In a late-Friday release of bad news, Facebook disclosed this afternoon that it was hacked last month.
The company said it found “no evidence” that user data had been affected, but with the amount of private data Facebook stores on its servers, the hack delivered a stark reminder of how vulnerable user privacy is.
“The reality is our data is not that safe. Millions and millions of machines are infected every day,” said Chester Wisniewski, a security researcher at Sophos.
Still, Wisniewski pointed out that, while several staffers’ machines were infected, it would take significantly more to open up Facebook’s treasure trove of data.
“They take security very seriously. They have a large professional security team, and they know how valuable that data is,” said Wisniewski. Facebook has been a client of Sophos’s in the past, he said.
Aleecia McDonald, director of privacy at the Center for Internet and Society at Stanford, agreed that Facebook had apparently handled the incident responsibly.
“This appears to be a story about how Facebook’s people caught a possible problem before it could hurt their customers, stopped bad things from happening to other companies, and handled reporting the issue admirably. I am only working from information Facebook provided, but it looks like they are to be congratulated on a job well done,” she said.
The staffers’ machines were infected when they visited a website on mobile development. There, an exploit targeting Java, a widely used and vulnerability-prone piece of software, was buried in the site’s HTML.
“The attack was injected into the site’s HTML, so any engineer who visited the site and had Java enabled in their browser would have been affected, regardless of how patched their machine was,” Facebook’s chief security officer, Joe Sullivan, said in an exclusive interview with Ars Technica.
The exploit worked on both Mac and PC operating systems.
But even with the hackers inside several machines at Facebook’s Palo Alto headquarters, they likely couldn’t infect the social network’s codebase or its user databases without bypassing further layers of security.
“Fortunately, to compromise Facebook itself would probably require a lot more steps than simply infecting an employee’s computer,” Wisniewski said.
He described common practices such as two-factor authentication, or requiring multiple machines to sign off to grant any one user access to the most protected databases.
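The practices Wisniewski describes above are commonly implemented as a gate in front of the most sensitive data stores: a second factor proves the requester holds something beyond a password that an infected workstation might have stolen, and a quorum of separate approvers on separate machines means no single compromised account or host can open the store. The following is an added illustration of that pattern, not Facebook’s system or any code from the article; the `PrivilegedAccessGate` class, its resource and user names, the two-approver quorum and the 15-minute session lifetime are all constructed for the example. The one-time-password check follows RFC 4226 (HOTP) so it can be verified against that RFC’s published test vectors.

```python
import hashlib
import hmac
import struct
import time
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over a big-endian 8-byte counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


@dataclass
class AccessRequest:
    requester: str
    resource: str
    approvals: Dict[str, str] = field(default_factory=dict)  # approver -> approving host
    granted_until: Optional[float] = None


class PrivilegedAccessGate:
    """Illustrative gate (hypothetical, not a real product) in front of protected data stores.

    Access is granted only after (1) the requester presents a valid one-time code and
    (2) QUORUM distinct approvers, none of them the requester, sign off from distinct machines.
    """

    QUORUM = 2            # constructed policy value for the example
    TTL_SECONDS = 15 * 60  # constructed session lifetime for the example
    OTP_LOOKAHEAD = 3     # tolerate a few skipped codes, never a replayed one

    def __init__(self, otp_secrets: Dict[str, Tuple[bytes, int]], protected_resources):
        # user -> (shared HOTP secret, next expected counter)
        self._secrets = dict(otp_secrets)
        self._protected = set(protected_resources)

    def request_access(self, user: str, resource: str, otp: str) -> AccessRequest:
        if resource not in self._protected:
            raise PermissionError("unknown protected resource")
        secret, counter = self._secrets[user]
        for c in range(counter, counter + self.OTP_LOOKAHEAD):
            if hmac.compare_digest(hotp(secret, c), otp):
                # Advance past the used counter so the same code cannot be replayed
                self._secrets[user] = (secret, c + 1)
                break
        else:
            raise PermissionError("second factor rejected")
        return AccessRequest(user, resource)

    def approve(self, req: AccessRequest, approver: str, approver_host: str) -> bool:
        """Record one sign-off; return True once the quorum is met and the session is open."""
        if approver == req.requester:
            raise PermissionError("self-approval not allowed")
        if approver_host in req.approvals.values():
            raise PermissionError("each approval must come from a distinct machine")
        req.approvals[approver] = approver_host
        if len(req.approvals) >= self.QUORUM and req.granted_until is None:
            req.granted_until = time.time() + self.TTL_SECONDS
        return req.granted_until is not None

    def is_open(self, req: AccessRequest, now: Optional[float] = None) -> bool:
        now = time.time() if now is None else now
        return req.granted_until is not None and now < req.granted_until


if __name__ == "__main__":
    # Constructed demo: RFC 4226's sample secret, one requester, two approvers on two hosts
    gate = PrivilegedAccessGate({"alice": (b"12345678901234567890", 0)}, {"user_db"})
    req = gate.request_access("alice", "user_db", hotp(b"12345678901234567890", 0))
    gate.approve(req, "bob", "host-b")
    gate.approve(req, "carol", "host-c")
    print("session open:", gate.is_open(req))
```

The replay behaviour is the part worth noticing: once a code has been accepted the counter moves past it, so a code captured from an infected workstation is useless a second time, and an attacker holding one approver’s account still cannot reach the quorum from that approver’s host alone.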
“Think about the number of employees they have who might just be interested in snooping on someone — they’ve got to stop that,” Wisniewski said.
In other words, user data likely wasn’t sitting on the digital equivalent of the kitchen counter when the hackers broke in. But the incident shows that even sophisticated security defenses can be breached.
If the news were all good, Facebook wouldn’t have released it late on a Friday.