BENGALURU, INDIA – Facebook has tentatively concluded that spammers looking to make money, and not a nation-state, were behind the largest-ever data theft at the social media company, the Wall Street Journal reported on Wednesday.
The people behind the attack were a group of Facebook and Instagram spammers who present themselves as a digital marketing company and whose activities were previously known to Facebook’s security team, the Journal reported, citing people familiar with the company’s internal investigation.
Last week, Facebook said attackers had stolen data from 29 million Facebook accounts using an automated program that moved from one friend to the next. It said the data theft had hit fewer than the 50 million profiles it initially reported.
Facebook said in an email that it was cooperating with the Federal Bureau of Investigation on this matter. It has also notified the FBI, Department of Homeland Security, congressional aides and the Data Protection Commission in Ireland, where the company has its European headquarters.
The breach has left users more vulnerable to targeted phishing attacks and could deepen unease about posting to a service whose privacy, moderation and security practices have been called into question by a number of scandals, cybersecurity experts and financial analysts have said.
Facebook first disclosed the breach in late September and said it had fixed the issue soon after discovering it on Sept. 25.
The company says hackers weren’t able to access sensitive information like passwords and financial information. Still, for users already uneasy about the privacy and security of their Facebook accounts, the details that hackers did gain access to — gender, relationship status, hometown and other info — might be even more unsettling.
Facebook has been quick to let users check exactly what was accessed. But apart from learning what information the attackers accessed, there is relatively little that users can do other than watch out for suspicious emails or texts.
Facebook has come under further scrutiny due to a lawsuit that alleges it lied about misleading advertisers about the average time users spent viewing online video clips.
Facebook acknowledged in September 2016 that it had inflated the viewing number for marketers, and said it had fixed its calculations.
The online marketing agency that sued over the misrepresentations, Crowd Siren, now claims that Facebook knew as early as 2015 that it was overreporting the figures. Although Facebook told some advertisers it had overestimated average time spent watching videos by 60 to 80 percent, the plaintiffs believe that average viewership metrics had been inflated by up to 10 times.
Crowd Siren added fraud claims and a request for punitive damages against the company in an amended complaint filed Tuesday in federal court in Oakland, California.
Facebook didn’t correct the inflated metrics, according to the filing. Instead, the company engaged in a public relations campaign to deflect attention from the errors, Crowd Siren said, citing internal company documents and email exchanges.