SINGAPORE – A senior Facebook executive has apologised for a recent data breach that allowed hackers to gain access to nearly 50 million user accounts, in what is believed to be the social media platform’s worst security breach.
At the opening of Facebook’s new Singapore office on Tuesday (Oct 2), Facebook’s vice-president of Asia Pacific Dan Neary said: “We are deeply apologetic for this. We are excited about the fact that we actually discovered it and we are able to shut it down, but it should not happen in the first place. And so we apologise for that, we think we can do better.”
Last Friday, Facebook revealed that attackers had exploited a previously unknown vulnerability in its “view as” feature, which allows users to see what their Facebook profiles look like to others.
This vulnerability allowed attackers to steal users’ access tokens, which they could then use to gain access to the users’ Facebook accounts and to third-party websites that the users had logged into with their Facebook credentials, like Instagram, Spotify and Airbnb.
Attackers could then access personal information stored in users’ Facebook accounts, and use such information in scams and phishing attempts.
The use of such information could make these scams and phishing attempts look more credible, said the Singapore Computer Emergency Response Team (SingCERT), which issued an advisory for Facebook users last Saturday.
On Tuesday, Mr Neary said the company is in the midst of getting to the bottom of the incident and finding out who the culprits are.
“We are partnering with law enforcement to do deep investigations and hopefully we are able to identify who the attackers are. More of that to come, we are in the process of investigating it,” he said at the opening of Facebook’s new office in Marina One in the Marina Bay area.
The event was attended by Minister for Trade and Industry Chan Chun Sing, as well as Mayor of Central Singapore Community Development Council Denise Phua. Close to 100 of Facebook’s government, business and community partners were at the event too.
After the latest breach, Facebook has reset the access tokens of the 50 million affected accounts. As a precaution, it has also temporarily disabled the “view as” function and reset access tokens for another 40 million accounts that have been looked up through “view as” over the last year.
These 90 million people will not have to change their passwords to have their access tokens changed, but they will have to log back into Facebook or any of their apps that use a Facebook login, the company said.
Facebook made headlines earlier this year after the data of 87 million users was improperly accessed by Cambridge Analytica, a political consultancy.