New York, Oct 13 (AP/UNB) — Facebook says hackers accessed data from 29 million accounts as part of the security breach disclosed two weeks ago, fewer than the 50 million it initially believed were affected.
The hackers accessed names, email addresses or phone numbers from these accounts, according to Facebook. For 14 million of them, hackers got even more data, such as hometown, birthdate, the last 10 places they checked into or the 15 most recent searches.
An additional 1 million accounts were affected, but hackers didn't get any information from them.
Facebook isn't giving a breakdown of where these users are, but says the breach was "fairly broad." It plans to send messages to people whose accounts were hacked.
Facebook said third-party apps and Facebook apps like WhatsApp and Instagram were unaffected by the breach.
Facebook said the FBI is investigating, but asked the company not to discuss who may be behind the attack. The company said it hasn't ruled out the possibility of smaller-scale attacks that used the same vulnerability.
Facebook has said the attackers gained the ability to "seize control" of those user accounts by stealing digital keys the company uses to keep users logged in. They could do so by exploiting three distinct bugs in Facebook's code. The company said it has fixed the bugs and logged out affected users to reset those digital keys.
At the time, CEO Mark Zuckerberg — whose own account was compromised — said attackers would have had the ability to view private messages or post on someone's account, but there's no sign that they did.
New York, Oct 12 (AP/UNB) — Facebook said it has purged more than 800 U.S. pages and accounts for spamming users with politically-tinged garbage links and clickbait just weeks ahead of the U.S. midterm elections.
The banned accounts and Facebook sites exhibited "coordinated inauthentic behavior" such as working together to make the pages appear more popular than they actually are. This, Facebook said, was designed to mislead users about who they are and what they're doing.
The social network said these accounts spread "sensational political content" designed to drive people to ad-laden websites outside Facebook. In the past, such spammers have often focused on celebrity gossip, weight loss remedies and fake iPhones.
Pages Facebook removed fell on both sides of the political spectrum, Facebook said, although it declined to say if there were more on the right or the left. The removed pages included the conservative "Nation in Distress" and the left-wing "Snowflakes," among others with names such as "Reasonable People Unite," "The Resistance" and "Right Wing News."
Facebook said it doesn't look at the content of the posts and photos that the accounts are spreading, but rather, the "behavior" of the pages — such as whether they are using fake accounts or sending spam — when deciding whether to remove them.
The turn toward politics suggests that spammers are learning from the Russian playbook on how to get people riled up and clicking. Facebook has been working to weed out misinformation and election meddling since it acknowledged that Russian agents abused its service in 2016.
But while those actors seemed intent on disrupting elections, Facebook says its latest purge was about accounts trying to make money.
San Francisco, Oct 9 (AP/UNB) — Google is shutting down its long-shunned Plus social network for consumers, following its disclosure of a flaw discovered in March that could have exposed some personal information of up to 500,000 people.
The announcement came in a Monday blog post, which marked Google's first public description of the privacy bug.
Google deliberately avoided disclosing the problem at the time, in part to avoid drawing regulatory scrutiny and damaging its reputation, according to a Wall Street Journal story that cited anonymous individuals and documents.
The Mountain View, California, company declined to comment on the Journal's report, and didn't fully explain in its blog post why it held off on revealing the bug until Monday.
The Google Plus flaw could have allowed up to 438 external apps to scoop up user names, email addresses, occupations, genders and ages without authorization. The company didn't find any evidence that any of the personal information affected by the Plus breach was misused.
The timeline laid out by Google indicates the company discovered the privacy lapse around the same time that Facebook was under fire for a leak in its far more popular social network. Facebook's breakdown exposed the personal information of as many as 87 million of its users to Cambridge Analytica, a data mining firm affiliated with President Donald Trump's 2016 campaign.
Congress summoned Facebook CEO Mark Zuckerberg to be grilled about his company's privacy issues in April.
Google CEO Sundar Pichai recently declined an invitation to travel to Washington to testify before the Senate about foreign governments' manipulation of online services to sway U.S. political elections. His absence incensed some lawmakers, who left an empty chair for Google alongside the Twitter and Facebook executives who appeared before the Senate committee in September.
"With this breach announcement, the empty seat bearing Google's name just became a lot hotter," said Mike Chapple, an associate professor of information technology, analytics and operations at the University of Notre Dame.
Pichai went to Washington to mend political fences with lawmakers in late September and agreed to participate in a White House roundtable on technology that President Trump intends to attend. He also will appear in House hearings after the midterm elections in November.
Google has a strong incentive to position itself as a trustworthy guardian of personal information because, like Facebook, its financial success hinges on its ability to learn about the interests, habits and location of its users in order to sell targeted ads.
The desire to peer into people's lives is one of the reasons that Google launched Plus in 2011. It was supposed to be a challenger to Facebook's social network, which now has more than 2 billion users. But Plus flopped and quickly turned into a digital ghost town, prompting Google to start de-emphasizing it several years ago.
But the company kept it open long enough to cause an embarrassing privacy gaffe that could give Congress an excuse to enact tighter controls on data collection.
"Every data mishap strengthens the bipartisan case for Congress to take action on data protection," said Jonathan Mayer, an assistant professor at Princeton University who formerly worked in the Federal Communications Commission's enforcement bureau.
Europe began to impose tougher online privacy regulations in May. Those rules also include disclosure requirements for data breaches. Those rules don't apply to the Plus problem because Google discovered it before they took effect.
Houston, Oct 3 (AP/UNB) — A human trafficking survivor from Texas sued Facebook this week, alleging the social media platform provides human traffickers an unrestricted way to "stalk, exploit, recruit, groom ... and extort children into the sex trade."
The lawsuit was filed Monday in Houston against Facebook, the shuttered classifieds site Backpage.com and the owners of two Houston hotels.
The suit seeks at least $1 million in damages on behalf of a woman identified as "Jane Doe," who was 15 years old when she was sexually assaulted in 2012 after being allegedly targeted and recruited by a sex trafficker on Facebook.
Facebook did not immediately return an email seeking comment on Tuesday. An attorney for Dallas-based Backpage.com didn't immediately return a phone call.
According to the lawsuit, Facebook should be held liable for the conduct of sex traffickers because the social media site has become the "first point of contact between sex traffickers and these children. Facebook not only provides an unrestricted platform for these sex traffickers to target children, but it also cloaks the traffickers with credibility."
Annie McAdams, an attorney for the woman who filed the suit, said her client was befriended by another Facebook user who gained her trust and promised her a job as a model.
But, McAdams said, the other person forced her into sex trafficking within hours of meeting her. She was raped and beaten by people who had paid the trafficker, the attorney said.
McAdams alleged Facebook has not done enough to ensure that users aren't able to hide their identities from unsuspecting minors who may be targets of traffickers or to warn minors of the dangers posed by traffickers and how they can operate online.
"It was not just because a pimp did something that Jane Doe was trafficked. That pimp is not able to traffic Jane Doe unless Facebook allowed him access to her," McAdams said.
The lawsuit comes after President Donald Trump in April signed a new law aimed at curbing sex trafficking. The law weakens a legal shield for online services that host abusive content, including sex trafficking.
The legislation was focused more on classified-ad sites like Backpage.com, which had claimed they aren't the publisher of questionable content but are merely transmitting posts by others.
Backpage.com was shut down by federal authorities earlier this year after the company's co-founders and other employees were arrested in what authorities say was a scheme to publish ads for sexual services, some of which involved children.
"Facebook has the technology to be able to potentially develop algorithms to look for the indicators and the red flags of potential (trafficking) exploitation and abuse," said Tony Talbott, director of Abolition Ohio, a University of Dayton group that works to combat human trafficking.
Maya Simek, co-director of the Human Trafficking Law Clinic and a lecturer at Case Western Reserve University's School of Law in Cleveland, points to a lack of ID verification and a lack of advertisements or other outreach efforts to offer help for victims as some of the problems social media sites face in combating human trafficking.
"I don't think they're doing as much as could be done," Simek said.
Talbott said he thinks the Houston lawsuit will have a difficult time proving that Facebook knowingly facilitated sex trafficking, as the company could show that traffickers are simply exploiting the site.
New York, Sep 29 (AP/UNB) — For users, Facebook's revelation of a data breach that gave attackers access to 50 million accounts raises an important question: What happens next?
For the owners of the affected accounts, and of another 40 million that Facebook considered at risk, the first order of business may be a simple one: sign back into the app. Facebook logged everyone out of all 90 million accounts in order to reset digital keys the hackers had stolen — keys normally used to keep users logged in, but which could also give outsiders full control of the compromised accounts.
Next up is the waiting game, as Facebook continues its investigation and users scan for notifications that their accounts were targeted by the hackers.
What Facebook knows so far is that hackers got access to the 50 million accounts by exploiting three distinct bugs in Facebook's code that allowed them to steal those digital keys, technically known as "access tokens." The company says it has fixed the bugs.
Users don't need to change their Facebook passwords, it said, although security experts say it couldn't hurt to do so.
Facebook, however, doesn't know who was behind the attacks or where they're based. In a call with reporters on Friday, CEO Mark Zuckerberg — whose own account was compromised — said that attackers would have had the ability to view private messages or post on someone's account, but there's no sign that they did.
"We do not yet know if any of the accounts were actually misused," Zuckerberg said.
The hack is the latest setback for Facebook during a tumultuous year of security problems and privacy issues. So far, though, none of these issues have significantly shaken the confidence of the company's 2 billion global users.
This latest hack involved bugs in Facebook's "View As" feature, which lets people see how their profiles appear to others. The attackers used that vulnerability to steal access tokens from the accounts of people whose profiles came up in searches using the "View As" feature. The attack then moved along from one user's Facebook friend to another. Possession of those tokens would allow attackers to control those accounts.
One of the bugs was more than a year old and affected how the "View As" feature interacted with Facebook's video uploading feature for posting "happy birthday" messages, said Guy Rosen, Facebook's vice president of product management. But it wasn't until mid-September that Facebook noticed an uptick in unusual activity, and not until this week that it learned of the attack, Rosen said.
"We haven't yet been able to determine if there was specific targeting" of particular accounts, Rosen said in a call with reporters. "It does seem broad. And we don't yet know who was behind these attacks and where they might be based."
Neither passwords nor credit card data was stolen, Rosen said. He said the company has alerted the FBI and regulators in the United States and Europe.
Jake Williams, a security expert at Rendition Infosec, said he is concerned that the hack could have affected third party applications.
Williams noted that the company's "Facebook Login" feature lets users log into other apps and websites with their Facebook credentials. "These access tokens that were stolen show when a user is logged into Facebook and that may be enough to access a user's account on a third party site," he said.
Facebook confirmed late Friday that third party apps, including its own Instagram app, could have been affected.
"The vulnerability was on Facebook, but these access tokens enabled someone to use the account as if they were the account-holder themselves," Rosen said.
News broke early this year that a data analytics firm once employed by the Trump campaign, Cambridge Analytica, had improperly gained access to personal data from millions of user profiles. Then a congressional investigation found that agents from Russia and other countries have been posting fake political ads since at least 2016. In April, Zuckerberg appeared at a congressional hearing focused on Facebook's privacy practices.
The Facebook bug is reminiscent of a much larger attack on Yahoo in which attackers compromised 3 billion accounts — enough for half of the world's entire population. In the case of Yahoo, information stolen included names, email addresses, phone numbers, birthdates and security questions and answers. It was among a series of Yahoo hacks over several years.
U.S. prosecutors later blamed Russian agents for using the information they stole from Yahoo to spy on Russian journalists, U.S. and Russian government officials and employees of financial services and other private businesses.
In Facebook's case, it may be too early to know how sophisticated the attackers were and if they were connected to a nation state, said Thomas Rid, a professor at the Johns Hopkins University. Rid said it could also be spammers or criminals.
"Nothing we've seen here is so sophisticated that it requires a state actor," Rid said. "Fifty million random Facebook accounts are not interesting for any intelligence agency."