
Facebook Network Breach Impacts Up to 50M Users - coloneltcb
https://www.nytimes.com/2018/09/28/technology/facebook-hack-data-breach.html
======
herpderperator
Excerpts from the press call transcript [1] by Guy Rosen explaining what led
to this breach being possible:

> The first bug was that, when using the View As function to look at your
> profile as another person would, the video uploader shouldn’t have actually
> shown up at all. But in a very specific case, on certain types of posts that
> are encouraging people to post happy birthday greetings, it did show up.

> The second bug was that this video uploader incorrectly used the single
> sign-on functionality, and it generated an access token that had the
> permissions of the Facebook mobile app. And that’s not the way the single
> sign-on functionality is intended to be used.

> The third bug was that, when the video uploader showed up as part of View As
> -- which it wouldn’t do were it not for that first bug -- and it generated
> an access token which is -- again, wouldn’t do, except for that second bug
> -- it generated the access token, not for you as the viewer, but for the
> user that you are looking up.

> It’s the combination of those three bugs that became a vulnerability. Now,
> this was discovered by attackers. Those attackers then, in order to run this
> attack, needed not just to find this vulnerability, but they needed to get
> an access token and then to pivot on that access token to other accounts and
> then look up other users in order to get further access tokens. This is the
> vulnerability that, yesterday, on Thursday, we fixed that, and we’re
> resetting all of those access tokens to protect security of people’s
> accounts so that those access tokens that may have been taken are not usable
> anymore. This is what is also causing people to be logged out of Facebook to
> protect their accounts.

[1] [https://fbnewsroomus.files.wordpress.com/2018/09/9-28-press-...](https://fbnewsroomus.files.wordpress.com/2018/09/9-28-press-call-transcript.pdf)

~~~
partycoder
The "View as" feature has been the source of many security vulnerabilities.

There was a time where you could read other people's chats using this feature.

~~~
groestl
When designing such a system, the immediate failure mode is obvious: at some
point, someone will read data not meant for them.

As every feature on FB needs to take "View as" into account when handling
their own permissions, a lot of developers on FB's payroll get a chance to
f'up. We are all humans, so the probability of this happening is very high.
The impact (for the users) is also high, given that it's automated and
concerns every user on FB equally.

When dealing with a very probable, high impact risk in a software project,
considerable additional effort is warranted to mitigate that risk: in this
case maybe taint checking and additional implementations of the same feature
in different programming paradigms, to ensure the system is fail-stop.

But in contrast to airlines and railways, the interests of FB and their users
are not aligned. For Facebook, this risk is not (or was not deemed to be of)
high impact, so we didn't get any of this.

------
iMuzz
Here's the banner that they put up on people's newsfeeds:
[https://imgur.com/G7sBbwX](https://imgur.com/G7sBbwX)

Nowhere on that banner does Facebook make it clear that there was recently a
severe security issue that may have resulted in the loss of personal user
information (Making it much less likely for the user to actually click 'Learn
More'). It's misleading to title this with just "An Important Security Update"
and make it seem like they've just updated their systems. No mention of the
recent compromise until you click 'Learn More'.

~~~
jazoom
They've been showing me that banner for a while. In fact, they stopped showing
it to me about a week ago. Are you sure it's related?

~~~
KyeRussell
This is 100% the banner I have received. The call to action directs you to
this page:

[https://www.facebook.com/help/2687943754764396?ref=comms](https://www.facebook.com/help/2687943754764396?ref=comms)

Which is the issue at hand.

~~~
jazoom
Okay. That's very deceptive of Facebook.

Also, it's "100%" the banner I saw for several days last week. Make of that
what you will. I didn't click it so I don't know what it pointed towards.

------
testplzignore
Fun fact: [https://newsroom.fb.com/news/2018/09/security-update/](https://newsroom.fb.com/news/2018/09/security-update/) was published at 16:42:44. [https://www.nytimes.com/2018/09/28/technology/facebook-hack-...](https://www.nytimes.com/2018/09/28/technology/facebook-hack-data-breach.html) was published at 16:45:41. NYT writes fast :)

~~~
laken
In the journalism world, pre-written articles are apparently quite common. I
assume they had a boilerplate already for the next Facebook controversy, and
just wrote 2-3 opening paragraphs that were relevant for this one.

CNN many years ago accidentally left some of their pre-written obituaries for
(living) world figures publicly accessible.
[https://en.wikipedia.org/wiki/List_of_premature_obituaries#T...](https://en.wikipedia.org/wiki/List_of_premature_obituaries#The_CNN.com_incident)

~~~
reaperducer
_In the journalism world, pre-written articles are apparently quite common._

Actually, not "common" at all.

Obituaries for famous people are often done in advance, since everyone dies.
It used to be one of the things that young journalists/interns did to cut
their teeth.

But not every company has a massive security breach, so this was not
pre-written.

It's not uncommon for big companies to fax (yes, fax) bad news to news
organizations a few hours or days before posting it on their own web sites.

In the past, there would be embargoes on the information, but in the case of
bad news, those are routinely ignored.

~~~
ianamartin
Welp, this sounds like a pretty bad practice. If there's one thing that
journalists can count on, it's that famous companies are going to have a data
breach.

You should probably get on that.

------
genzoman
Until they can provide some data that say the 50 million number is a fact, I
don't believe it's that low. Every breach starts out on the low end, and
miraculously ends up being double or triple as they do "more research" and the
initial anger dies down.

~~~
sct202
I'm pretty sure they logged out more than <5% (90m of 2B) of their users,
because of the people I talk to on a daily basis on Messenger like well over
2/3s got logged out. I could see if they meant 90m of American users or
something.

~~~
arnaudsm
Why the downvotes? This is important data, and no one gave this information
in the whole thread.

~~~
nkozyra
Probably because it's entirely anecdotal and attempts to extrapolate from such
a small sample size.

~~~
azernik
It's more a problem of a biased sample than a small sample - this attack
spread through the friend network, and so if one of your Facebook friends is
in the attacked/vulnerable group then other ones are also likely to be.

~~~
nkozyra
Sure, but that's very different than the logical problem I'm talking about.

------
dom96
Some more details here: [https://newsroom.fb.com/news/2018/09/security-update/](https://newsroom.fb.com/news/2018/09/security-update/)

~~~
sdwisely
> But it’s clear that attackers exploited a vulnerability in Facebook’s code
> that impacted “View As”, a feature that lets people see what their own
> profile looks like to someone else. This allowed them to steal Facebook
> access tokens which they could then use to take over people’s accounts

oh boy, what a mess.

~~~
erichurkman
User impersonation code always terrifies the bajeebus out of me.

~~~
sp332
You only get to see your own profile. It's a very useful tool to make sure
you're not leaking data to people you'd rather not give it to.

~~~
seq
Well, thanks to Facebook's "View As" functionality, I recently discovered that
their privacy setting "Only Me" does not work for only me, if another person
is tagged in the picture. Meaning that if I have a picture with my ex
somewhere in profile, set to "Only Me", it actually means "Only me... and
her".

~~~
sp332
Right, the interface isn't very clear but instead of "Only Me" it shows "Only
Me (+)" and if you hover it says: "Only Me, Anyone tagged."

------
red_admiral
I find facebook's effects on privacy and democracy as scary as the next
person, but so far their secure coding standards have been extremely high.
They're one of the few big names NOT on haveibeenpwned.com, they run their
passwords through a KDF and then encrypt the result with a hardware security
module, and a whole lot of other good things.

I guess even the best (at secure coding) sometimes mess up.

~~~
ern
_They're one of the few big names NOT on haveibeenpwned.com_

Have Amazon, Google, Twitter, Microsoft or Apple been on haveibeenpwned?
That’s what I think of when I hear “big names”.

~~~
koko775
MS yes, via LinkedIn (at least)

~~~
manquer
Not the same.. that breach was way before the acquisition, you can't conclude
from that breach that MS development or security practices were lacking ..

------
wfwefwef32
Recently talked to 2 friends working for fb. According to them, the culture
there is very toxic. For a master's degree, once you get in, you need to get
promoted in 22 months (I might misremember the actual number.) or you will
have to leave. Debugging is never counted as real work, so for quick
promotion, nobody wants to solve bugs unless a bug becomes too obvious. And
they also complained about no work-life balance. They got pushed to check in
code at 12 a.m. for example.

~~~
quotemstr
What, exactly, is wrong with the expectation that people make senior level
eventually? What exactly is wrong with being able to work at any time? I
worked there for years, and if I was landing code at 12am, it was because I
was excited about what I was doing. It was wonderful being able to work with
people from all over the world on high-impact projects, and fixing important
bugs was definitely high-impact. People who fixed vexsome bugs were heroes.

~~~
twoheadedboy
What you call being "excited about working at 12am" I call "accepting being a
corporate slave".

~~~
quotemstr
I don't think you can so glibly dismiss enthusiasm as Stockholm syndrome.
Passionate people push the world forward, and mocking passion is a recipe for
mediocrity and stagnation.

~~~
twoheadedboy
I think I'd just much rather spend the short time I've got left in my one
existence doing things outside of work that actually make me happy and
fulfilled, than being exploited for the benefit of the mostly rich and
powerful and the illusion of "progress". If you truly get fulfillment from
that stuff then more power to you, but I don't think the vast majority of
people who are pressured to perform do.

Just because we have more "stuff" and more advanced "technology" doesn't make
life more worth living. Happiness levels across society don't increase
alongside productivity.

~~~
quotemstr
> I think i'd just much rather spend the short time I've got left in my one
> existence doing things outside of work

Okay. That's your choice. But having made this choice, don't complain when
those of us who choose to devote more time to work receive greater rewards.
There's nothing wrong with paying for performance.

~~~
Aeolun
Of course there is. If you are working 12 hours a day, how am I with my paltry
8 hours ever going to be considered for a promotion? I quite need it to keep
feeding my family after all.

I can’t stop my bosses from judging based on time spent working (which is
silly, but hey, we’re all human), but I sure can try to stop my coworkers from
subscribing to such insane work hours.

------
Globz
What really freaks me out is the day Facebook dies, what will happen to all of
this data?

If you heard about the NCIX story where they basically abandoned their servers
filled with users data (over 13 years of data) and someone scooped them up and
tried to resell them on the black market, one could think that a similar fate
is possible.

source :
[https://www.privacyfly.com/articles/ncix_breach/](https://www.privacyfly.com/articles/ncix_breach/)

Obviously if Facebook was going under it would probably trigger a huge legal
process on how to handle the data but it clearly doesn't happen for smaller
businesses...

~~~
mtrn
> What really freaks me out is the day Facebook dies, what will happen to all
> of this data?

Interestingly, Facebook owns your data. I believe if they wanted to, they
could close the company tomorrow and put a facebook.tar.xz of everything they
collected on archive.org or somewhere else.

~~~
kotajacob
I wonder if archive.org could actually store that much data.. and how long it
would take to create a tar.xz of it.

~~~
jrowley
What file systems would support a tar that big?

~~~
birracerveza
[https://en.wikipedia.org/wiki/ZFS](https://en.wikipedia.org/wiki/ZFS)

------
gouggoug
From Facebook's announcement: "After they have logged back in, people will get
a notification at the top of their News Feed explaining what happened."

I personally did not get any explanation as to why I had to log back in. It
did surprise me to be logged out this morning and I was wondering why.

~~~
dylan604
Logged out of and back into what? Your mobile app? Your web browser tab that
is left open indefinitely? I no longer use FB, so just curious. I know people
that never log out of FB, and have closed their browser window/tab thinking
that was good enough even though the "remember me" type option was checked.
Opening a new window/tab to FB would show their account just like nothing
happened because they did not log out. I know this is to FB's advantage of
tracking all the things, but wow what a security nightmare.

~~~
kilpikaarna
There's no remember me option anymore, it always remembers. You have to log
out manually and/or set your browser to delete the cookies and/or use Ghostery
if you don't want FB tracking you all over the web...

------
thegeomaster
The "View As" feature has caused a massive vulnerability in the past: [https://techcrunch.com/2010/05/05/video-major-facebook-secur...](https://techcrunch.com/2010/05/05/video-major-facebook-security-hole-lets-you-view-your-friends-live-chats/)

I bet they're now really regretting keeping it around.

~~~
xeromal
Yeah, I thought this was old news I heard years ago, but I guess they broke it
again.

------
chrdlu
My girlfriend and I experienced a really weird bug in the past. We would see
that Facebook said we were active in the middle of the night when we were
definitely asleep. It didn't make too much sense then, but now it's possible
that those instances might have occurred due to someone else accessing our
accounts? Both of our accounts were logged out.

Did anyone else experience anything like that?

~~~
SubMachineGhost
AFAIK if you have Messenger installed and you have an internet connection,
Facebook displays your status as active.

------
IvyMike
So here is a question: my girlfriend only uses FB on her laptop, and always
logs out when she's done. I usually make fun of her for doing this.

But does this mean most of the time that there was no active access token and
she is mostly safe? (Excluding the windows of time where she _was_ actively
using FB) Do I have to take back all of my teasing?

~~~
modeless
I doubt it. The "View As" feature does not require the target to be currently
logged in to Facebook AFAIK.

~~~
IvyMike
This is an interesting point. Right now, I can't reconcile the "we canceled
active sessions thus logging people out" as a fix with the fact that "View As"
was the attack vector.

~~~
leddt
I'm guessing they invalidated all access tokens for accounts that have been
used as "View As" targets since the issue was introduced.

They also disabled "View As" which is the actual fix for the time being.

------
rvnx
The interesting part is that it is the second time (at least) that this is
happening. In the past, when you were using "View As" you could read private
messages without doing anything malicious (you were actually logged on to the
victim's Messenger account).

------
rajathagasthya
> This attack exploited the complex interaction of multiple issues in our
> code. It stemmed from a change we made to our video uploading feature in
> July 2017, which impacted “View As.”

Obviously, Facebook is an extremely complicated system. But I find it hard to
believe a video uploading feature would impact 'View As'.

~~~
throwawaymath
It's very easy for me to believe. "View As" is an authorization and
authentication sensitive, limited user impersonation feature. Video uploading
interacts with, and complicates, authorization in an application with fine
grained privacy and permission models.

It's intuitively straightforward that modifying code for uploading videos
could (read: not should) have authorization and authentication ramifications.
One of those ramifications could then result in a vulnerability chain
compromising user impersonation functionality.

I have seen far, far more incredulous head scratchers in penetration tests and
code reviews. The interaction boundaries of, or middleware between, two
seemingly unrelated systems is generally a good start to look for a security
vulnerability.

~~~
rajathagasthya
> It's intuitively straightforward that modifying code for uploading videos
> could (read: not should) have authorization and authentication
> ramifications.

I get this part. But why would it affect _only_ videos and not other entities
(photos, status etc.)? I would think creating (or uploading) any of the
entities have the same authorization and authentication ramifications. What
could be different for videos? Unless the privacy models are so fine grained
that you can have different privacy settings for different entities (haven't
used Facebook in years, so I don't really know). Your explanation makes sense,
I'm just looking for a concrete example.

~~~
munchbunny
As someone who works specifically on user authentication stuff...

The problem is often that there are multiple sources of truth for who the user
is. And if you have an impersonation feature, you by definition have two
sources of truth: who the user actually is, and who the user is impersonating.
It would just be a matter of a single mistake of using the wrong one.

Considering that "view as" requires your page view to render every control as
the impersonated user but only when it comes to your profile, but renders all
controls outside of your profile as the original user, I could see any
engineering team dealing with some very carefully drawn and potentially
confusing boundary cases.

Edit: just to elaborate, it's not just obvious impersonation contexts where
this gets interesting. For example, linking your Humble Bundle account to your
Steam account, or on Netflix which user you are vs. which email address is
being billed. Many apps have a function to share some document using a one-
time expiring token. If you're also logged in, then do you read permissions
from the shared token or from your account? If you mix them, do you make sure
anything that writes to this shared view can't touch your account itself on
accident? We don't think about it much but I think you can see how these
subtle distinctions are important when you are thinking about access control,
and that makes it a breeding ground for subtle mistakes.

------
dawhizkid
Is it wrong to be glad FB's reputation has tarnished (and stock price
sideways) over the past year or so? For so long they've monopolized the talent
pool in the Bay Area. If more people decide 1) they don't want to work at FB
and 2) FB employees are itching to leave then I see any stain on FB's
employment brand as a net positive to the greater tech + startup ecosystem.

~~~
tmh79
they haven't monopolized talent, they pay for talent. Facebook paying high
salaries has increased all of our pay, equity etc, whether you work there or
not. The only thing this may be bad for is founders who are in a zero sum
competition with FB for talent and now need to spend more money and equity to
get it.

~~~
chalkandpaste
This is a very short-sighted view. Yes it has some immediate benefit in terms
of pay, but you have to consider the long-term societal tradeoff of not
developing addictive mental candy for people or developing societally useful
technologies (or vice-versa, as it now stands). We can focus on getting
paid a lot now, or on improving the wealth of everyone and generating the value
we can all enjoy later.

~~~
prostoalex
> the long-term societal tradeoff of not developing addictive mental candy

Along with React, GraphQL and a bunch of other technologies with various
degrees of popularity [https://opensource.fb.com](https://opensource.fb.com)

Along with various startups building around the projects incubated at Facebook
- Asana, Interana, Phacility, Qubole, etc.

~~~
yaseer
React + GraphQL < B

Where B is the sum of the set consisting of:

- Breaking democracy in the US and the UK by being _the_ platform for disinformation.

- Disinformation assisting genocide in Myanmar.

- Use correlating strongly with poor mental health

- Manipulating behaviour to encourage poor attention spans for the sake of ad-clicking

- Constantly violating basic standards of privacy

- (I could go on..)

Oh wait, excuse my arithmetic. I forgot to add another JS framework like Relay
to the LHS of the equation, that makes it a net positive from Facebook! :D

~~~
justaman
I don't think it's fair to blame FB for the decay of democracy in the
information age. Surely Twitter is also to blame. I think the blame is on
the users. It's not possible to be perfectly informed. It is possible to keep
your mouth shut if you don't know something for sure. Perhaps it's the fact
that in real life, to say something you need to say it to someone's face and
on social media you don't have that social weight to carry. This brings about
people more likely to share misinformation. If this is the case, it's not the
fault of social media, rather the fault of internet culture. More personal
responsibility is the solution. Not an improved ML system to detect fake news.

~~~
yaseer
Yes, Twitter is also to blame.

It is a problem inherent in the structure of most social media companies. And
Facebook is the most significant social media company, and thus contributor to
the problem.

------
samfriedman
Related to the recent black-hat turned white-hat episode with the guy who was
going to delete Zuck's page, perhaps?

~~~
murph-almighty
That was my immediate thought. Is the livestream cancelled?

~~~
simonswords82
I heard on Reddit that it had been cancelled as he'd been paid out by FB.

------
Xyik
It's sad that every time there is a post about Facebook the comments are
extremely toxic and negative, and don't really even discuss the article
itself. I would argue that 80% of all tech companies are doing close to 0 in
making the world a 'better place'.

~~~
genericone
Facebook's goal: Connect all the people

Google's goal: Organize all the information

Amazon's goal: Sell all the merchandise

\-----------

Taken at face value, all those companies were/are all trying to make the world
a better place in the ways available to them. But when the externalities of
those goals affect other people, they will become hated. Everyone has a
different opinion of what 'better' means.

Since giant companies are most able to execute their vision of better, they
will get most of the hate from people who have a different opinion of better.

Looks to me like it's all just a battle for power: People with ideas but
lacking implementation and execution, vs Companies with ideas, implementation,
execution, AND momentum. Let's not forget all the different forms of
government either...

~~~
omgtehlion
Facebook's goal: sell ads

Google's goal: sell more ads

Amazon's goal: Sell all the merchandise... and ads

FTFY

~~~
genericone
NYT/WaPo/WSJ: Make people click or view ads

All other news outlets: Make people click or view ads

Random-blog: Make people click or view ads

Free games companies: Make people click or view ads.

Internet businesses are a vicious circle of cash for ads. Ads are deeply
embedded in the business model, but is advertising the goal of any of these
companies?

------
SketchySeaBeast
2.23 billion active users, 50 million affected. ~2% of their user base. Wow,
that's a lot of people affected, and somehow just a tiny sliver of their user
base.

~~~
saagarjha
As many have mentioned here, estimates about the number of accounts affected
usually start off low and increase as the full scope of the vulnerability is
known.

------
lemming
I'm glad this doesn't affect me since I don't use Facebook.

Oh, wait, it doesn't matter since they move heaven and earth to collect and
store my data anyway, and of course I can't get them to delete it.

Seriously, fuck Facebook.

~~~
inglor
Random question - is there a way to naturalize in the EU and use GDPR to ask
Facebook to remove your data? (For example an Estonian digital citizenship)

I might be way way off and I am (obviously) not a lawyer but interested in
material about this.

~~~
arprocter
I believe it only applies if you are physically in Europe

~~~
qwertay
The GDPR only says "EU citizens". It doesn't mention if that means you currently
have to be in the EU or not.

------
humanbeinc
Was affected by this. Hacker used the token to run rogue Ads on my business
manager account.

They were pretty clever, because they used proxies in my region so Facebook
wouldn't send me automatic warnings.

I can only encourage everyone to check their running Ads & campaigns and check
the audit history log at business.facebook.com asap!

Facebook support sucks (also for business users) so don't expect to get your
money back.

------
sabalaba
Looks like they're clearing out compromised sessions.
[https://twitter.com/facebook/status/1045722820582432768](https://twitter.com/facebook/status/1045722820582432768)

I was logged out of Facebook about 30 minutes ago.

~~~
dylan604
Why not just clear out 100% of sessions?

~~~
jpdb
I am speculating, but perhaps, "Thundering Herd,"[0] concerns?

[0]
[https://en.wikipedia.org/wiki/Thundering_herd_problem](https://en.wikipedia.org/wiki/Thundering_herd_problem)

------
umbula
Deeper analysis from Brian Krebs: [https://krebsonsecurity.com/2018/09/facebook-security-bug-af...](https://krebsonsecurity.com/2018/09/facebook-security-bug-affects-90m-users/)

------
losvedir
I wonder where the "50M users" estimate comes from. It seems like the feature
that caused it, "View As", is probably available to more than that many
people. Does this mean that they managed to trace the attacker capturing the
access tokens of 50M users? Even allowing for the bug in the first place, it
seems like exploiting it should be detected before 50M uses.

~~~
moltar
Probably they have stats on how many people actually used the feature.

~~~
tlobes
Most likely this. I have a few dev accounts, one which I know I used the
feature at some point, another few which did not and those were not reset.

------
pdeuchler
Said this yesterday in the other Facebook thread, and I'll say it again.

Working for Facebook is a morally bankrupt position. If you are an engineer
you have plenty of job opportunities available to you and there is no excuse
for you to continue contributing your labor and time to a wholly malignant
organization. At a certain point one has to ask how we as an industry will
start dealing with those who continue to take a paycheck from Facebook even in
the face of constant and horrific evidence of wholesale ethical violations and
negligence.

~~~
chronid
So is working at Google, Amazon and probably 90% of the big corps of the world
in many sectors - from oil to finance to pharmaceutical to telecommunications
and so on. And we can include the government. If you're a subcontractor or sold
in body rental (modern IT slavery) you're also in the same position as an
employee, so you're enabling their evils. Also, if one of those companies is a
client of your company you're also enabling them (or a client of a client of
your company? How many layers of separation should exist between you and
Walmart before you stop being an accomplice in enabling their abuse of
workers?).

Your point? Should we stop working in IT and go back to the fields?

Also, I fear that HN somewhat forgets the world is not SF, in Europe going to
work for Facebook/Google/Amazon is an enormous bump (we're speaking 2-4x) of
salary for many people, which in some cases means you can buy a house after
3-4 years even with the crazy rents back in your home country - and that's
HUGE. Why should those people spend their time slaving as a subcontractor for
yet another TLC/bank trying to squeeze their customers dry at the first
occasion while getting 25% the salary and zero benefits? Are those less evil?

What needs to happen is that people keep applying pressure so facebook is
forced to adapt its business model even if it hits their bottom line - which
is already happening apparently.

~~~
pslam
"They're all like this so it's impossible to do good" is an even more morally
bankrupt position. It rejects personal responsibility and agency, places you
as the victim, and allows you to continue to be a bad actor in the world.

You should change this.

~~~
chronid
It's not impossible to do good, that's not what I'm claiming at all, and
that's why the last line is there.

I'm pretty sure you can do good even within Facebook, doing your utmost to
keep the company accountable (from my experience in another big corp, we don't
see 1% of what's happening inside it, and how many people are facepalming -
and we'll never know if many things were just humans being stupid or actual
calculated decisions). You can also keep your guard up from outside and force
Facebook to fix itself (obviously, as much as its business allows) from
outside, for example pushing it to hire more moderators and get better so as
to prevent things like Myanmar from happening again.

What I'm saying is that it's impossible (and in my opinion, pointless) to
claim moral superiority and to accuse people of being morally bankrupt because
they work for corp X.

~~~
DSingularity
Why are you so invested in the continuity of facebook?

It's like, "Doctor, why don't we just apply pressure on the tumor until it
starts to grow at more reasonable rates!".

No. When you find cancer, you try to eliminate it.

Facebook is exactly this -- cancer. They have been aggressively monopolizing
software for socializing so that they can arrive to the dominant position they
are in now.

Until Facebook becomes more transparent w.r.t how they use the user data and
until Facebook gives users autonomy -- they need to be regulated. We need to
define constraints regarding how they present and manipulate user data and
interactions.

~~~
jaequery
whatever happened to the saying, "if you don't like it, don't use it"?

~~~
Al-Khwarizmi
It died with network effects. And no, I'm not going to make all my family
(including non tech-savvy, 60-year-old people) download a second app to talk
with me apart from the ubiquitous Whatsapp they use to talk with everyone
else.

------
jimnotgym
The billion dollar question: are any of the affected users EU citizens?

~~~
seq
Definitely yes, and plenty enough.

------
coldcode
Did not mention what was leaked/taken or how 50M and not everyone.

~~~
microwavecamera
Or why FB waited almost a week to tell us.

~~~
r3bl
> On the afternoon of Tuesday, September 25, our engineering team discovered a
> security issue affecting almost 50 million accounts.

Now it's 28th, meaning that they've disclosed the breach within 72 hours, as
requested by at least one regulation (Article 33 of the GDPR).

That's clearly not even half a week.

~~~
microwavecamera
Over 50M accounts are compromised and we're going to split hairs on the proper
way to divide up a week? The optimal number of days to alert your 50 million
users that their accounts have been compromised is zero. Think about how many
businesses that use FB and the thousands of 3rd party sites that use
Facebook's API to authenticate users. I don't feel Facebook should get to be
sole arbiter on deciding the severity of the incident when it affects so many
and has so much potential to financially impact other businesses. They should
have immediately sent out an alert when they discovered it.

------
lima
Worst case: the attacker now has 90 million users' messaging history.

Fun times.

~~~
propman
...is that seriously possible with this scope and such little time?

~~~
millzlane
I know for sure that you can view all of the pictures sent in a conversation
if you have never "ended" the conversation. All I can think about is all of my
partners who have sent x rated photos using messenger. It could very well be
the next "fappening" and tied to real identities.

------
jzawodn
So that's why I had to re-login this morning.

------
sct202
Are they under-estimating that 90 million people (out of 2 billion accounts)
have to log back in?

I had to log back in and so did 6 out of the 8 people I've asked so far.
Purely anecdotal, but it just seems unusual that if only 5% of accounts are
affected that so many of the people I talk to would be potentially affected.

~~~
DickVanDyke
Where are you located, I suspect it is related to location.

------
riquito
90 million, the title should be updated (50 million certainly affected + 40
million as a precaution (so far))

------
bogomipz
> “This is another sobering indicator that Congress needs to step up and take
> action to protect the privacy and security of social media users,” Senator
> Mark Warner, a Democrat from Virginia and one of Facebook’s most vocal critics
> in Congress, said in a statement.

What an ass. It's simply amazing that he makes a statement like that when
Congress hasn't bothered to "stand up" to Equifax, Experian and TransUnion
yet. Not once. Maybe look into protecting privacy and security of people
period, FB and social media are but one component of that.

------
zaman8040
> The second bug was that this video uploader incorrectly used the single signon
> functionally, and it generated an access token that had the permissions of the
> Facebook mobile app. And that’s not the way the single sign-on functionality
> is intended to be used.

Is it just me or does this sound like a terrible idea in the first place? Guess
we can't know for sure, but why would anything unrelated to authentication
generate access tokens?

------
arduinomancer
Does anyone else get the feeling that maybe security just doesn't scale for
sites like this?

You have facebook being this huge target for attacks and you combine that with
10,000 engineers with likely not a lot of security training.

Even a single point of failure could compromise the whole site, what are the
chances that no one makes a mistake?

Its like the bigger your company grows while still having a single product,
the higher the probability something like this happens...

------
hvass
I was logged out of my account, but reviewing logs of devices that are
using/have used my account in the past I don't see anything suspicious. What
is the likelihood that the account was breached and accessed without
triggering any of those systems? Is it plausible to speculate that it was
possible for accounts to have been accessed without users receiving emails
from Facebook?

------
ianamartin
It's not 50 million users. It's all of them. The numbers will go up and up and
up in small increments until they basically just admit that it's everyone.
They break the news in the middle of a national political event, minimize the
numbers, and that's the worst of it. The coming ripples that up the numbers
will be mostly ignored.

------
sp527
They logged me out of all my accounts and now I can't log back in because of
their ridiculous 2FA setup. I never provided them my phone number, so they
need me to use their code generator via an active login...except of course I
no longer have any active logins. This is the most ridiculous possible edge
case for a $X00B firm. #SoftwareIsHard

------
erjohnson
What are some secure Facebook Messenger alternatives to use? The only reason I
currently have Facebook is because of the ease behind Messenger but I do not
want to continue using their services. I also need to be able to convince my
friends to try a different platform since I want to be able to continue to
communicate with them. Any advice?

~~~
albertgoeswoof
Totally understand, instead you can use WhatsApp

Or Instagram has great messaging, and if you’re brave oculus can do great VR
chat!

~~~
erjohnson
Thanks! VR chat looks like the wild west, not sure if I'm ready for that.

~~~
mokus
I suspect they were being facetious - every option in that list is owned by
Facebook.

------
leothekim
The security update was written by.. a VP of product management[1]. I would
have thought they'd have a bigger bench for their security team.

[1] [https://newsroom.fb.com/news/2018/09/security-update/](https://newsroom.fb.com/news/2018/09/security-update/)

~~~
jzl
You know they just lost their highly revered head of security and said there
would be no replacement, right?

[https://www.theverge.com/2018/8/1/17640852/facebook-cso-alex-stamos-departing-no-replacement](https://www.theverge.com/2018/8/1/17640852/facebook-cso-alex-stamos-departing-no-replacement)

~~~
leothekim
Yep. Doesn't mean there isn't a bench.

------
stretchwithme
It sounds like users might be more susceptible if they recently had a birthday
or know someone that did. Of course, birthdays aren't the only reason the
uploader is active.

"But for certain types of posts on users' timelines, such as prompts to post
happy birthday greetings, the video uploader function was shown as active."

------
dillondoyle
My session was reset. I don't remember using view as feature in probably at
least a year or two (I haven't actually used FB web/app over the last year or
two). But my company does buy political ads and I have gone through the
affidavit/id verification.

I wonder if FB reset all political buyer accounts too just to be safe?

------
enitihas
Was everyone logged out automatically or only those who were affected? Is
anyone here who wasn't logged out today?

~~~
bonniemuffin
I was still logged in. I just went and did the "log out all my active
sessions" thing just for good measure, even though I didn't see anything
unusual there.

------
zinssmeister
We compiled details on this breach here, including some insights on the attack
vector: [https://breachroom.templarbit.com/facebook-is-breached-by-hackers-putting-50-million/](https://breachroom.templarbit.com/facebook-is-breached-by-hackers-putting-50-million/)

~~~
ehsankia
Is this in any way related to the person earlier who said they would
livestream hacking Zuckerberg's account?

~~~
zinssmeister
No, but that sounds entertaining!

------
tempodox
I'd be curious to know how much information was stolen on people who aren't
even FB users.

------
RobertSmith
Even after two grilled Senate hearings in this year, Facebook has not taken
things seriously

~~~
saagarjha
They weren’t really grilled at the hearings at all. I heard maybe two
“difficult” questions from Senators, and both ended up getting the response
“we’ll follow up later”.

------
lorinm
Move fast and break things...

------
anontechworker
I have some friends who were new grads and put on the security team. My first
thought was, why put new grads on the security team? Do they really have the
experience to protect this sort of data?

~~~
rock_hard
How else do you suggest would people who don't have experience gather it?

~~~
raarts
By first letting them work on frontend and backend code for a while so they
understand how security problems originate from daily process?

------
Tade0
In my case during re-log-in the second factor of 2FA didn't appear at all.

My first thought was that I must've turned it off at some point, but I just
checked and that isn't the case.

~~~
tatar
2fa and access tokens are probably stored separately, no?

------
bogomipz
So "View As", a tool intended to help you prevent leaking data about yourself,
was used by others to leak your data. What a complete shit show this company
has become.

------
jt3
Being an application security consultant, I see this stuff a lot,
unfortunately. It just takes a missing authorization check on the feature, and
then you've got the keys to the kingdom.

------
wil3
Would it be premature to change my account password in response to this? Also,
does anyone know if phone numbers associated with accounts are included in
this breach?

~~~
cheeze
Rotating your password is never a bad thing

------
ouid
>One of the challenges for Facebook’s chief executive Mark Zuckerberg is
convincing users that the company handles their data responsibly.

------
0xmohit
Facebook is blocking users from posting stories about its security breach

> Some users are reporting that they are unable to post today’s big story about
> a security breach affecting 50 million Facebook users. The issue appears to
> only affect particular stories from certain outlets, at this time one story
> from The Guardian and one from the Associated Press, both reputable press
> outlets.
> ...
> The situation is another example of Facebook’s automated content flagging
> tools marking legitimate content as illegitimate, in this case calling it
> spam.

[https://techcrunch.com/2018/09/28/facebook-blocks-guardian-story/](https://techcrunch.com/2018/09/28/facebook-blocks-guardian-story/)

~~~
Jedi72
I posted on Facebook about how the NSA have a profile of everyone's race,
sexual preference, religion etc. It was in the context of the Australian
government digital health record scheme; I basically said there's no point
opting out of that if you already have Facebook. The post was gone within 20
minutes, right off my wall. Facebook is a closed platform now. At least in
China everyone acknowledges the censorship; in the West we're still censored,
but the fact that it happens is also censored.

~~~
astronautjones
> how the NSA have a profile of everyone's race, sexual preference, religion
> etc. It was in the context of the Australian government digital health record
> scheme

do you have a good link for this?

------
dwighttk
I was just logged out of my account hours after this story broke... that "50M
users" is probably going to go up...

~~~
DickVanDyke
I think the total number of 'affected' users is 90M. The reason for this is
they KNOW of 50 million, but there are an additional 40 M logged out "just in
case".

------
spike021
Ah, so this is why I was force-logged out everywhere for my two accounts in
the past day or so.

------
itsdrewmiller
Fun quotes from all of two months ago:

'Facebook is clearly aware that losing its chief security officer and
dissolving its dedicated security team, in the middle of all that’s going on,
is not a great look. So many of the company’s statements today are clearly
designed to address obvious concerns that arise.

“We expect to be judged on what we do to protect people’s security, not
whether we have someone with a certain title,” a spokesperson said. In another
statement, Facebook said it is “investing heavily in security to address new
types of threats” and that its new security structure has “helped us do more
to keep people safe.”'

Source: [https://www.theverge.com/2018/8/1/17640852/facebook-cso-alex-stamos-departing-no-replacement](https://www.theverge.com/2018/8/1/17640852/facebook-cso-alex-stamos-departing-no-replacement)

~~~
quotemstr
It is essential that tech companies, especially ones that provide critical
infrastructure, place technical excellence above other priorities. Denigrating
meritocracy is like pollution: the impact may not be immediate, and in the
short term, it may look like you can have your cake and eat it too, but the
universe is not caring and not kind, and if you forget about the need for
excellence in the continual struggle against entropy, nature will eventually
get around to teaching you a harsh and remedial lesson.

~~~
gaahrdner
Is Facebook now considered critical infrastructure?

~~~
wolf550e
If everything facebook knows about all its users and their contacts who are
not themselves facebook users becomes public, people will get hurt.

~~~
Kalium
You're absolutely, completely, 100% correct. Facebook holds an _immense_ trove
of private information that in the wrong hands could be leveraged to inflict
unimaginable pain and suffering.

With that said, is it perhaps possible that some people might view this as
subtly distinct from power plants, hospitals, roads, and ISPs? Those are what
are generally considered "critical infrastructure".

~~~
wolf550e
If you also add the ability to micro-target voters at scale using everything
facebook knows about them using secret ads and niche content that only those
voters will see and no one knows needs debunking, and thus changing the
government, then it is very much like the power plants.

I understand the point that you don't need facebook the way you need the
ability to feed the people in the cities (and thus need roads and power
plants). If facebook disappears, life will go on. But as long as it exists,
control of it is critical like control over power plants.

~~~
Kalium
In the sense that it allows for power, you're completely correct!

In the sense that it's an _immediate_ need for the continued basic functioning
of the state, it's possible that there may be some distinctions that could be
drawn. Some might opine that these are the distinctions that matter for the
designation of what is and isn't critical infrastructure.

------
rachelbythebay
Don’t chase away the fixers.

------
allthecybers
It's pretty sad that FB still has 50 million users to compromise.

------
DickVanDyke
Those of you that did have to login again, where are you located?

~~~
rrdharan
I'm in the US (NY).

------
kgc
Maybe 'view as' should just return a static page.

------
daveheq
The more popular something is, the more it's a target.

------
seem_2211
Facebook is really getting hammered in the press this week.

------
hestefisk
I am so glad I shut down my fb account six months ago.

~~~
a_imho
More probable you gave up access to your account six months ago. Imo it is
worth considering keeping it around and actually obfuscating its content.

------
shanemlk
I read that article about how the Whatsapp founder got screwed over by
Facebook. Facebook is a sad company. I'd much rather pay for a quality product
than be a pawn in this data collection crap.

------
carrja99
Well thank goodness I left facebook a year ago. Never regret it! Now I can
interact with people in person in peace vs. heated online debates about DJT
that make me want to avoid them in person.

------
hmate9
Good time to buy facebook shares

------
tflinton
I know I'm a jerk for thinking this but "what do you expect from PHP"

~~~
Zelphyr
I'm no fan of how bad PHP code is often written but between the choice of
laying blame on PHP or Facebook's "Move fast and break shit" philosophy, I'm
choosing the latter.

------
securityn00b
Another big bummer for FB

------
sonnyblarney
inevitable

------
IBM
If you watched the Senate hearing on privacy two days ago you'd have seen that
they were remarkably on the same page about potential privacy legislation [1].
Facebook's continued fuck ups will only help the cause, and for that I'm
grateful.

[1] [https://www.c-span.org/video/?451963-1/google-apple-amazon-tech-companies-testify-data-privacy](https://www.c-span.org/video/?451963-1/google-apple-amazon-tech-companies-testify-data-privacy)

~~~
nv-vn
Of course they're on the same page. They can afford the best lawyers and as
much infrastructure as they need to fulfill the requirements, while every new
competitor gets sued from all angles. I'd be very surprised if any of that
regulation actually serves the user in any positive way.

~~~
IBM
I was talking about the Senators.

------
aviv
> The company is in the beginning stages of its investigation.

This is code for "this is much worse than we are telling you now, we just
can't reveal it all at once".

I dislike Facebook as much as the next person.. but I have to say, Facebook
Ads are a goldmine if you know what you're doing. It's not going to be that
way forever.

------
prolikewh0a
Isn't this what happens at Facebook 24/7/365, just this time it wasn't
authorized/paid for?

~~~
bitL
No, this affected only 50M users.

------
irishcoffee
Empty dupe also on front page:
[https://news.ycombinator.com/item?id=18094852](https://news.ycombinator.com/item?id=18094852)

~~~
sctb
Thanks! We've duped it.

------
raffael-vogler
Why is this not listed on hckrnews.com?

~~~
raffael-vogler
why the downvotes?

------
EGreg
On the one hand, every time another scandal or breach is revealed about
centralized networks, I want to post this and have everyone recognize the root
problem and the solution:

[https://Qbix.com](https://Qbix.com) (see the video)

On the other hand, I feel like I’m shamelessly promoting/shilling my own
company.

How to do it in a classy way? I really believe that there is a problem people
are not recognizing enough to do something about it (Diaspora and Mastodon and
Solid are exceptions).

And I spent the last 7 years and $700K of our company’s profits solving it. So
it’s now solved. If Mastodon is “a decentralized Twitter creation kit” where
you own your own data, then Qbix is a “decentralized Facebook creation kit”
where you can assemble social apps from a growing marketplace of reusable
components, some of which don’t exist anywhere. Here for example is a Group
Rides plugin that basically makes a social Uber, and ANYONE can have it on
their OWN social network:

[https://youtu.be/Z7Q7IzVv1VU](https://youtu.be/Z7Q7IzVv1VU)

OK, but we are perfectionists and are spending months polishing “the other
90%” so it’s not a flop when we release it to the public to create their own
facebooks. We need really clean onboarding and measure engagement metrics and
fix bugs etc. It took 7 years thus far.

For example this was last year, we are way more advanced now:

[https://vimeo.com/208438090](https://vimeo.com/208438090)

So, advice would be appreciated from people who have successfully done this before.
Maybe contact me (qbix.com/about has my email link). How do we get the story
out there that Qbix is being built to FIX the underlying root problem of
decentralizing social networking, so people’s data isn’t in one place?

Please if you have some knowledge about this, take a look at the above videos
and let us know what advice you have to get stories actually published.

 _PS: one more thing, we managed to get tons of inadvertent press back in
March including BBC and Newsweek, which you will find if you search for
“calendar mining” or “qbix calendar”. BUT when I reached back out to those
journalists to cover an actual story of what Qbix is actually doing, none of
them replied. Many of them just want to break the sensational controversy
because that brings notoriety. How do you make them write about SOLUTIONS to
problems?_

~~~
lukebennett
Seeing as you asked... your website's terrible UX doesn't help. I just took a
look and moved on within 30 seconds - a dated look and feel (that also feels
targeted at primary school teachers), walls of text, broken links, no clear
route back to the homepage to reorient yourself (can't click the logo), no
clear waypoints to follow...

You only get one chance to make a first impression. I'm afraid the first
impression I got means I'm unlikely to return. I suspect the same applies to
all those who took a look in March.

~~~
EGreg
Which links were broken?

What makes it dated specifically? Versus let’s say
[https://joinmastodon.org/](https://joinmastodon.org/)

Also did you visit from a mobile phone or desktop?

~~~
TACIXAT
>What makes it look dated?

3D strong blue and green spinning globe. 3D logo, hard (high contrast?) RGB
values. Child's drawing header looks like a hospital. Mission statement not at
all aligned with what your comment says. Empowering people page, weird lego
photoshop. More strong RGB icons.

>We build apps for all kinds of communities.

I assume this is an app building consultancy from this statement. Nothing
about decentralization. Way too much text on the page (for people like me who
cbf to read). Are you trying to get people to download your group / calendar
app or build apps on qbix? Choose a goal and optimize your copy for it.

Mastodon - Single page layout. Clear mission statement (Social networking,
back in your hands). Flat (material?) icons. Single, fixed width column of
text. Lower contrast color scheme.

------
RoadieRoller
My mind has fashioned me to think that these leaks, so called, are planned. As
to why I think so, it is simple. When you, as Facebook, sell user data to other
companies/third parties/countries, then it is a crime, or is subject to
investigation when it is known. But these so called leaks are deemed "we are
sorry, we will fix it, but we are so sorry about the data". And that is it. No
one is responsible.

Now you have 50 million people's data for sale. Are you in that 50 million?
You don't know or you will never know.

Connected incidents - British Airways Data Leak, Equifax, Uber Data Theft
Cover Up, Air Canada, T-Mobile, Dixons Carphone......how many such. All of
them soon will be available for sale, with no one to blame.

~~~
maym86
Wild speculation. Any evidence?

I don't think there has been much stopping these companies selling the data up
to this point. That's been the issue with Facebook and others, they have
happily sold peoples data with little legal protection for the people whose
data they sell. There is no crime in just selling the data within the US so
your theory doesn't hold up.

Never attribute to conspiracy that which is adequately explained by
incompetence.

~~~
RoadieRoller
I don't have any evidence. But I just like to think of it that way. Also it could
be because I finished reading most of the books mentioned here
[https://news.ycombinator.com/item?id=17749283](https://news.ycombinator.com/item?id=17749283)

BTW there are people who need data, not just people within US.

[https://www.nytimes.com/2018/09/26/world/asia/trump-china-election.html](https://www.nytimes.com/2018/09/26/world/asia/trump-china-election.html)
"Mr. Trump did not suggest that China’s behavior was on the scale of Russia’s
sophisticated campaign of manipulating social media and the release of hacked
emails during the 2016 presidential election."

[https://www.rappler.com/technology/news/211276-facebook-twitter-testimony-us-senate-september-5-2018](https://www.rappler.com/technology/news/211276-facebook-twitter-testimony-us-senate-september-5-2018)
Sen. Richard Burr, R-N.C., the chairman of the Senate Intelligence Committee,
opened the hearing by citing the promise of social media before adding, "But
we've also learned about how vulnerable social media is to corruption and
misuse. The very worst examples of this are absolutely chilling and a threat
to our democracy."

Already, Russia and Iran have sought to interfere by passing themselves off as
American groups or people to shape the views of American voters, say lawmakers
and technology executives. Facebook, Google and Twitter together took down
hundreds of accounts tied to the two countries last month, a move that
prompted Burr to open the hearing Wednesday by expressing fear that "more
foreign countries are now trying to use your products to shape and manipulate
American political sentiment as an instrument of statecraft."

Cambridge Analytica - Worked with some Indian Political Parties or the
Government itself too.

Lawmakers aren't limited in the questions they can pose Facebook and Twitter.
Sandberg's boss, Facebook CEO Mark Zuckerberg, faced questions in April
hearings that extended far beyond the reason the hearing was called:
Facebook's entanglement with Cambridge Analytica, a political consultancy that
improperly accessed 87 million users' personal information. Sandberg could
also face questions on Cambridge Analytica.

~~~
Angostura
> But I just like to think it that way.

You should try and change that. Best to deal with the actual verifiable ills
of the world, without causing misdirection and making up new ones

------
0xmohit
Why do I get a feeling that this "breach" notification is related to the
following news that appeared a day earlier?

“Facebook Is Giving Advertisers Access to Your Shadow Contact Information”

Source: [https://gizmodo.com/facebook-is-giving-advertisers-access-to-your-shadow-co-1828476051](https://gizmodo.com/facebook-is-giving-advertisers-access-to-your-shadow-co-1828476051)

