Facebook was hit with a “sophisticated” hacking attack in January that compromised the systems of a “handful” of engineers in an attempt to break into the site’s servers.
In an announcement posted to its security blog earlier today, the company said it had found “no evidence” Facebook user data was compromised.
The attack happened after Facebook employees visited the website for a mobile developer, which hackers had previously loaded with malware. The employees’ laptops were up-to-date with virus protection software, but that didn’t matter. The hackers took advantage of a previously unknown Java vulnerability—what’s known as a “zero-day” attack—to bypass the security software.
Joe Sullivan, Facebook’s chief of security, revealed the details of the attack to Ars Technica earlier today:
An analysis of the activity of the malware showed that ‘they were trying to move laterally into our production environment,’ Sullivan said. The attackers gained ‘some limited visibility’ into production systems, but a forensic review found no evidence that data was exfiltrated from that. However, some of the information on the laptops themselves—‘what you typically find on an engineer’s laptop,’ Sullivan said—was harvested by the hackers, including corporate data, e-mail, and some software code.
After discovering the hack, Facebook said it immediately reported it to Oracle, the company that owns Java, as well as law enforcement agencies. The blog post warned that the hackers likely infiltrated other targets, but it did not elaborate.
Perhaps coincidentally, at the same time as hackers were trying to worm their way into Facebook servers, others had breached Twitter’s defenses, gaining access to the data—including encrypted password information and login tokens—of 250,000 users. Other recent high-profile victims of hacking attacks include The New York Times and The Washington Post. In those cases, both the Times and the Post claimed agents of the Chinese government were behind the attacks.