Facebook Inc.’s worst security breach ever is a major blow to the company’s effort to rebuild trust with users of the social network after a privacy scandal in March.
A hacker — or hackers, as Facebook doesn’t know the number — exploited several software bugs at once to obtain login access to as many as 50 million accounts. That access let the intruder act like users on their profiles, or on any applications where they signed in using Facebook.
Facebook has since solved the vulnerability, but it doesn’t yet have answers to crucial questions. It’s unclear what the hackers did with the access. Were they looking for private data, or were they trying to impersonate real users and post misleading information? Was this another instance of election interference, like the kind Russia and Iran have staged? Was there any sign of who the attackers were or whom they were trying to target?
Either way, it will now be harder for the public to believe the company has made progress since Chief Executive Officer Mark Zuckerberg pledged in April congressional hearings to protect user data above all else and invest more in security. If people lose confidence in Facebook’s handling of their personal information, they may spend less time or share less on the social network, limiting the company’s ability to make money from their activity.
In the incident disclosed Friday, the Menlo Park, California-based company said it started investigating suspicious activity on Sept. 16. A few days before that, Zuckerberg wrote that the company was better prepared for attacks by foreign actors spreading division and misinformation ahead of elections in the U.S., France and other countries. The prospect of hackers taking control of almost 50 million Facebook accounts may undermine those assertions.
The breach is very different than the crisis earlier this year that forced Zuckerberg to testify in Congress. In that case, the maker of a personality quiz app on Facebook transferred his database of profile information to a third party, Cambridge Analytica. That political consulting firm told Facebook it had deleted the information, but it hadn’t.
One Facebook defense at the time was that there was no technical security problem — it was a human error and a lie. The data transfer also happened several years earlier, and Facebook had scrapped ties with developers that allowed it to happen. This time, Facebook can give no such reassurances. Regulators were quick to criticize the company, demand more information and call for an investigation.
There are signs Facebook has learned from its past crises, however. After the Cambridge Analytica news broke, Zuckerberg didn’t address the public for days. And this time, he got on a call with the media right away to try to explain what happened. “This is a very serious issue,’’ he said.