Facebook unearths hack of 50 million user profiles
Fifty million Facebook users have been exposed to ID fraud in the biggest cyber attack ever on the social media giant.
The company has revealed hackers were able to access user accounts on an unprecedented scale because of a security hole that had remained open for more than a year.
Facebook in the US said it had alerted the FBI, the Department of Homeland Security and Irish data protection authority over the breach.
Security experts said a rogue state such as Russia may have been responsible.
The cyber defence arm of the UK's GCHQ said it was investigating the hack, which allowed attackers full access to private Facebook profiles, and advised British users to be on the lookout for fraud.
Last night, Facebook was facing questions about why it had taken almost two weeks to shut the security hole after noticing "unusual traffic" on its systems in mid-September. The company said a change to its systems in July of last year had allowed hackers to steal "tokens" - digital keys that let users access Facebook without entering their password - from millions of accounts.
Stealing the tokens allowed the hackers to take over accounts, letting them see photos, messages and other private information.
Facebook's Guy Rosen said it was unclear who was behind the attack, but that it was "broad", suggesting it could be the work of an organised group.
David Atkinson, chief executive of cyber security company Senseon, said the details "indicate the hacker is toward the sophisticated end of the spectrum" and it had the hallmarks of a nation state attack.
It comes just weeks before the crucial US midterm elections, which Russian agents have been trying to disrupt through fake news campaigns.
"Given the proximity to the midterm elections, this could be a gift for hackers," Mr Atkinson said. "Facebook as a source of intelligence for foreign states has already been proven."
A spokesman for GCHQ's National Cyber Security Centre said: "There is no evidence that people have to take action such as changing passwords or deleting their profiles.
"However, users should be particularly vigilant to possible phishing attacks."
The Irish Data Protection Commissioner last night criticised the company for being vague about the attack.
A spokesman said it was worrying "this breach was discovered on Tuesday and affects many millions of accounts but Facebook is unable to clarify the nature of the breach and the risk for users at this point".
He added: "The DPC continues to press Facebook to clarify these matters further."