On Friday morning, Facebook executives faced yet another painful news cycle. Three days earlier, the engineering team discovered a security issue affecting roughly 50 million user accounts. Out of an abundance of caution, the company said on Friday as it revealed the hack, Facebook took action to shore up security not only for those accounts but 40 million others as well.
The issue at hand: attackers exploited a feature known as “View As,” which lets Facebook users see what their profiles look like to others, in a way that allowed them to take over people’s accounts. “People’s privacy and security is incredibly important,” Guy Rosen, an executive who oversees security and safety, said in a post revealing the breach, “and we’re sorry this happened.”
On a call with reporters Friday, Facebook CEO Mark Zuckerberg and Rosen said the company had fixed the vulnerability and temporarily disabled the “View As” feature amid an investigation into exactly what happened. While their review had not yet shown that the attackers leveraged the access for nefarious purposes — such as posting to people’s accounts or accessing their private messages — the company couldn’t say who the attackers were, what motivated them or what might be uncovered down the line. Facebook, they said, had alerted and was working with the FBI.
As he fielded questions, Zuckerberg went into detail about the steps the company is taking in the wake of this particular snafu, but he struggled to provide fresh perspective on the big picture. Why, he was asked multiple times, should users should continue to trust Facebook, in the wake of another breach of trust?
“Security, it’s an arms race,” the CEO said, as he has many times before. “We’re continuing to improve our defenses, and I think this also underscores that there are just constant attacks from people who are trying to take over accounts or steal information from people in our community.”
The news comes as Facebook struggles with a growing list of problems. In recent months, as the company has worked to overcome the fallout from the Cambridge Analytica debacle, Facebook has multiple times revealed evidence of ongoing foreign influence campaigns on the platform, connected to actors in both Iran and Russia. On Monday, news broke that the founders of Instagram, a bright spot in the parent company’s empire, are leaving. They follow leaders from WhatsApp, who quit earlier this year, adding to an image of instability.
Even the solutions Facebook is working to put in place are generating new headaches. Zuckerberg has repeatedly touted the promise that the company will increase the number of employees working on security and safety from 10,000 to 20,000 by the end of the year. Thousands of those people are content reviewers, crucial employees who help keep everything from hate speech to terrorist propaganda off the platform. Yet one recently filed a lawsuit, seeking class-action status and saying that the “disturbing” images she had to look at as part of the job had given her post-traumatic stress disorder.
The fact that Facebook quickly revealed the breach is evidence of its ongoing commitment to be more transparent with users and the press. And the fact that the company included an apology in that news release shows humility in the face of the gigantic task the company confronts in attempting to protect — and still delight — the community of more than 2 billion users Zuckerberg has put under one roof. On the call, the executives explained that the attackers leveraged a complex series of bugs in order to compromise the accounts, one of which stemmed from Facebook encouraging users to wish one another a happy birthday.
Zuckerberg and Rosen sounded a determined tone on Friday, even as they prepared users for the fact that more bad news may be coming, should the investigation reveal a “broader mission.” Though it is unclear how or if private data was used, the attackers apparently had access to users’ personal information, including fields like their name, gender and hometown.
Regulators and lawmakers, from the Federal Trade Commission to Congress, have already been warning the company that stricter oversight will be coming if Facebook does not prove more capable of protecting consumers on its own. “I want answers,” FTC Commissioner Rohit Chopra tweeted on Friday after news of the breach broke.
For now, roughly 90 million users will at least face the small inconvenience of being logged out of Facebook and other apps that depend on the site for sign-ins. An alert will appear at the top of their News Feed explaining what occurred, the executives said. “We need to do more,” Zuckerberg said on the call, “to prevent this from happening in the first place.”