Facebook Eyes Spammers for Mega-BreachSocial Network Reportedly Sees No Signs of Nation-State Hackers
Facebook is eyeing spammers as being the culprits behind its recently disclosed mega-breach, The Wall Street Journal reports.
See Also: 2021 Cyberthreat Defense Report
Preliminary findings from Facebook's internal investigation suggest that the attackers were not affiliated with a nation-state, but rather part of a known spam ring, the newspaper reports.
"Internal researchers now believe that the people behind the attack are a group of Facebook and Instagram spammers that present themselves as a digital marketing company, and whose activities were previously known to Facebook's security team," the newspaper reports, citing unnamed individuals with knowledge of the investigation.
If that is true, it would mean that unlike many previous mega-breaches - including a massive 2013 data breach at Yahoo - this Facebook breach was not intended as an espionage information-gathering exercise, but rather had a purely financial impetus.
Facebook didn't immediately respond to a request for comment on the report. It had previously declined to speculate as to potential culprits behind its breach, although it has said that it's working with the FBI as part of its criminal probe into the breach.
If Facebook's breach turns out to have been the work of a spam ring, it wouldn't be the first time such a group had taken down such a big target. For example, U.S. prosecutors tied the massive breach of JP Morgan Chase in 2014 to a group of U.S., Israeli and Russian nationals that it accused of illegally trading in pharmaceutical products and counterfeit and malicious software, running illegal online internet gambling operations as well as running pump-and-dump stock schemes (see Russian Charged in JPMorgan Chase Hack Extradited to US).
Facebook's investigation is continuing since its security team first detected the breach on Sept. 25.
On Sept. 28, Facebook issued its first alert about the breach, saying it suspected that attackers had hacked into 50 million accounts by exploiting its "view as" privacy feature, which its security team first detected on Sept. 25.
Many organizations, as they investigate data breaches, find that their initial estimate of breach victims changes as they uncover more details (see Equifax Breach Victims: UK Count Goes Up).
Indeed, on Friday, Facebook revised its estimate of the number of breach victims downward. It now believes that 30 million accounts were breached. For 14 million users, it said that attackers accessed extensive details, including their 15 most recent searches, the last 10 places they checked into or were tagged in and the device types they used to access Facebook. For another 15 million account holders, meanwhile, hackers accessed only name and contact details - phone number, email address or both.
Access Tokens Stolen
Facebook has warned that attackers had obtained access tokens for all of the breached accounts, which it has since invalidated. As an extra safeguard, it invalidated tokens for all 90 million - requiring users to log back in to Facebook online or on their mobile device - that had ever used the "view as" feature.
Those access tokens would give attackers full access to any account.
After Facebook invalidated the tokens, it admitted that it could not ensure that all third-party services that allow access via Facebook's single sign-on system, called Facebook Social Login, would have honored the token-reset request (see Experts' View: Avoid Social Networks' Single Sign-On).
As a result, one ongoing concern has been attackers' ability to potentially access Facebook users' accounts on other services, including Instagram, Tinder, Expedia and others, even after Facebook reset the tokens on its end (see Facebook Breach: Single Sign-On of Doom).