There’s been a major security incident at Facebook. The company admits that they were hacked and 50 million accounts were affected.
It’s no doubt the last thing Facebook needs right now. After things had gotten rather quiet for the company on the issue of personal information, Facebook quietly announced a bombshell admission. They say that their security team discovered unauthorized access to their data. Hackers, they say, exploited a vulnerability in their security to gain this access. From Mashable:
A Friday morning press release from our connect-people-at-any-cost friends in Menlo Park detailed a potentially horrifying situation for the billions of people who use the social media service: Their accounts might have been hacked. Well, at least 50 million of them were “directly affected,” anyway.
The so-called “security update” is light on specifics, but what it does include is extremely troubling.
“On the afternoon of Tuesday, September 25, our engineering team discovered a security issue affecting almost 50 million accounts,” reads the statement. “[It’s] clear that attackers exploited a vulnerability in Facebook’s code that impacted ‘View As’, a feature that lets people see what their own profile looks like to someone else. This allowed them to steal Facebook access tokens which they could then use to take over people’s accounts.”
That’s right, almost 50 million accounts were vulnerable to this attack. As for how many were actually exploited?
“Fifty million accounts were directly affected,” explained Facebook VP of product management Guy Rosen on a Friday morning press call, “and we know the vulnerability was used against them.”
“We did see this attack being used at a fairly large scale,” added Rosen. “The attackers could use the account as if they are the account holder.”
Facebook went on to say that they have no information on whether account information was improperly used. They also say that they have since fixed the vulnerability.
In terms of public relations, this is about the last thing Facebook needs right now. Just when they probably thought that they could move past a previous firestorm about personal information, this happens. That previous firestorm is, of course, the Cambridge Analytica scandal, where there was an uproar over data mining practices.
Many at the time called this a security breach. However, by most technical accounts, it is merely a data handling issue. Technically speaking, a breach is when an unauthorized party gains access to a computer system. Others have called that incident a leak, but a leak involves a party accidentally exposing information to potential unauthorized third parties. Neither of those definitions fits the Cambridge Analytica case.
What accurately fits the case is the definition of data mining, where the company examined what amounts to public information. That analysis permits companies to use artificial intelligence to fill in whatever information gaps there are, including information about people’s friends. While this had been going on for a considerable amount of time at Facebook, the fact that one company used this information to help sway the US presidential election as well as, allegedly, the Brexit vote caused the issue to get considerable amounts of public scrutiny.
Because of all of this, the risk for Facebook is that this is going to blow up in the media and the personal information nightmare will get repeated. So, no doubt, Facebook was caught between a rock and a hard place when they discovered this recent security incident. Announce now that, yes, Facebook was hacked and deal with the consequences? Alternatively, keep quiet and hope it doesn’t go public? If the latter, then the public relations problem would be substantially worse because it adds the element of hiding bad developments from the public.
So, the calculus is understandable here. Quietly bury this in a seemingly innocuous security update. If people find it, well, the company was transparent, so who could knock that? At the same time, gamble that no one would notice. If no one notices, great, no big deal.
With word getting out, what is likely the hope at this point is that this whole thing will blow over with minimal damage. So, it’ll be interesting to see if there is any fallout as a result of all of this.
Drew Wilson on Twitter: @icecube85 and Google+.