Facebook's worst security breach batters user trust once again
FACEBOOK Inc's worst security breach is a major blow to the company's effort to rebuild trust with users after a privacy scandal in March.
A hacker - or hackers, as Facebook does not know the number - exploited several software bugs at once to obtain login access to as many as 50 million accounts.
That access let the intruder act like users on their profiles, or on any applications where they signed in using Facebook.
Facebook has since fixed the vulnerability, but it does not yet have answers to crucial questions. It is unclear what the hackers did with the access. Were they looking for private data, or were they trying to impersonate real users and post misleading information? Was this another instance of election interference, like the kind that Russia and Iran have staged? Was there any sign of who the attackers were or whom they were trying to target?
Either way, it will now be harder for the public to believe that the company has made progress since chief executive officer Mark Zuckerberg pledged in April during congressional hearings to protect user data above all else and invest more in security.
If people lose confidence in Facebook's handling of their personal information, they may spend less time or share less on the social network, limiting the company's ability to make money from their activity.
In the incident disclosed last Friday, the Menlo Park, California-based company said that it started investigating suspicious activity on Sept 16. A few days before that, Mr Zuckerberg wrote that the company was better prepared for attacks by foreign actors spreading division and misinformation ahead of elections in the United States, France and other countries.
The prospect of hackers taking control of almost 50 million Facebook accounts may undermine those assertions. The breach is very different from the crisis earlier this year that forced Mr Zuckerberg to testify in Congress.
In that case, the maker of a personality quiz app on Facebook transferred his database of profile information to a third party, Cambridge Analytica. That political consulting firm told Facebook that it had deleted the information, but it had not.
One Facebook defence at the time was that there was no technical security problem - it was a human error and a lie. The data transfer also happened several years earlier, and Facebook had scrapped ties with developers that allowed it to happen.
This time, Facebook can give no such reassurances. Regulators were quick to criticise the company, demand more information and call for an investigation. There are signs that Facebook has learnt from its past crises, however.
After the Cambridge Analytica news broke, Mr Zuckerberg did not address the public for days. This time, he got on a call with the media right away to try to explain what happened. "This is a very serious issue," he said. BLOOMBERG