Facebook reveals sophisticated hacking attack, no data compromised
Facebook said it had been the target of an unidentified hacker group, but it found no evidence that user data was compromised.
“Last month, Facebook security discovered that our systems had been targeted in a sophisticated attack,” the company said in a blog post posted on Friday afternoon, just before the three-day Presidents Day weekend. “The attack occurred when a handful of employees visited a mobile developer website that was compromised.”
The social network, which says it has more than one billion active users worldwide, also said: “Facebook was not alone in this attack. It is clear that others were attacked and infiltrated recently as well.”
Facebook declined to comment on the motive or origin of the attack.
A security expert at another company with knowledge of the matter said he was told the Facebook attack appeared to have originated in China.
The FBI declined to comment, while the Department of Homeland Security did not immediately return a call seeking comment.
Facebook’s announcement follows recent cyber attacks on other prominent websites. Twitter, the microblogging social network, said earlier this month it had been hacked and that about 250 000 user accounts were potentially compromised, with attackers gaining access to information, including user names and email addresses.
Newspaper websites, including those of The New York Times, The Washington Post and The Wall Street Journal, have also been infiltrated. Those attacks were attributed by the news organizations to Chinese hackers targeting coverage of China.
While Facebook said no user data was compromised, the incident could raise consumer concerns about privacy and the vulnerability of personal information stored within the social network.
Facebook has made several privacy missteps over the years because of the way it handled user data and it settled a privacy investigation with federal regulators in 2011.
Facebook said it spotted a suspicious file and traced it back to an employee’s laptop. After conducting a forensic examination of the laptop, Facebook said it identified a malicious file, then searched company-wide and identified “several other compromised employee laptops.”
Another person briefed on the matter said the first Facebook employee had been infected via a website where coding strategies were discussed.
The company also said it identified a previously unseen attempt to bypass its built-in cyberdefences and that new protections were added on Feb. 1.
Because the attack used a third-party website, it might have been an early-stage attempt to penetrate as many companies as possible.
If they followed established patterns, the attackers would learn about the people and computer networks at all the infected companies. They could then use that data in more targeted attacks to steal source code and other intellectual property.
In its statement, Facebook said the attack was launched using a “zero-day,” or previously unknown flaw in its software that exploited its Java built-in protections.
“Zero-day” attacks are rarely discovered and even more rarely disclosed. They are costly to launch and often suggest government sponsorship.
In January 2010, Google reported it had been penetrated via a “zero-day” flaw in an older version of the Internet Explorer Web browser. The attackers were seeking source code and were also interested in Chinese dissidents, and Google reduced its operations in the country as a result.
Attention to cybersecurity has ratcheted up since then and this week President Barack Obama issued an executive order seeking higher safety standards for critical infrastructure.
Other companies stand to benefit more from comprehensive legislation, which has stalled in Congress. Republicans have opposed additional regulations that would come with mandatory security standards.