No user data compromised in hack, claims Facebook

Facebook claims that no user data was compromised in a zero-day attack on its systems in January

Facebook has claimed that no user data was compromised in an attack on its systems in January, but security experts say this is difficult to guarantee.

The social networking firm said the attack occurred when a “handful of employees” visited a mobile developer site that was compromised.

The compromised website hosted an exploit, which then allowed malware to be installed on these employees' laptops, according to a blog post.

Facebook said the laptops were fully patched and running up-to-date antivirus software.

The attack was identified only when its security team found a suspicious domain within the company's corporate DNS logs that was tracked back to a company laptop.


“As soon as we discovered the presence of the malware, we remediated all infected machines, informed law enforcement, and began a significant investigation,” the company said in a statement.

Initial investigations have revealed that the attack used a zero-day exploit to bypass the Java sandbox to install the malware.

Oracle issued a security patch for the vulnerability on 1 February 2013.


“We have found no evidence that Facebook user data was compromised,” the blog post said.

But this is difficult to guarantee, unless data access is regulated with proper controls, according to Barry Shteiman, senior security strategist at security firm Imperva.

“Controlling data access in your organisation ensures that incidents such as this do not result in data loss – even when malware zero-day attacks cannot be prevented, you can prevent data loss,” he said.

In a blog post, Shteiman said he was surprised that a technology-driven company such as Facebook had fallen prey to a malware drive-by attack.
