Facebook has claimed that no user data was compromised in an attack on its systems in January, but security experts say this is difficult to guarantee.
The social networking firm said the attack occurred when a “handful of employees” visited a mobile developer site that was compromised.
Facebook said the employees' laptops were fully patched and running up-to-date antivirus software.
“As soon as we discovered the presence of the malware, we remediated all infected machines, informed law enforcement, and began a significant investigation,” the company said in a statement.
Initial investigations have revealed that the attack used a zero-day exploit to bypass the Java sandbox and install the malware.
Oracle issued a security patch for the vulnerability on 1 February 2013.
“We have found no evidence that Facebook user data was compromised,” the blog post said.
But this is difficult to guarantee, unless data access is regulated with proper controls, according to Barry Shteiman, senior security strategist at security firm Imperva.
“Controlling data access in your organisation ensures that incidents such as this do not result in data loss – even when malware zero-day attacks cannot be prevented, you can prevent data loss,” he said.
In a blog post, Shteiman said he was surprised that a technology-driven company such as Facebook had fallen prey to a malware drive-by attack.