attackers access to 3rd-Party accounts (see below). So there's a major security issue here alongside all the privacy aspects. Some users will have leaked posts or embarrassing or comprising pics etc that were hidden, but can now be used for full-on extortion.

      So this is a huge issue, far bigger than the political interference angle of Cambridge-Analytica/Palantir etc. And you've just shown you're part of the whole problem because you don't get it, or are just underestimating it... Anyone in your circle you've given advice to, seriously needs to do their own research!

      ----------

      "Facebook has confirmed to reporters that the breach would allow hackers to log in to other accounts that use Facebook's system, of which there are many. This means other major sites, such as AirBnB and Tinder, may also be affected."

      ----------

      https://www.bbc.co.uk/news/technology-45686890

  15. Anonymous Coward
    Anonymous Coward

    Who is going to buy Facebook user information?

    Lets face it, the users don't care about privacy anyway so are probably duplicated in every other breach.

  16. razorfishsl

    Yep... only 50 million users, just a small amount.

  17. Wellyboot Silver badge

    Only & Appears

    Only 50 million directly affected = nearly 1/6 of all Americans or all of Belgium, Greece, Portugal, Sweden & Austria combined.

    Appears that no credit card information was taken - so they don't actually know?

    I hope the devil has a special place just for PR types.

  18. corestore

    Needs more clarity...

    How does this interact with 2FA? Is that still secure, if it's turned on?

    Presumably any attempt to actually *use* these access tokens would generate a 'new login from unknown device' warning from FB? I certainly always see that when I try to login from a device I haven't used before. Is that warning a default, or something you have to set up when you configure security? I can't recall.

  19. pɹɐʍoɔ snoɯʎuouɐ

    how many times must it be said that you don't put anything on the internet you don't want to be public. forget privacy settings, just assume everything is there for the world and his wife to read.

    and in the case of facebook in particular, with all the shit flinging done about it, you must have been living under a penis shaped rock on Mars for the last 2 years if you were not aware that all your supposed private information was public, add to that the fact that mankind does not currently have the technology to put man beyond low earth orbit, there is no excuse for not being aware that Facebook security is a joke.

    simple. Just assume every bit of information you put on the internet is public.

  20. Anonymous Coward
    Anonymous Coward

    But wait - there’s more!

    ”In effect, every single Facebook user account was wide open to being hacked, although the Silicon Valley goliath estimated that "only" 50 million accounts were, in the words of a spokesperson, "directly affected." “

    What’s that, the ‘pull numbers out of a hat’ school of security breach PR’?

    I’d take bets that in a couple of weeks they’ll take a leaf out of Yahoo’s book and mysteriously ‘discover’ the problem is much much bigger than stated, neatly bypassing the GDPR rules on disclosing breaches promptly and avoiding the shareholder upsetting fines. They can round it off by pointing the finger at the fiendish Norks and telling us all they take the security of user data very seriously.

    1. Anonymous Coward
      Anonymous Coward

      'in a couple of weeks they’ll take a leaf out of Yahoo’s book'

      I hope GDPR has a pro-rated fine system to motivate firms to fess up early with accurate and not just massaged numbers.

  21. handle handle

    info wars

    Me thinks Google found a way to suck info from Facebook.

  22. Anonymous South African Coward Bronze badge

    Patch one bug and create a couple of other fun bugs in the process.

    Evil laughter. Muhuhahaha.

  23. 5p0ng3b0b
    Thumb Up

    Data Slurping Company's Data Gets Slurped

    Using the vuln to delete accounts or data rather than just slurping would have done more damage. All the culprits managed to achieve is wipe a few pennys off the share value and given the FB legal team more job security. FB still has the data of these 50m users (which will probably pay any losses incurred and still make a profit) and has now closed the vuln.

    50m is only 0.0022421524663677% of 2.23bn so maybe a more parallel attack and process the profile id number in random order next time to delay the detection!

    Let the dawn of API injection vulns commence!

    1. doublelayer Silver badge

      Re: Data Slurping Company's Data Gets Slurped

      WRONG.

      "50m is only 0.0022421524663677% of 2.23bn so [...]"

      5.7e7/2.23e9 = 0.02242152466367713

      0.02242152466367713 = 2.242152466367713%

      And the detection wasn't based on sequential accesses; we don't know in what order, if any, the accounts were accessed. The thing that tipped them off was the quantity of accesses, so the perpetrators could have gotten more data by slowing it down, potentially evading facebook security forever.

      Also, the people didn't break in with the intention of taking facebook down. They wanted the data, and they got it. We don't yet know what they're going to do with it, but the results were intended to be and will be problematic for the users, not facebook.

  24. Spasticus Autisticus

    To my shame, I have a FB account. I haven't used it for ages and haven't agreed to the new terms post GDPR, so its sort of dormant.

    What I'd like to do is delete my FB account but first have FB give me ALL the info they have on me. I've never given them my mobile number but suspect they have it. FB is almost certain to have more info about me then shows on my account which I can delete (deletefacebook).

    Is there somewhere that details how to go about getting FB to tell me everything they hold on me? I know it would be pretty much impossible to know they have complied but I would at least like to try.

    1. Anonymous Coward
      Anonymous Coward

      >Is there somewhere that details how to go about getting FB to tell me everything they hold on me?

      https://www.facebook.com/help/930396167085762

      I did that and deleted my account. Not looked at it admittedly, but nice to have.

      1. werdsmith Silver badge

        This is my shame. I did this some years ago and discovered that my phone contacts had been uploaded to Faecebook. I apologised to all my contacts and closed the account. Too late though.

        So it's worth knowing that whilst you may avoid faecebook you can still be shat on and let down by any so called friends that still have an account and feed the depraved animal.

        Lucky that I only know one die-hard user who is still defiantly fucking the rest of us over. It's easy to get rid of faecebook and you won't miss it. There is always a much better way to do whatever you think you need it for if you are not a lazy-arsed bastard.

    2. Wayland

      Spasticus,

      Deleting FB account is not as easy as you think. Just as deleting a file is really just de-listing it from the directory it's the same with FB. Then when you finally want to scrub it off their system they are suddenly unsure it's really you and need you to register your phone and other methods of ID.

  25. Velv
    Boffin

    Facebook @ Work

    I wonder if the same issue could potentially have been open on Workplace (Facebook collaboration for companies). How many businesses could have had data stolen that’s not just kitten videos and people’s lunch pictures?

    https://www.facebook.com/workplace/case-studies

    1. Destroy All Monsters Silver badge

      Re: Facebook @ Work

      As Mr. White says in Reservoir Dogs:

      "A lot"

  26. CrysTalK
    Childcatcher

    'View As' Could be an intentional feature

    That feature could've been intentional for TLA's so agents can access anybody's private account, even if said agents were deployed overseas.

    If not for TLA's and secret agencies, then maybe that feature was given to big corps who wanted some private data of FB users.

    Just patched by FB when that Taiwanese guy claimed he would delete the FB account of Zuckerberg in a live stream.

    That's why it's not good to put backdoors, as claimed by most tech gurus, be it hardware or software because sooner or later someone will discover those backdoors. Ok, as usual, just claim it was a bug and not an intentional feature.

  27. WibbleMe

    Also in other news, hacker website publishes links to 1 trillion cat photos

  28. Anonymous Coward
    Anonymous Coward

    A challenge for The Register

    Get rid of all the share buttons on your pages, starting with the Facebook one. Otherwise you’re part of the problem.

    1. Anonymous Coward
      Anonymous Coward

      Re: A challenge for The Register

      Upvoted.

      I don't see those share buttons thanks to uBlock Origin but this also has the detrimental effect of denying El Reg ad revenue.

      I'd happily pay to read if you'd let me El Reg.

      You could leave an ad supported non subscribed option to keep the scummy ad revenue.

  29. Anonymous Coward
    Anonymous Coward

    Hey Facebook

    Suffer in ya jocks!

  30. 89724102172714182892114I7551670349743096734346773478647892349863592355648544996312855148587659264921

    Facebook hires great hacker talent, too talented for a f*ckup like this. Data on 50+ Million Facebook users is a heck of a lot more valuable than a measly little bug bounty. This stinks of an inside job.

  31. Destroy All Monsters Silver badge

    "used Facebook to authenticate the hacked users... oops!"

    No I finally know what "use Facebook to login" is good for.

    Absolutely nothing.

  32. Winkypop Silver badge
    Devil

    That horse, it bolted from the stable

    It went that a way....

    And that....

    And that....

    And that....

    And that....

    And that....

    And that....

    And that....

    And that....

    ...

  33. Anonymous Coward
    Anonymous Coward

    >It reckons miscreants snooped on least 50 million people's private profiles, and perhaps as much as 90 million.

    As many?

  34. tiggity Silver badge

    Hard to avoid FB slurpage

    I'm not on FB (no surprise there)

    But difficult to stop others, who are on there, posting information about you (including images), sharing their contacts and so publishing your phone number.

    Fortunately SO is also not on FB, so has number of my second SIM, that I don't make available to general data spilling friends.

    Does not stop my "main" number getting owned by FB, but does mean I have a "private" number.

    Biggest irony is that (ex directory) landline number is private as everyone we know only has mobile number, nobody asks for (or is given) landline (bar "need to know" people such as bank, solicitor)

  35. Wolfclaw
    FAIL

    I can hear the chanting in the backgrond ... GDPR FINE ... GDPR FINE and the EU beaucrats lining up to spend the billions !

    GDPR been waiitng for the first of the big boys to royally screw up, now time for the 2-4% annual global turnover, even the mighty Zuck who knows nothing and sees the world through his rose tinted FB VR goggles, must be crapping his pants !

  36. Bruno de Florence

    It's I.T., but not as we know it, Jim.

  37. Sidney FFF

    No logout for me?

    I've certainly used the "View As" feature in the last year and wasn't logged out by Facebook.

  38. steviebuk Silver badge

    I don't...

    ....dislike Facebook itself. It's a system, it's useful for some people (family members keeping in touch with people across the world) and from a programming point of view having done a little years ago and being shit, it amazes me how complex these systems get, but I choose not to use it in the normal sense of use it.

    I used to use Friends Reunited before Facebook become so big. I hated how people from school on there were the same knobs they were in school. I also hated how narcissistic it seemed to make people. Have avoided it ever since. I now only use it when a site insists the only way you can login with them or post comments is via a Facebook account so then a dummy one gets created & used.

    I understand they should be keeping everyone's data private etc. but the service is free, people choose to use it. I bet loads of the users that currently use it would stop if it suddenly introduced a subscription model. But I guess all users do have a right to moan when Facebook is only worth what it's worth because of all it's users, free or not.

    I'm surprised Zuckerberg is still even there. With all that money I'd just get out while you still can before it all comes crashing down like MySpace. And I just couldn't be arsed with the aggro. But then that's probably also why I'd never succeed in business.

    1. Wayland

      Re: I don't...

      "I'm surprised Zuckerberg is still even there. With all that money I'd just get out while you still can before it all comes crashing down like MySpace. And I just couldn't be arsed with the aggro. But then that's probably also why I'd never succeed in business.

      "

      Exactly. You've gotta be a bit power hungry to want to keep doing that work.

      I think the current big boys are arranging legislation to prevent upstarts and so they can carry on with impunity no matter how crap they become.

      1. JDX Gold badge

        Re: I don't...

        I thought Zuck was a proper nerd who would be bored by all the business stuff and would sell out. But then Bill Gates was a proper nerd and he stayed for decades.

        It's easy to ascribe power hunger but I don't know either got into IT for that purpose. Perhaps they both share the same sense of genuinely caring and thinking what their companies do is important. Gates always seemed pretty passionate.

  39. JDX Gold badge

    Imagine being the one who figures it out

    Facebook spotted the hole after it noted a suspicious "spike" in user activity on Tuesday. The attack was "fairly large scale," it admitted, and when it investigated the cause, it discovered hackers were using the site's API to automate the process of grabbing users' profile information.

    I'm sure many of us have had on a much smaller scale has an "oh crap" moment (formatting the wrong drive, etc, etc). But the process from seeing that spike to figuring out what is happening must involve a pretty substantial sinking feeling!

  40. Mattt
    Facepalm

    Possibly exploitable before July?

    I was one of the "lucky" few who had their accounts hacked. I took a look in the "Logins and Logouts" section of the Activity Log (which is buried about 6 clicks deep) and spotted that there had been lots of logOUTs from China, Adis Ababa, Russia, Vietnam, etc. since June and possibly earlier (no data before the end of May because, GDPR). No logins from these locations at all, so I received no warnings - presumably Facebook only checks for suspicious logins only (and warns if the appropriate setting is enabled) and ignores logouts altogether, so I was none the wiser.

    Has anyone else spotted the same pattern in their Facebook login/logout history? Curious to know if anyone else had this activity prior to July.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like