Buried underneath reports of midterm election tensions and the White House’s racist ads, news broke late last week that an unknown number of Facebook users had their private messages hacked and put up for sale.
Anonymous hackers claimed they had successfully stolen the private messages of some 120 million Facebook users, BBC first reported Friday. While that number hasn’t yet been confirmed, private messages from at least 80,000 accounts have already been published, with communications ranging from holiday photos to intimate exchanges. The hacking victims identified thus far have been centered mainly in Ukraine and Russia, although the hack has reportedly reached Facebook users in places like the U.S. and Brazil.
While the hackers selling the private information — each account’s messages were going for only 10 cents apiece before they were pulled down — haven’t yet been identified, Facebook has blamed malicious browser extensions rather than their own security issues. (The specific extensions haven’t yet been identified, and BBC hasn’t identified the forum on which the stolen messages first appeared.) As Gizmodo noted, Facebook VP of Product Management Guy Rosen said that the stolen information was obtained via “malicious browser extensions installed off of Facebook.”
Be that as it may, it’s not as if the hack took place within the past few days, and Facebook is just now issuing a response. The messages from the hacked accounts were published as early as September, when an account named “FBSaler” first started hawking the messages to prospective buyers. It’s unclear if Facebook didn’t know about the hack, or if they were simply ignoring the theft. Either way, it’s a terrible look for the company.
After all, it’s not as if tech giants aren’t already aware that malicious browser extensions exist. In fact, “last year, Google caught three malicious extensions masquerading as AdBlock Plus, one of which had been downloaded tens of thousands of times before it was removed,” Wired reported.
In a chorus that’s been repeated many times over the past few months, the revelations are the latest blow to Facebook’s claims of user security and privacy. From the Cambridge Analytica scandal, in which tens of millions of users had their data unknowingly accessed, to Russia’s massive social media interference operations, Facebook’s reputation has taken beating after beating over the past 15 months.
And with each successive revelation, Facebook has ignored calls for increased transparency. For instance, while Twitter last month dumped everything it knew about fake Russian accounts, Facebook has still refused to release the content of fake Russian posts on its platform, or even just the names of all of the accounts identified.
Moreover, the latest hacking scandal comes only a week after Facebook’s largest security breach to date, which compromised the accounts of tens of millions of users. Like the private messaging hack, the September security breach was trans-Atlantic, with millions of users in the U.S. and Europe affected. Most concerning? Facebook still has not idea who was behind the breach — and is now facing a class-action lawsuit for failing to protect users’ data.
All of the security-related revelations — hacks, breaches, lawsuits — have helped send Facebook’s stock price spiraling. As of Monday afternoon, Facebook’s stock price had bottomed to about $148, nearly 30 percent lower than its post-2016 high.
And it’s not just stock prices. A Pew poll from two months ago found that a whopping 44 percent of 18 to 29-year-old American Facebook users had deleted the Facebook app from their phone. And that was before the company came clean about its biggest security breach and private message hack to date.