75 comments

[ 3.3 ms ] story [ 147 ms ] thread
I would guess the silence is driven by lawyers and PR folk.

We probably won't hear anything until we start getting leaks from the investigations of data protection regulators around the world.

It's mainly driven by investigation I'm guessing, with the FBI in tow too.
This thread is a little pessimistic. Why would facebook suffer any consequences from this whatsoever? When has a data breach actually affected the company?
As I understand it, this wasn't just a simple/typical security breach. The hackers had access to people's accounts and for who knows how long. 50 million people's private conversations and pictures being made public, for example, would be the end of Facebook.
you underestimate the nihilistic attitude towards anything facebook vs privacy related. I don't think there is anyone out there who even remotely thinks their doings on FB is private any more, including PMs.
I think you underestimate the extent to which people think their PM's aren't a big deal, until they get released and a torrent of sexting, gossip, illicit relationships, bullying, and public scandal washes over society as fallout.

"I have nothing to hide" is the mantra of fools and people too domesticated to even imagine the ways that malicious crooks and societal pranksters can have it out for them.

I'd consider myself 'tech savvy' and still expect my conversations on Facebook to remain non-public even in the case of security negligence on my part. If anything private is released through this hack, other than hashed passwords or similar (worst case), I'm absolutely done with Facebook and any similar entity.
Ironic, because that was the beginning of Facebook. Sort of the whole point was to have public conversations and pictures.

Also I think that would be huge and cause some number of people to quit facebook, but I'm confident it wouldn't be the "end".

Which is the simple point I'm making - a worst case scenario here destroys FB's reputation for safely storing your private messages.
By "pessimistic" do you mean unrealistically, naively optimistic? (I agree FB will likely suffer face no consequences)
> Why would facebook suffer any consequences from this whatsoever? When has a data breach actually affected the company?

Facebook is too big. It does not play against its customers or users, but against governments and legislation.

Sooner or later legislation is going to catch up with all the potential risks and abuses that Facebooks facilitates. Each misstep takes it closer to an stronger legislation.

For all the big tech companies it is better for themselves to slap on their own hand than to let the government do it.

If they don't disclose in time, or are found to have been able to have prevented the breach, they could face some serious fines in the EU under GDPR.

At odds with the Armageddon-like comments in the Twitter thread, this is still to be worked out. It is not a certainty.

Facebook, Whatsapp and Instagram went down globally for hours at the start of August. There was no explanation about this major outage as far as I remember.

Does anybody know if it was related to this data breach? If so, why were people only informed of the breach nearly a month later?

No, it wasn't. I was interning there at the time and love to regularly check the current issues page.

Also, they probably did just learn about the breach day of from the person who was going to livestream deleting Zuckerburg's account.

Thanks. Were people as panicked inside Facebook during the outage, as I was as a user trying to browse meme groups?
More exasperated, I think? If I remember correctly, it wasn't too complex to fix (maybe just a rollback), it just took sometime to push to prod.

Mostly my interactions involving the outage were just browsing memes about it in shitposting@

> By company-ending I mean Facebook would never recover from the consequences of so much user data being dumped online for all to see. It would permanently end the company. Shareholders should be worried. We just don't know how much user data was stolen yet.

Exactly. I mean, just look at what happened to Equifax. Oh wait...

The general public don't have a clue what Equifax is and don't know about the hack. Your Grandparent's sexting convos being put online might grab the public's attention a little more.
There is an important distiction: Equifax's data is not voluntarily submitted by the data subjects, while most of Facebook's is.
That sounds worse for Equifax
Although I don't see this having a huge immediate impact on Facebook, the distinction is that if Equifax neglagently releases your PII there is little fallout as you are not the one providing Equifax with that data and cannot simply stop feeding them data, when Facebook does it their data subjects can choose to stop providing the data by exiting the platform. Facebook needs both the user data, and those same users patronizing their service to maintain the existing revenue stream.
Equifax is also not under EU (GDPR) jurisdiction afaik.
The personal communication stored in Messenger is materially different. Affairs, criminal activity, talking about the boss... This has the potential to actually destroy lives.
I've seen several similar threads to this one on Twitter.

"Blah happened at Facebook and it is potentially a company ending event."

This causes me to almost immediately discredit them, as while serious, this is no where near a company ending event for an organization that is headquartered in the US.

Equifax lost the personal data of all Americans and is doing fine.

Facebook might get fined a metric ton of money, people in some portions of the world might leave it, but the company will be just fine. You see, there is no where else for those people to go. Presumably they're on Facebook for some reason so they would want to find an alternative and there isn't an alternative that is as easy to use that their friends and family will migrate to.

Like many other compromises, this one will be forgotten. There is no wordlist that will come out of it, no public artifact that will exist. People have already forgotten about Adobe, LinkedIn is fading, and this one will eventually join their ranks.

I tend to react similarly but this event is the first one that triggered some of my non-tech FB contacts to leave for more geeky alternatives, namely diaspora. The groups of his friends is discussing moving as well.

This is anecdotal but I hope several groups are considering the same now...

I’ll give back another anecdote. This did nothing for anyone I know.
Not only did this not do anything for anyone I know as well, many people I know used complacency language when talking about it; large data breaches seem normalized now, they don't faze the tech-illiterate anymore.

The HN bubble sort of gives us a false sense that this is a Big Fucking Deal, but I didn't get the sense that my friends and cared, or even really knew.

I’m tech literate and they don’t phase me either. Why would they? My business is already in the streets. What does it matter if one more company leaks my personal info?
Unfortunately, this is how I feel at this point too... Though I might be special here, as the group that dumped my data was the US Government, and the data they dumped is ALL of the important stuff, including a photocopy of my DD-214...
I’m not sure they faze much of anyone besides some of Reddit and HN. The tech literate friends I know don’t care much either. There’s a handful of things that both those sites over-do like crazy compared to the norm and this is one of them.
This is what climate change news feels like too.

> "Blah happened at City/Nation and it is potentially a planet ending event."

It's hard to take Chicken Little serious. All of the sensationalism feels like a magician waving a cloth with one hand, to distract the audience from the other hand.

I don't know what to tell you. The sensationalism is there because it's a catastrophic problem that requires major action.

There's consensus that a very bad thing is happening, its effects are already being felt, and they will get much worse over time. Scientists have tried to communicate this in every way, but people have hemmed and hawed or outright denied it for so long that it's going to be bad no matter what at this point. There are still things that can be done to reduce the impact, but the picture isn't good.

Heh, just to clarify, are you referring to climate change, surveillance economy, data breaches or all of the above?

As it applies to all, and yet, they all end up blaming end users in one way or another while patently ignoring the forces that drive public policies... Profit, industry, Guv regs & profit.

I know, I know, profit deserves two mentions.

Everything is a catastrophic problem to someone. Sensationalism is about the worst way to communicate this, and is likely why so many refuse to believe. The reality of climate change is that we're trading inhospitable poles for an inhospitable equator.

Yes, this will be painful to those who have to adapt or relocate. But it is a form of NIMBYism.

There’s a lot more than weather to climate change. What if there were no more fish? What if the ocean didn’t absorb CO2. Read more.
Life is full of scary problems. What if your car catches fire? Life can be made scarier if you pretend that you have to solve all the problems yourself. We can do anything, but we cannot do everything by ourselves.

If fish die, surely some other life form will fill that niche, and we'll eat that. It's not as though humans are the most adaptive life form in existence.

Except one is backed by large amounts of data, and the other is just some guy pontificating.
It’s like people who make those posts didn’t remember that the tobacco industry still exists. Literally killing people and lying about it for profit isn’t “company ending” if you have scads of money and lawyers, and a market eager for your poison.
> It’s like people who make those posts didn’t remember that the tobacco industry still exists

Ah, but at least everyone agrees you should quit smoking cigarettes for your health.

True, but took about much more than a century for that, and for quite a long time tobacco smoke was seen as medicinal!
> Equifax lost the personal data of all Americans and is doing fine.

Because Equifax lost the personal data of _Americans_.

Not all nations/regulators are so hands-off and Facebook is an international company with the vast majority of its users outside the US.

I'm the OP. The data is qualitatively different, but as I repeatedly say in the thread, we know very little so far except that 50m accounts were entirely compromised.
>Like many other compromises, this one will be forgotten.

When people say, "It'll work this way in the future because it worked this way in the past" I tend to discredit them.

I mean I could provide statistical data and show trends etc, but that's a lot of effort. I am presuming that people here will have kept up on major breaches to realize that point. That might be a really bad assumption but I know there are some really smart infosec people on hacker news.

Yes, social events do not always follow the same pattern (see Trump election), but the odds in this case are very much on the side of Facebook's breach being the same as others before it.

The stock is down a measly 1.5%. Nobody gives a fuck.

Compare with TSLA Musk SEC investigation which caused a 10% plunge.

A misleading tweet is considered much more dangerous by the market than a 50 mil account breach. Investors know there are no real world consequences to a massive breach.

We don't know the full extent of the hack yet. As the thread says! It might be not so bad, or it might be awful.
From $219 to $160 thats “measly 1.5%” ? Maybe by Sesame Street’s Yellow Bird math standards.
The closing price on Thursday was $168.84. The close yesterday was $162.44. That's a 3.8% decline.

I'm not sure where you got the $219 price from, but the stock price was nowhere near that before the breach.

$219 is the stock's high price from this summer? The fall from there was totally unrelated.
Is this person trying to dump FB stock for his own benefit? It makes me very skeptic that he had to tweet 11 times in a very alarmist tone. If his opinion is firm on transitioning from FB to a more private and secure alternative why not just say that in 1 or 2 tweets in a tone endorsing other platforms perhaps in a more positive manner?
(comment deleted)
Well, I assume he's out to sell something.

1) He says you should delete your facebook account. It's too late, the data is already there. Deleting does nothing.

2) "By company-ending I mean Facebook would never recover from the consequences of so much user data being dumped online for all to see" utter conjecture. there are petabytes of data, dumping that online is hard. Exfiltrating unnoticed is hard.

3) "This is potentially so bad that it could be called the Great Facebook Hack of 2018. But again, we don't know how much stuff was stolen. Yet." Again conjecture. This could be called the "great facebook spotted a hack on two account and stopped it before it got bad"

This is pointless punditry from someone who literally is nothing to do with facebook, has no contact with people close to the matter, and is just guessing.

yes, that much data in someone's hands is bad, but so is google, and the legion of databrokers and ad spinner.

>1) He says you should delete your facebook account. It's too late, the data is already there. Deleting does nothing.

Prevents being hacked again in the future?

Honestly I'd delete my Facebook if there were anything of value on there, or if I cared about being impersonated on that platform, but neither of those things are true.
Yes but your account can be used maliciously and still impersonate you. Your account can be used to sway elections and so on. I don't feel comfortable with that, but if you do then it's okay.
My account can't be used to sway elections, Facebook can be used to sway elections. I have no Facebook clout upon which a hacker could build anything of value.
>This could be called the "great facebook spotted a hack on two account and stopped it before it got bad"

Pretty sure there is already a floor on the number of accounts higher than 2

1) Clearly this mitigates future risk. Which is obvious.

2) Yes it is conjecture.

3) Yes it is conjecture.

4) I'm basing it on what Facebook has told us so far. They are still investigating. But then I said that in the thread.

5) Saying it's bad because it's also bad elsewhere doesn't negate a single thing.

Thanks for the feedback.

1) no, not effectively. The data still exists, and forms the kernel to link to other systems, ie Instagram, whatsapp and what ever has any sort of Facebook integration.

if you keep any facebook affiliated service active, facebook will still maintain a profile on you.

The only way to stop is to find all your facebook apps, and IDs give formal notice for stopping use, and then issue a request to stop processing your data. They can still hold on to some nuggets of info for "anti-fraud" purposes, for example if you've paid for anything, or used marketplace.

Then you need to change browsers(possibly wipe your computer), change phone, do not import any previous data and start again.

once you've done that, you need to find your newly created unique ID, one for advertising and such and ask to stop processing on that too. Bonus points for using pihole or similar to block facebook owned domains.

so no, its not _obvious_

2 & 3) offering wild conjecture undermines your actual work. its base punditry, you provide a _valuable_ service, but pandering to hyperbole takes away from this. If you have an inside source, then that changes things, I'll sit up and listen.

4) without a source or inside insight, its just noise, again, you provide a _critical_ service, and I want you to continue, but it _must_ be based on fact or credible sources. I moan be cause I care, honest.

5) valid point, logical fallacy on my part.

>1) He says you should delete your facebook account. It's too late, the data is already there. Deleting does nothing.

facebook monetizes data by using it for selling targeted ads. by not using facebook, they can't sell you more targeted ads, which is something.

While true, a vastly more useful approach is to poison the well and give them false data.
I question whether this is really more useful. You'd have to show that advertisers noticed that data was fake, and that they cared, and that they cared enough to pull FB advertising.

To do that, you'd have to get a whole lot of people putting up false data, and to do that, you'd have to make it very easy to do. Which would probably make it detectable (you think your fake data tool will stay off their radar?).

Counterpoint: almost no one will care and nothing of consequence to FB will result from this.
"We don't know anything for certain but I'm double-dog sure you should sell all your shares and delete all your logins." There's even nonsense about GDPR in the comments.

This all stinks of shorting... And even if it's not, it's too sensationalist to take seriously without more data.

This is a great example of a link that should be off-topic for HN.

There’s not one new material fact in the linked tweet, nor does it make an attempt at fair analysis. It instead consists of hyperbole (“company ending”) and unfounded speculation (“I imagine”). It’s just not a good starting point for serious discussion of the breach.

The amount of attention on that Twitter thread makes me think how much people really care about the issue.

Maybe I'm wrong, hoping it gets light later on.

This thread seems to have developed learned helplessness. This reflects very badly of our confidence in the legal system. Equifax and tobacco industry needs to be punished to feel the brunt of their crimes. But we seem to have accepted the fate.
Hey, let's boycott Gavin's Blog! His alarmism is so skewing that it is pretty much fake news. Let's make him pay a bit, teach the lesson that you shouldn't post such drivel on HN.
Simple.

I've done a shit ton of research on Corporate Surveillance in the past and there are a lot of signs of a big discrepancy of what people think what is stored about them in TAO and what is _really_ stored about them in TAO. (For those of you who are not that into Facebook, infrastructure and/or devops: TAO is Facebook's graph database)

One of the keywords here is "shadow profiles" or the nodes and edges within the graph which are actually there but you can't directly influence as a user. A good example would be the former colleague of a close family member who never disclosed their place of work and without a current account whom Facebook decided to recommend as a "friend" to another family member who currently has a Facebook account but without an actual past or live connection between the two -- true story, I shit you not.

So it's better to stay silent than proof yet again that there is a profound case for GDPR-like regulation - like Brandon Eich recently recommended - in the United States.

Why is the silence deafening? And what exactly is expected from Facebook? Today it'd say it was 50 million affected, and in a day change it to up to 90 million, and a week later it'll become 130 million, then it'll be 150 million, and then people will stop caring, as they have before, and move on.

There are three kinds of people — those who stopped using Facebook a long, long time ago when the very first privacy issues came about; those who will never stop using Facebook unless they're moving to Instagram or another hotness of the day; those who may stop using Facebook after hearing about privacy or security issues. The last category is very, very small. So is the first.

The only way to get out of this mess is to have a "new hotness" that's as good as (if not better than) Facebook and is privacy preserving, decentralized, easy to use, etc. We're still a long way away from that.