On February 15, Facebook Security posted a public notice that the company “discovered that our systems had been targeted in a sophisticated attack.” Facebook Security was unusually frank about the details of the attack, including the revelation of how the compromise happened. (Facebook employees’ computers were infected with drive-by malware when the workers visited a mobile developer’s website that had been compromised.)
In its announcement of the attack, Facebook Security boldly proclaimed, “We have found no evidence that Facebook user data was compromised.” (The emphasis is theirs, not mine.)
“Finding no evidence” that data was compromised is certainly not the same as saying “No user data was compromised.” The following comments from real Facebook users might be the evidence of compromise that the social networking site apparently hasn’t found yet:
Your systems sent me information about my roommate's account to my email about 3 weeks ago. We often use the same devices but nothing more. So I'm not so sure that user info has not been compromised.
My wife is unable to log on to her Facebook account. She receives a message that claims our computer has been compromised and she has to download McAfee software to clear away viruses before it will allow her to use Facebook. Is this the hackers who broke into your network trying to download their software on our computer?
I just received 15 friend requests! I think something is going on here. There is no way I could have that many in a matter of hours!
Facebook Security might be putting on a happy face in order to allay the public’s concerns, but I am very unnerved by this attack. With more than one billion users worldwide, Facebook is sitting on a treasure trove of personal information that scammers and other cyber criminals would love to tap. It’s not hard to imagine what could happen if cyber thieves gain unfettered access to Facebook’s stored user data:
- Scammers harvest personal information about individuals from their Facebook pages. This information is used to create spear phishing attacks that look like legitimate messages because there is relevant personal information in the message.
- A targeted individual clicks an embedded link that leads him to a compromised website that surreptitiously loads drive-by malware on his PC or smart phone.
- The malware steals login credentials for all types of personal and corporate accounts—online banking, corporate applications, etc.
- From here a cyber thief has clear access to all sorts of digital riches.
Now take that scenario and multiply it by a billion and you see why Facebook is a big target for advanced persistent threats that will not let up until the goal of getting to user data is achieved.
Digital assets aren’t the only riches at risk. Many Facebook users share too much personal information, believing they can actually control who sees it. Consider the person who tells her friends that she’s going on a business trip. She has just “advertised” that her home will be vacant for a few days. This gives a thief who is privy to that private information an opportunity to ransack her house during her absence. Scenarios like this could become common if cyber invaders are able to peruse Facebook user data at will.
Facebook may have dodged a bullet this time with the attack that it discovered in January, but I can’t help but have this sense that another and much heavier shoe is about to drop.