
Facebook Says Hackers Stole Detailed Personal Data from 14M People - aportnoy
https://www.bloomberg.com/news/articles/2018-10-12/facebook-s-recent-hack-exposed-user-location-search-data
======
donalhunt
Facebook posting: [https://newsroom.fb.com/news/2018/10/update-on-security-issu...](https://newsroom.fb.com/news/2018/10/update-on-security-issue/)

Check if you are affected here:
[https://www.facebook.com/help/securitynotice](https://www.facebook.com/help/securitynotice)

(posting because it took 10+ mins to find it - many media outlets are not
linking directly to it)

~~~
dhimes
FB should timestamp these articles. It happened a couple of weeks ago, or is
this new news?

~~~
philsnow
Everybody should timestamp all articles.

People don't want to because they want their content to be "evergreen" and
they think that if there's a date that's more than a year or so old, people
will disregard / discount the content. So by default many blog CMSs default to
not showing the date of any articles.

~~~
coliveira
Facebook is not a small blog operator. They should view this as a professional
communications medium.

~~~
staticautomatic
Someone in Facebook's PR department is reading this part of the thread and
saying "it's working!"

------
rlt
I'm one of the unlucky 400,000 who had the most information stolen. Complete
notification:

        Is my Facebook account impacted by this security issue?
    
        Yes. Based on what we've learned so far in our investigation, attackers accessed the following Facebook account information:
    
          * Name.
          * Primary email address.
          * Most recently added phone number.
          
        Additionally, the attackers also accessed other account information, including:
    
          * The following information associated with your Facebook account:
            * Username.
            * Date of birth.
            * Gender.
            * Types of the devices you've used to access Facebook.
            * The language you choose to use Facebook in.
          * If you previously added this specific information to your Facebook account, it was also accessed:
            * Relationship status.
            * Religion.
            * Hometown.
            * Current city.
            * Work.
            * Education.
            * Website.
          * The 10 most recent locations you've checked in to or been tagged in. These locations are determined by the places named in the posts, such as a landmark or restaurant, not location data from a device.
          * The 15 most recent searches you've entered into the Facebook search bar.
          * People or Pages you follow on Facebook.
    
        A small subset of Facebook accounts, including yours, had additional Facebook information made available to the attackers. Learn more about how this information was made available. This is specifically information that appears when viewing your own profile and includes additional information, such as:
    
          * Posts from your timeline.
          * Your Friends list.
          * Messenger conversation names, but not their contents.
          * If you are a Page admin, you may have also had messages to your Page made available to the attackers.
          * Groups you're a member of.
    
        Based on what we've learned so far in our investigation, the attackers did not gain access to certain information, such as:
    
          * Account passwords.
          * Payment card or credit card information.

~~~
zavi
> The 15 most recent searches you've entered into the Facebook search bar.

I can see how the attacker can use this to blackmail somebody.

~~~
Spiritus
I don't. Can you provide an example or two?

~~~
jypepin
"single female friends who live in <town you just visited>" while you are
married, for example?

------
bargl
This is why I hate not having custom security questions from banks. What is my
father's middle name? Well, if you have Facebook and he puts it up there you
can find out. I have no control over that.

I could start using fake answers but trying to remember the fake answers vs
real answers is tough. Whereas when I get a custom question I have a custom
answer that I will always remember. Such as _made up on the spot_ Name of the
babysitter with curly finger nails. I remember that and no one can figure it
out based on the internet.

~~~
nathanaldensr
I use KeePass for password management and the way I handle this is I generate
a random string for each security question answer, then just include it in the
Notes field of the entry.

~~~
hermanradtke
People are social engineering a random string when talking to customer care.
The attacker says “Ah, a bunch of random characters, do I have to say it?” or
even worse I have had a customer service rep look at it, laugh and say never
mind.

I use “batteryhorsestaple” type of passwords stored in a password manager for
the security questions. Those are easy to say over the phone and more
resistant to social engineering.

~~~
EpicEng
> The attacker says “Ah, a bunch of random characters, do I have to say it?”

The vast majority of users aren't using random characters, so how would they
know to say that to begin with? Are you implying they try that line, idk,
10,000 times until it (maybe) works?

~~~
cortesoft
Nah, it would go like this:

Support: what is your father's middle name?

Hacker: Michael

Support: sorry that is wrong

Hacker: oh shoot, I forgot I always put the incorrect information in this
one... I can't remember, did I put a fake name or random characters? Or was
this the one I put a bunch of words into?

Support: yeah, it looks like random characters... let's move on

~~~
pbhjpbhj
Proper training required. That person presumably is legally liable as they've
breached the provider's security by giving information; and maybe given away
PII.

~~~
acct1771
This is the point of failure. This never comes to fruition.

"Computers are hard, and I'm just not very good with them!"

------
spike021
Logged in today and found:

"[name], we have more information about the security incident we discovered on
September 25, 2018. An unauthorized third party accessed your name, email
address and phone number. We acted quickly to secure the site and took action
to protect your account, and we're working closely with law enforcement to
address the incident."

Ridiculous.

~~~
a13n
Why is that ridiculous?

Here are the facts:

1. A software company had a security incident.

2. They urgently resolved the issue.

3\. They looked into who was impacted, and sent customized notifications
letting people know how they were impacted.

None of this behavior is ridiculous. It's quite responsible. What would you
expect to happen differently?

~~~
spike021
Well, let's see. A feature used to view _profile_ information had a
vulnerability that allowed an attacker to get my phone number. My phone number
isn't even listed on my profile.

This means the credentials from the original implementation of said feature
weren't locked down to only data available from your viewable profile.

While my phone number may be available elsewhere outside of FB, I only have it
tied to my account as a password reset contact.

~~~
a13n
> This means the credentials from the original implementation of said feature
> weren't locked down to only data available from your viewable profile.

Yeah, that's the entire security incident. So are you saying you expect
software companies to never have security incidents? Now that's ridiculous.

~~~
panic
Why is that ridiculous?

~~~
Kalium
It's only possible with a very different set of tradeoffs around risk and
innovation than are the norm in software. It takes NASA-grade layers of slow
development processes to be 100% certain that there will never be any
incidents.

Most companies, most developers, and most consumers would not be happy with
the cost and speed this would result in.

In short: it's not that it's impossible. We know how to do it. It just comes
with a cost attached that nobody wants to pay.

~~~
_Tev
And let's keep in mind how successful NASA safety policies actually were.

Perfect safety is a pipe dream.

~~~
Kalium
I mean, I'm not aware of any _software security_ incidents involving the
Apollo or Shuttle systems, so the system seems to work that far.

------
sorokod
Should it not be "Hackers Stole Detailed Personal Data of 14 Million People
from Facebook" ?

~~~
miles
Exactly this. Please forgive me reposting an old comment[0]:

This sort of victim blaming is all too common in the mainstream press:

_IRS Says More Taxpayers May Have Been Hacked_ [http://time.com/4000659/irs-taxpayer-hacked-cybercrime/](http://time.com/4000659/irs-taxpayer-hacked-cybercrime/)

It wasn't the taxpayers that were hacked - it was the IRS.

_Hackers stole personal information from 104,000 taxpayers, IRS says_ [https://www.washingtonpost.com/news/federal-eye/wp/2015/05/2...](https://www.washingtonpost.com/news/federal-eye/wp/2015/05/26/hackers-stole-personal-information-from-104000-taxpayers-irs-says/)

Hackers did not steal personal information from 104,000 taxpayers - they stole
it from the IRS.

Smaller media outlets often get it right:

_Over 700,000 People Got Screwed in Last Year's IRS Data Breach_ [http://gizmodo.com/over-700-000-people-got-screwed-in-last-y...](http://gizmodo.com/over-700-000-people-got-screwed-in-last-years-irs-data-1761565531)

[0]
[https://news.ycombinator.com/item?id=13681544](https://news.ycombinator.com/item?id=13681544)

~~~
crunchiebones
I guess directly mentioning the user makes it sound more personal, and
click-worthy.

------
propman
If I type my full name on google, I can find my home and cell phone number,
age, all family members, home address, my last home address, and my google +
(fb and LinkedIn I changed settings so not searchable).

And it’s a pain to ask them to delete the info. It’s obscure and time
consuming and no guarantees. That in my mind is worse than anything here. I
didn’t allow that info to be public, we need more privacy laws.

~~~
alain94040
Sounds like a startup opportunity. For only $5, we'll file take down notices
left and right for all the info that is available online about you.

~~~
lsmarigo
Already multiple players in this space, but last time I checked none were very
reputable or well reviewed, so hey, still an opportunity.

------
40acres
Interesting trend I'm noticing with Facebook data controversies: 3rd parties
are exploiting Facebook's connectedness to exponentially scale the # of
accounts targeted by an attack.

Both Cambridge Analytica and these hackers were able to launch a successful
attack on a relatively small number of accounts and through Facebook's graph
like network were able to leverage the initial attack to affect more people.

Social networks mirror real life networks; they can be attacked with virus
like tendencies.

------
40acres
Regulation is coming. If data is the new oil these are the oil spills that
lead to the EPA.

~~~
adanto6840
Spot on. Another comment here sounds like it may be suggesting mandatory
bounties -- at first glance that sounds very bad for small players, but some
thresholds and/or percentages of revenue make the concept more palatable. The
users themselves should be able to receive some kind of equitable relief too,
but it's difficult when a single user's data is worth <$100 yet the _cost_ to
the user is potentially a much larger sum.

Regardless, I completely agree - that's almost surely where this is headed.

------
jlmorton
If Facebook could go back in time and choose between:

a) Paying out a $1m USD bug bounty, or

b) Accepting the reputational hit from a successful exploit

I wonder which they would choose with perfect hindsight?

Facebook runs a great bug bounty program, but given Facebook's size, data
footprint, and profitability, perhaps it's worth increasing the rewards.

~~~
therein
Perhaps any vulnerability reported that can lead to the compromise of user
data at a scale should be automatically paid out $1M.

~~~
tantalor
Are you suggesting requiring this by law?

------
nathanaldensr
Title says 14M people but Facebook's notice says this:

>We have now determined that attackers used access tokens to gain unauthorized
access to account information from approximately 30 million Facebook accounts.

~~~
smelendez
They got 30 million users' access tokens. They didn't do anything with 1
million of them but grabbed contact info from 29 million people and additional
profile info from 14 million of them, according to Facebook.

------
makecheck
So: “We collected detailed personal data on 14M people, much of it not
directly given to us by those people. This created an enticing target for data
thieves. Despite our obscene profits from data, we disproportionately
reinvested in protection of this sensitive information. Since we lacked
security and have a unique ability to hold more data in one place than anyone
else, thieves got more of your data than they could have dreamed of.”

Did I miss anything?

------
prolikewh0a
So they've just participated in Facebook's exact business model, just never
paid for the data. Anything really concerning here?

~~~
vuln
So much this!! Facebook's mad they didn't make any cash off it.

------
thinelvis
Facebook is just pissed that a marketing or analytics company didn't pay them.

------
nafizh
When will we start prosecuting these companies for letting user data get
hacked? If you cannot protect user data, you have no business dealing with
it. At the very least, there should be monetary compensation.

~~~
aaaaaaaaaab
We’ve accepted their terms on signup...

------
barrad0s
I guess I don't really understand the frustration of some people. I do but I
don't. I don't have a facebook account, or instagram, or any social media,
haven't had one in many years. No one NEEDS to have one. I guess to me, if you
don't want this info to be exposed, just don't have an account. Assume the
worst can happen. This is not like other sites, I get that you're "trusting"
them with your info, but you are willingly putting your information there,
just don't.

~~~
reaperducer
You forget that you don't need to have a Facebook account for Facebook to
create a profile for you. You just have to exist.

The same is true for many other social networks.

So while you're posting about being all smug and happy that you never signed
up for one of these services, your personal data is still in their servers,
ready to be exploited by both the company and hackers.

~~~
barrad0s
Oh yes I understand that very much, but I do what I can not to help them. The
point I was making is about people who willingly put all of their info there,
photos, addresses, location etc.

------
nyokodo
A downside to having deleted my facebook account before this security breach
was reported is that I cannot find out if my data was compromised.

------
jimnotgym
The multi-billion dollar question is still... how many of them were EU
citizens?

~~~
kasey_junk
Why? Do you think they didn't report this breach to a supervisory authority?
Even though they made it public?

~~~
jimnotgym
That is not the only thing you can get fined for under GDPR.

~~~
kasey_junk
I’m fairly knowledgeable in the GDPR and I’m legitimately curious what you
think the fine basis would be related to this breach.

~~~
jimnotgym
A few things made me wonder

1)
[https://news.ycombinator.com/item?id=18203002](https://news.ycombinator.com/item?id=18203002)

This comment suggests that they discovered the vulnerability and spent two
days working out how to fix it, whilst leaving the site live for exploitation.

2) Did they report the breach in a timely manner? That is not clear to me yet.

3) Until a detailed analysis is done we don't know if there was anything
negligent about this.

4) If in other investigations into Facebook it is found that Facebook were
storing data they had no right to, and it transpired that they had lost some
in this attack, they would be culpable because they shouldn't have had the
data to lose.

So nothing specific, but lots of maybes.

~~~
kasey_junk
We don’t have a lot of case law to go on, but generally speaking most experts
assume article 33 will be the easiest part of GDPR to conform to.

Even under the most harsh interpretations 3 days is the standard & that comes
with all kinds of outs.

To the rest of your other points they largely are not at all covered by GDPR.

For instance I’ve never seen an interpretation of the GDPR that required a
timeframe for remediation.

Further there is no requirement to allow a supervisory authority
_investigatory_ power after a breach.

In any case this appears to be Facebook acting with extreme transparency.
Exactly what the regulators want. It would be weird if this led to negative
ramifications.

------
shiado
As with any breach it is always interesting to see how the scope gets
broadened day by day. Tomorrow there might be some headline like "Hackers
actually took all of your location data, a timestamp of every breath you took
in the last week, and 4K video of everything you looked at through your eyes
for the last ten years."

~~~
bogomipz
And of course they make sure that the bad news comes out on a Friday. FB has
all the credibility of a greasy politician at this point.

------
exodust
Never been a member, but I do receive regular notification emails from a Fb
account/person I don't know, and an account I've never had anything to do
with.

Yesterday, after news of stolen data emerged, I received a "Facebook password
reset" email sent to my Gmail address. I ignore all and filter as spam, but
sometimes I see them. The email headers do show the source is Facebook.

Seems like Facebook allows new account sign up from unverified email
addresses. That's a flaw in their policy against spam and abuse, making these
hacking events worse when they happen. They need to use activation codes in
the email used to sign up with.

------
myth_buster
Hey it's election season. Time to refresh DB. /s

------
xab9
I still think that facebook can be tremendously useful, even if I unfollowed
everyone and have zero posts (mostly to see events, access facebook-homepages,
let people find my email address or just occasionally tell someone to send me
an email instead of writing on messenger) - but heck, this latest breach is a
bit too much to swallow.

------
thelastidiot
That's one of the numerous reasons I'll never use fb as a payment or ecommerce
platform when they launch these products.

~~~
ams6110
I doubt other payment or ecommerce platforms are any more secure. Given its
size, I assume Facebook has a lot of smart people working on security. And
they still screw it up. How are smaller platforms, who can't attract or pay
for the very best talent, going to do any better (other than by being smaller
targets, I guess)?

~~~
samat
Visa and MasterCard seem to handle security OK.

~~~
tialaramex
This requires pretty loose definitions of OK, which, I guess, works out OK for
Visa and MasterCard ?

Both systems experience what on the Web we'd consider a staggering level of
problems. Fraud losses just in the UK for the card payment system exceed £500M
per year. They're proud of themselves for catching about 60% by value of
potential fraud. That is, people _tried_ to steal over a billion pounds each
year, but only get away with £500M...

They use out-dated cryptography, they straight up lie to their partners, to
customers and even to the courts. I trust them about as much as some random
Etsy maker.

Now, my country's laws mean when Visa screws up, my bank, regulated by those
laws, has to make me whole. And I'm a middle-aged white guy, so good
old-fashioned unconscious bias means when I'm screaming at a regulator about my
rights they listen.

But if I didn't have those laws, if I was an elderly black lady, I can expect
that I'd be told it's not the payment card company, I must have secretly
travelled to Hong Kong last weekend and bought $5000 of men's watches and so I
have to pay for that transaction even if I have witnesses who say I never
left... after all the computer says it was my card and how could that be
wrong?

------
dsr_
And you know it's stolen, because they didn't pay Facebook for it the way they
should have.

------
zaphirplane
The headline made sense to me as - Facebook; says hackers, stole
Or as - Facebook says, hackers stole

------
Alterlife
The wording of this is so off.

Hackers stole personal information stored by FACEBOOK not 'people'.

It sounds like they are creating a new way for their company to avoid
responsibility, just like banks created 'identity theft'.

------
wimgz
And after that they want to put a Facebook camera in your living room?

------
lisardo
I'm among the hacked people. I'm feeling so disappointed.

~~~
w8rbt
Don't feel bad... everyone, everywhere has been compromised. The corporations
that say they have not are either ignorant or lying.

~~~
ams6110
That's where I've ended up. I just assume that anything I enter on any website
or app is potentially public. I've seen no real evidence that we as
technologists and tech companies are able to do better.

------
aviv
Yep...
[https://news.ycombinator.com/item?id=18095071](https://news.ycombinator.com/item?id=18095071)

------
madrox
To me, this is less about what a devil Facebook is, but that nothing is worth
the risk that comes from putting too much of your data in one place.

------
mike22223333
Increase the bug bounty rewards for such things to depend on the scale, so a
$1M-$10M bounty should be given. Otherwise face a reputation hit.

------
cmpb
> For about 14 million people the hackers accessed information such as the
> last 10 places that person checked into, their current city and their 15
> most-recent searches...

I imagine such information will be very useful for fine-tuning phishing scams.
E.g. something like “we saw you the other day at the Baton Rouge State Fair,
and it’d be a shame if anyone saw what you did there. Send 0.5 BTC here so no
one finds out.”

------
pbhjpbhj
Massive GDPR fine coming soon then?

------
anigbrowl
This dataset seems more than usually worth procuring for the demographic data
rather than the PII.

------
jwbensley
A detailed tech breakdown of the hack would be great, I assume this is out of
the question?

------
tw1010
What's the most sci-fi worst case scenario that could come of this?

~~~
ry_ry
Public collectively shrugs, sites get hacked all the time and nothing bad ever
happens to them, so it's just people getting worked up over nothing.

I consider that pretty scary, at least.

~~~
tw1010
Oh come on. Mass blackmail, that'd be pretty cool. Or models trained on our
behaviour, subtly affecting the market to make us do silly things purely for
the enjoyment of some accidental bitcoin millionaire, never detectable by
governmental or human-intuition anomaly-detectors because all effects are below
the noise level. Something cool like this must be going on somewhere, and I
want to read a (non-fiction) book about it.

------
StreamBright
Exactly the reason why facebook should not store any PII

------
sam1r
what are the chances that a class lawsuit will follow? not an expert on this
but haven't seen it mentioned yet on this discussion.

------
silveira
Enough to subvert a few democracies.

------
8bitsrule
"Hackers Stole" ...

Yeah. It's all their fault.

Dumb fucks.

/s

------
LeicaLatte
The Facebook has the media by its balls.

------
WindowsFon4life
They mean that what they already sell, was stolen without being paid for?

------
fpalacios10
Luckily I deleted my Facebook account over the summer. One less account to
have to worry about now.

~~~
rustcharm
Thank you for letting us know.

~~~
fpalacios10
No problem.

