This time Facebook can’t blame a third party for last week’s major hacking of some 50m accounts, nor its seemingly scandalous use of cellphone details for marketing purposes when they were logged as security backup numbers.
When the Cambridge Analytica scandal broke, Facebook tried desperately to paint itself as the victim of an outside party that said it would delete user details but didn’t. Actually, the personality quiz app that scraped all that data – an estimated 87m users – was just using the extraordinarily lax privacy controls Facebook itself allowed such apps.
This time there can be no excuses.
Facebook spotted last Tuesday that a hack was possible using its “view as” feature, which lets people view their profile as someone else would see it. It said 50m people were “directly affected” and logged 90m users out as a security measure, the other 40m being people who had used the feature since it was introduced in July 2017.
“Security is an arms race,” Zuckerberg later said, one Facebook appears to be losing.
It’s the third major security problem since June, after Facebook unblocked people who had been blocked (for some this could be life threatening) and changed their sharing settings without permission.
It doesn’t help that last month Facebook’s chief security officer (CSO) Alex Stamos departed, and the company said it would not be replacing him, instead reorganising itself to have security specialists throughout the company. That doesn’t appear to be working out for the world’s largest social network, with some 2.2bn users.
There has been a string of bad news for Facebook. Last week, the high-profile departure of Instagram co-founders Kevin Systrom and Mike Krieger over clashes about the future of the picture-sharing app caused an $11bn sell-off in shares. Bought for the then eye-watering $1bn in 2012, Instagram now has over 1bn users and is Facebook’s fastest-growing source of revenue. It’s also the net to catch the youth market who are not using Facebook itself. But more of that in another column.
Last week Gizmodo’s Kashmir Hill revealed that Facebook uses cellphone numbers given for security purposes (for two-factor authentication, where you enter a numerical code sent by SMS as well as your password) as part of the data it uses for advertising, the so-called “shadow contact information”.
There are also rumours swirling that messaging app WhatsApp will start showing adverts in its Status section, similar to those in Instagram’s Stories.
The news on Friday coincided with a strange publicity stunt last week by a well-known Taiwanese hacker called Chang Chi-yuan who claimed they would delete Zuckerberg’s personal Facebook page last Sunday to show a security flaw, but it never happened. There’s speculation that this was the flaw, but you never can tell.
Another inexplicable side event was that Facebook appeared to block people from posting The Guardian newspaper’s and The Associated Press’s reports on the attack, which it later explained was because the story was being shared so much it thought it was spam.
Zuckerberg said Facebook’s security “is going to be an ongoing effort and we’re going to need to keep on focusing on this over time” – a rehash of his apology tour and testimony to US lawmakers after the Cambridge Analytica scandal that “we need to do better”.
And then some. But when?
This column first appeared in Financial Mail