The Facebook hack may be the work of spammers, not a nation-state affiliated group, according to a report.
The Wall Street Journal reported earlier this week that, according to anonymous sources familiar with Facebook Inc.’s internal investigation, the hack of 30 million users was the work of spammers, not a nation-state as previously assumed.
Facebook has been investigating the hack since it discovered the incident in late September and is working with the FBI on the criminal portion of the investigation. The social media giant last week found that the attack affected 30 million user accounts, which is 20 million fewer than the original estimate.
The company has not officially announced any attribution of the attack, nor has it speculated publicly about the source, though many suspected that it was the work of a nation-state such as Russia, Iran, North Korea or China — all of which have carried out cyberattack campaigns against other countries through social media platforms in the past.
But according to the new report from The Wall Street Journal, initial findings of Facebook’s investigation point to spammers that front as a digital marketing company. According to the report, the activities of the group of Facebook and Instagram spammers were previously known to Facebook’s security team.
The Facebook hack was the result of a vulnerability in the platform’s “View As” feature, which enables users to see their own profile the way the public can see it. According to an update from Guy Rosen, Facebook’s vice president of product management, the vulnerability was the “result of a complex interaction of three distinct software bugs” that enabled attackers to steal Facebook access tokens. The access tokens were digital keys that enabled hackers to access any part of a user’s Facebook account.
Rosen said that, of the 30 million users affected by the Facebook hack, the attackers accessed the names and contact details — including phone numbers and/or email addresses — of 15 million people. For another 14 million, the hackers accessed names, contact details and other information depending on what the user included in their profile. This could have included usernames, genders, locations, languages, relationship statuses, religions, hometowns, current cities, birthdates, education, work, places they had checked into, people and pages they follow, personal websites and the types of devices they use to log in to their account. The remaining one million users did not have any of their information accessed, according to Rosen.
Facebook has not confirmed or denied the report from The Wall Street Journal and has not responded to requests for comment at the time of this writing.
In other news
- Researchers have discovered up to 35 million voter records for sale on a hacker forum on the dark web. The researchers at Anomali Labs and cybercrime intelligence provider Intel 471 said they found a cache of information from U.S. voter registration databases from 19 states. “The databases include valuable personally identifiable information and voting history,” the researchers wrote. “The disclosure reportedly affects 19 states and includes 23 million records for just three of the 19 states. No record counts were provided for the remaining 16 states, but do include prices for each state. We estimate that the entire contents of the disclosure could exceed 35 million records.” The records are from Georgia, Idaho, Iowa, Kansas, Kentucky, Louisiana, Minnesota, Mississippi, Montana, New Mexico, Oregon, South Carolina, South Dakota, Tennessee, Texas, Utah, West Virginia, Wisconsin and Wyoming. The information includes names, phone numbers, addresses, voting history and “other unspecified voting data.”
- All of the major web browsers have announced that they will stop supporting TLS 1.0 and 1.1 in early 2020. Mozilla, Google, Apple and Microsoft have all said they will no longer support the outdated versions of the encryption protocol. TLS 1.0 has been around for 20 years as of January 2019. “Though we are not aware of specific problems with TLS 1.0 that require immediate action, several aspects of the design are neither as strong or as robust as we would like given the nature of the Internet today,” wrote Martin Thomson, principal engineer at Mozilla, in a blog post. “Most importantly, TLS 1.0 does not support modern cryptographic algorithms.” The latest version of the protocol, TLS 1.3, was published in August 2018 by the Internet Engineering Task Force.
- This week Oracle released its quarterly critical patch update (CPU) with 301 patched vulnerabilities. One vulnerability had a severity rating of 10 out of 10; 45 were rated 9.8 out of 10, meaning they can be exploited easily and remotely with no authentication. The 10/10 rated vulnerability affects Oracle GoldenGate. The 9.8-rated vulnerabilities affected products such as the Oracle Database Server, Oracle Communications, the Oracle Construction and Engineering Suite, and several others. The large number of vulnerabilities included in this quarter’s CPU is still not the largest ever. In July 2018, Oracle’s CPU included patches for 334 vulnerabilities, 55 of which had a 9.8 severity rating. The July 2017 CPU also brought 308 patches. Oracle’s conference, Oracle OpenWorld, is set to start next week with security as a major focus.