Facebook apologises for data breach

Hackers exploited vulnerability to gain access to nearly 50m accounts on social media platform, says top exec

Facebook vice-president Dan Neary (left) receiving a T-shirt from EDB managing director Chng Kai Fong during the opening of Facebook's new office and launch of several new programmes at Marina One, on Oct 2, 2018. ST PHOTO: KUA CHEE SIONG

A senior Facebook executive has apologised for a data breach that allowed hackers to access nearly 50 million user accounts in what is believed to be the social media platform's worst security breach.

At the opening of Facebook's new Singapore office yesterday, Facebook's vice-president of Asia-Pacific Dan Neary said: "We are excited about the fact that we actually discovered it and we are able to shut it down but it should not happen in the first place. And so we apologise for that; we think we can do better."

Last Friday, Facebook revealed that attackers had exploited a previously unknown vulnerability found on its "view as" feature, which allows users to see what their Facebook profiles look like to others.

This vulnerability allowed attackers to steal users' access tokens, which they could use to gain access to the Facebook account and other third-party websites that the user had logged into using his or her Facebook credentials, like Instagram, Spotify and Airbnb.

Attackers could then access personal information stored in users' Facebook accounts, and use such information in scams and phishing attempts.

The use of such information could make these scams and phishing attempts look more credible, said the Singapore Computer Emergency Response Team (SingCERT), which issued an advisory for Facebook users last Saturday.

Yesterday, Mr Neary said the company is in the midst of getting to the bottom of the incident and finding out who the culprits are. "We are partnering with law enforcement to do deep investigations," he said at the opening of Facebook's new office in Marina One in the Marina Bay area.

The event was attended by Minister for Trade and Industry Chan Chun Sing as well as Mayor of Central Singapore Community Development Council Denise Phua. Close to 100 of Facebook's government, business and community partners were at the event too.

After the latest breach, Facebook has reset the access tokens of the 50 million affected accounts.

As a precaution, it has also temporarily disabled the "view as" function and reset access tokens for another 40 million accounts that had been looked up through "view as" over the last year.

These 90 million people will not have to change their passwords to have their access tokens changed, but will have to log back into Facebook or any of their apps that use a Facebook login, the company said.

Facebook made headlines earlier this year after the data of 87 million users was improperly accessed by Cambridge Analytica, a political consultancy.

This led to government inquiries into the company's privacy practices around the world.

Join ST's Telegram channel and get the latest breaking news delivered to you.

A version of this article appeared in the print edition of The Straits Times on October 03, 2018, with the headline Facebook apologises for data breach. Subscribe