Facebook reveals breach of nearly 50M users' information

Facebook on Friday disclosed that close to 50 million users had account data compromised through a security vulnerability.

The social media giant discovered the issue on Tuesday afternoon and is still in the early stages of investigating, according to a company blog post. The vulnerability is resolved and Facebook has informed law enforcement, the company said.


“The reality here is we face constant attacks,” Facebook CEO Mark Zuckerberg told reporters during a press call this afternoon. “We need to do more to prevent this from happening in the first place. … We’re going to keep investing very heavily in security going forward.”

He insisted security has become "an arms race" for social media giants. "This is going to be an ongoing effort," he said.

This latest revelation comes amid a year of brutal public relations battles for Facebook, which included Zuckerberg testifying for the first time before Congress. The executive's two-day appearance before Senate and House panels came in the wake of news that Trump-linked data firm Cambridge Analytica had improperly obtained data on as many as 87 million Facebook users.


That incident already triggered a Federal Trade Commission probe that remains ongoing. The company in 2011 signed a consent decree with the FTC that included commitments around keeping user data secure.

Democratic FTC Commissioner Rohit Chopra signaled his discontent with the latest revelation Friday, writing on Twitter, “I want answers.”

The Irish Data Protection Commission is likewise “concerned.” In a tweet Friday, the agency said, “At present Facebook is unable to clarify the nature of the breach & risk to users. We are pressing Facebook to urgently clarify these matters.”

Guy Rosen, the Facebook vice president of product management who authored the blog post, said on the call with Zuckerberg that the company had already contacted the Irish Data Protection Commission as well as the FBI about the incident.

Europe’s sweeping privacy rules, the General Data Protection Regulation that went into effect in May, require companies to notify the Irish commission within 72 hours of becoming aware of a data breach.

Of the latest breach, Facebook on Friday said attackers exploited a vulnerability involving a feature known as “View As,” allowing users to see what a profile looks like to other users.

A "complex interaction of multiple issues" involving that feature and Facebook's video upload function allowed hackers to break into accounts by effectively stealing the digital keys that let users stay logged in to Facebook without reentering their credentials, the company said in its blog post. The vulnerability stemmed from changes to video uploading that Facebook made in July 2017.

Since discovering the data breach, the company reset the digital access codes of the nearly 50 million accounts affected. It's also, as a precaution, resetting that information for another 40 million accounts, meaning about 90 million people will need to go through a formal log-in process with Facebook now. They will get a notification in their news feed explaining the incident. Facebook says no one should have to change account passwords.

“We patched the issue last night and are taking precautionary measures for those who might have been affected,” Zuckerberg said on the press call. “In the interest of transparency, we want to share everything we know now.”

He added that the company doesn't know if any accounts were misused and said there’s no evidence of any users’ private messages being accessed or anything posted on others’ accounts, but he did not rule out the possibility.

Rosen added on the call that no credit card information was taken. He said the company doesn't know the attackers’ identities or where they might be based.

Sen. Mark Warner of Virginia, top Democrat on the Senate Intelligence committee, called the news "deeply concerning" in a statement and called for a full investigation.

"This is another sobering indicator that Congress needs to step up and take action to protect the privacy and security of social media users. As I’ve said before — the era of the Wild West in social media is over," Warner said.

Rep. Frank Pallone (D-N.J.), ranking member of the House Energy and Commerce Committee, made an even more overt call for legislation. "Enough is enough," he tweeted. "It is time for Congress to pass comprehensive consumer privacy protections."

The lawmakers' comments come as members of both parties have called for comprehensive federal privacy legislation. The EU and California have already passed their own wide-ranging data privacy laws.

Absent such legislation, the tech industry at present still enjoys a broad grant to self-regulate. Zuckerberg told the Senate Commerce and Judiciary committees in April that he hoped to lead company efforts to make Facebook a better steward of user data. “We didn’t take a broad enough view of our responsibility, and that was a big mistake,” he said.

“It will take some time to work through all of the changes we need to make,” Zuckerberg added. “But I’m committed to getting it right.”
