This thread is a little pessimistic. Why would facebook suffer any consequences from this whatsoever? When has a data breach actually affected the company?
As I understand it, this wasn't just a simple/typical security breach. The hackers had access to people's accounts and for who knows how long. 50 million people's private conversations and pictures being made public, for example, would be the end of Facebook.
you underestimate the nihilistic attitude towards anything facebook vs privacy related. I don't think there is anyone out there who even remotely thinks their doings on FB is private any more, including PMs.
I think you underestimate the extent to which people think their PM's aren't a big deal, until they get released and a torrent of sexting, gossip, illicit relationships, bullying, and public scandal washes over society as fallout.
"I have nothing to hide" is the mantra of fools and people too domesticated to even imagine the ways that malicious crooks and societal pranksters can have it out for them.
I'd consider myself 'tech savvy' and still expect my conversations on Facebook to remain non-public even in the case of security negligence on my part. If anything private is released through this hack, other than hashed passwords or similar (worst case), I'm absolutely done with Facebook and any similar entity.
> Why would facebook suffer any consequences from this whatsoever? When has a data breach actually affected the company?
Facebook is too big. It does not play against its customers or users, but against governments and legislation.
Sooner or later legislation is going to catch up with all the potential risks and abuses that Facebooks facilitates. Each misstep takes it closer to an stronger legislation.
For all the big tech companies it is better for themselves to slap on their own hand than to let the government do it.
Facebook, Whatsapp and Instagram went down globally for hours at the start of August. There was no explanation about this major outage as far as I remember.
Does anybody know if it was related to this data breach? If so, why were people only informed of the breach nearly a month later?
> By company-ending I mean Facebook would never recover from the consequences of so much user data being dumped online for all to see. It would permanently end the company. Shareholders should be worried. We just don't know how much user data was stolen yet.
Exactly. I mean, just look at what happened to Equifax. Oh wait...
The general public don't have a clue what Equifax is and don't know about the hack. Your Grandparent's sexting convos being put online might grab the public's attention a little more.
Although I don't see this having a huge immediate impact on Facebook, the distinction is that if Equifax neglagently releases your PII there is little fallout as you are not the one providing Equifax with that data and cannot simply stop feeding them data, when Facebook does it their data subjects can choose to stop providing the data by exiting the platform. Facebook needs both the user data, and those same users patronizing their service to maintain the existing revenue stream.
The personal communication stored in Messenger is materially different. Affairs, criminal activity, talking about the boss... This has the potential to actually destroy lives.
I've seen several similar threads to this one on Twitter.
"Blah happened at Facebook and it is potentially a company ending event."
This causes me to almost immediately discredit them, as while serious, this is no where near a company ending event for an organization that is headquartered in the US.
Equifax lost the personal data of all Americans and is doing fine.
Facebook might get fined a metric ton of money, people in some portions of the world might leave it, but the company will be just fine. You see, there is no where else for those people to go. Presumably they're on Facebook for some reason so they would want to find an alternative and there isn't an alternative that is as easy to use that their friends and family will migrate to.
Like many other compromises, this one will be forgotten. There is no wordlist that will come out of it, no public artifact that will exist. People have already forgotten about Adobe, LinkedIn is fading, and this one will eventually join their ranks.
I tend to react similarly but this event is the first one that triggered some of my non-tech FB contacts to leave for more geeky alternatives, namely diaspora. The groups of his friends is discussing moving as well.
This is anecdotal but I hope several groups are considering the same now...
Not only did this not do anything for anyone I know as well, many people I know used complacency language when talking about it; large data breaches seem normalized now, they don't faze the tech-illiterate anymore.
The HN bubble sort of gives us a false sense that this is a Big Fucking Deal, but I didn't get the sense that my friends and cared, or even really knew.
I’m tech literate and they don’t phase me either. Why would they? My business is already in the streets. What does it matter if one more company leaks my personal info?
Unfortunately, this is how I feel at this point too... Though I might be special here, as the group that dumped my data was the US Government, and the data they dumped is ALL of the important stuff, including a photocopy of my DD-214...
I’m not sure they faze much of anyone besides some of Reddit and HN. The tech literate friends I know don’t care much either. There’s a handful of things that both those sites over-do like crazy compared to the norm and this is one of them.
> "Blah happened at City/Nation and it is potentially a planet ending event."
It's hard to take Chicken Little serious. All of the sensationalism feels like a magician waving a cloth with one hand, to distract the audience from the other hand.
I don't know what to tell you. The sensationalism is there because it's a catastrophic problem that requires major action.
There's consensus that a very bad thing is happening, its effects are already being felt, and they will get much worse over time. Scientists have tried to communicate this in every way, but people have hemmed and hawed or outright denied it for so long that it's going to be bad no matter what at this point. There are still things that can be done to reduce the impact, but the picture isn't good.
Heh, just to clarify, are you referring to climate change, surveillance economy, data breaches or all of the above?
As it applies to all, and yet, they all end up blaming end users in one way or another while patently ignoring the forces that drive public policies... Profit, industry, Guv regs & profit.
Everything is a catastrophic problem to someone. Sensationalism is about the worst way to communicate this, and is likely why so many refuse to believe. The reality of climate change is that we're trading inhospitable poles for an inhospitable equator.
Yes, this will be painful to those who have to adapt or relocate. But it is a form of NIMBYism.
Life is full of scary problems. What if your car catches fire? Life can be made scarier if you pretend that you have to solve all the problems yourself. We can do anything, but we cannot do everything by ourselves.
If fish die, surely some other life form will fill that niche, and we'll eat that. It's not as though humans are the most adaptive life form in existence.
It’s like people who make those posts didn’t remember that the tobacco industry still exists. Literally killing people and lying about it for profit isn’t “company ending” if you have scads of money and lawyers, and a market eager for your poison.
I'm the OP. The data is qualitatively different, but as I repeatedly say in the thread, we know very little so far except that 50m accounts were entirely compromised.
I mean I could provide statistical data and show trends etc, but that's a lot of effort. I am presuming that people here will have kept up on major breaches to realize that point. That might be a really bad assumption but I know there are some really smart infosec people on hacker news.
Yes, social events do not always follow the same pattern (see Trump election), but the odds in this case are very much on the side of Facebook's breach being the same as others before it.
The stock is down a measly 1.5%. Nobody gives a fuck.
Compare with TSLA Musk SEC investigation which caused a 10% plunge.
A misleading tweet is considered much more dangerous by the market than a 50 mil account breach. Investors know there are no real world consequences to a massive breach.
Is this person trying to dump FB stock for his own benefit? It makes me very skeptic that he had to tweet 11 times in a very alarmist tone. If his opinion is firm on transitioning from FB to a more private and secure alternative why not just say that in 1 or 2 tweets in a tone endorsing other platforms perhaps in a more positive manner?
> "And is up there with the biggest (if not the biggest) hacks of all time."
In what world is this even remotely the case? OPM, Equifax, etc are far more serious hacks than this. Yahoo's multiple breaches dwarf the Facebook hack. 3 billion vs 50 or 90 million:
1) He says you should delete your facebook account. It's too late, the data is already there. Deleting does nothing.
2) "By company-ending I mean Facebook would never recover from the consequences of so much user data being dumped online for all to see" utter conjecture. there are petabytes of data, dumping that online is hard. Exfiltrating unnoticed is hard.
3) "This is potentially so bad that it could be called the Great Facebook Hack of 2018. But again, we don't know how much stuff was stolen. Yet." Again conjecture. This could be called the "great facebook spotted a hack on two account and stopped it before it got bad"
This is pointless punditry from someone who literally is nothing to do with facebook, has no contact with people close to the matter, and is just guessing.
yes, that much data in someone's hands is bad, but so is google, and the legion of databrokers and ad spinner.
Honestly I'd delete my Facebook if there were anything of value on there, or if I cared about being impersonated on that platform, but neither of those things are true.
Yes but your account can be used maliciously and still impersonate you. Your account can be used to sway elections and so on. I don't feel comfortable with that, but if you do then it's okay.
My account can't be used to sway elections, Facebook can be used to sway elections. I have no Facebook clout upon which a hacker could build anything of value.
1) no, not effectively. The data still exists, and forms the kernel to link to other systems, ie Instagram, whatsapp and what ever has any sort of Facebook integration.
if you keep any facebook affiliated service active, facebook will still maintain a profile on you.
The only way to stop is to find all your facebook apps, and IDs give formal notice for stopping use, and then issue a request to stop processing your data. They can still hold on to some nuggets of info for "anti-fraud" purposes, for example if you've paid for anything, or used marketplace.
Then you need to change browsers(possibly wipe your computer), change phone, do not import any previous data and start again.
once you've done that, you need to find your newly created unique ID, one for advertising and such and ask to stop processing on that too. Bonus points for using pihole or similar to block facebook owned domains.
so no, its not _obvious_
2 & 3) offering wild conjecture undermines your actual work. its base punditry, you provide a _valuable_ service, but pandering to hyperbole takes away from this. If you have an inside source, then that changes things, I'll sit up and listen.
4) without a source or inside insight, its just noise, again, you provide a _critical_ service, and I want you to continue, but it _must_ be based on fact or credible sources. I moan be cause I care, honest.
I question whether this is really more useful. You'd have to show that advertisers noticed that data was fake, and that they cared, and that they cared enough to pull FB advertising.
To do that, you'd have to get a whole lot of people putting up false data, and to do that, you'd have to make it very easy to do. Which would probably make it detectable (you think your fake data tool will stay off their radar?).
"We don't know anything for certain but I'm double-dog sure you should sell all your shares and delete all your logins." There's even nonsense about GDPR in the comments.
This all stinks of shorting... And even if it's not, it's too sensationalist to take seriously without more data.
This is a great example of a link that should be off-topic for HN.
There’s not one new material fact in the linked tweet, nor does it make an attempt at fair analysis. It instead consists of hyperbole (“company ending”) and unfounded speculation (“I imagine”). It’s just not a good starting point for serious discussion of the breach.
This thread seems to have developed learned helplessness. This reflects very badly of our confidence in the legal system. Equifax and tobacco industry needs to be punished to feel the brunt of their crimes. But we seem to have accepted the fate.
Hey, let's boycott Gavin's Blog! His alarmism is so skewing that it is pretty much fake news. Let's make him pay a bit, teach the lesson that you shouldn't post such drivel on HN.
I've done a shit ton of research on Corporate Surveillance in the past and there are a lot of signs of a big discrepancy of what people think what is stored about them in TAO and what is _really_ stored about them in TAO. (For those of you who are not that into Facebook, infrastructure and/or devops: TAO is Facebook's graph database)
One of the keywords here is "shadow profiles" or the nodes and edges within the graph which are actually there but you can't directly influence as a user. A good example would be the former colleague of a close family member who never disclosed their place of work and without a current account whom Facebook decided to recommend as a "friend" to another family member who currently has a Facebook account but without an actual past or live connection between the two -- true story, I shit you not.
So it's better to stay silent than proof yet again that there is a profound case for GDPR-like regulation - like Brandon Eich recently recommended - in the United States.
Why is the silence deafening? And what exactly is expected from Facebook? Today it'd say it was 50 million affected, and in a day change it to up to 90 million, and a week later it'll become 130 million, then it'll be 150 million, and then people will stop caring, as they have before, and move on.
There are three kinds of people — those who stopped using Facebook a long, long time ago when the very first privacy issues came about; those who will never stop using Facebook unless they're moving to Instagram or another hotness of the day; those who may stop using Facebook after hearing about privacy or security issues. The last category is very, very small. So is the first.
The only way to get out of this mess is to have a "new hotness" that's as good as (if not better than) Facebook and is privacy preserving, decentralized, easy to use, etc. We're still a long way away from that.
75 comments
[ 3.3 ms ] story [ 147 ms ] threadWe probably won't hear anything until we start getting leaks from the investigations of data protection regulators around the world.
"I have nothing to hide" is the mantra of fools and people too domesticated to even imagine the ways that malicious crooks and societal pranksters can have it out for them.
Also I think that would be huge and cause some number of people to quit facebook, but I'm confident it wouldn't be the "end".
Facebook is too big. It does not play against its customers or users, but against governments and legislation.
Sooner or later legislation is going to catch up with all the potential risks and abuses that Facebooks facilitates. Each misstep takes it closer to an stronger legislation.
For all the big tech companies it is better for themselves to slap on their own hand than to let the government do it.
At odds with the Armageddon-like comments in the Twitter thread, this is still to be worked out. It is not a certainty.
Does anybody know if it was related to this data breach? If so, why were people only informed of the breach nearly a month later?
Also, they probably did just learn about the breach day of from the person who was going to livestream deleting Zuckerburg's account.
Mostly my interactions involving the outage were just browsing memes about it in shitposting@
Exactly. I mean, just look at what happened to Equifax. Oh wait...
"Blah happened at Facebook and it is potentially a company ending event."
This causes me to almost immediately discredit them, as while serious, this is no where near a company ending event for an organization that is headquartered in the US.
Equifax lost the personal data of all Americans and is doing fine.
Facebook might get fined a metric ton of money, people in some portions of the world might leave it, but the company will be just fine. You see, there is no where else for those people to go. Presumably they're on Facebook for some reason so they would want to find an alternative and there isn't an alternative that is as easy to use that their friends and family will migrate to.
Like many other compromises, this one will be forgotten. There is no wordlist that will come out of it, no public artifact that will exist. People have already forgotten about Adobe, LinkedIn is fading, and this one will eventually join their ranks.
This is anecdotal but I hope several groups are considering the same now...
The HN bubble sort of gives us a false sense that this is a Big Fucking Deal, but I didn't get the sense that my friends and cared, or even really knew.
> "Blah happened at City/Nation and it is potentially a planet ending event."
It's hard to take Chicken Little serious. All of the sensationalism feels like a magician waving a cloth with one hand, to distract the audience from the other hand.
There's consensus that a very bad thing is happening, its effects are already being felt, and they will get much worse over time. Scientists have tried to communicate this in every way, but people have hemmed and hawed or outright denied it for so long that it's going to be bad no matter what at this point. There are still things that can be done to reduce the impact, but the picture isn't good.
As it applies to all, and yet, they all end up blaming end users in one way or another while patently ignoring the forces that drive public policies... Profit, industry, Guv regs & profit.
I know, I know, profit deserves two mentions.
Yes, this will be painful to those who have to adapt or relocate. But it is a form of NIMBYism.
If fish die, surely some other life form will fill that niche, and we'll eat that. It's not as though humans are the most adaptive life form in existence.
Ah, but at least everyone agrees you should quit smoking cigarettes for your health.
1 - http://www.xenu.net/archive/multimedia.html#smoking
Because Equifax lost the personal data of _Americans_.
Not all nations/regulators are so hands-off and Facebook is an international company with the vast majority of its users outside the US.
When people say, "It'll work this way in the future because it worked this way in the past" I tend to discredit them.
Yes, social events do not always follow the same pattern (see Trump election), but the odds in this case are very much on the side of Facebook's breach being the same as others before it.
Compare with TSLA Musk SEC investigation which caused a 10% plunge.
A misleading tweet is considered much more dangerous by the market than a 50 mil account breach. Investors know there are no real world consequences to a massive breach.
I'm not sure where you got the $219 price from, but the stock price was nowhere near that before the breach.
In what world is this even remotely the case? OPM, Equifax, etc are far more serious hacks than this. Yahoo's multiple breaches dwarf the Facebook hack. 3 billion vs 50 or 90 million:
https://money.cnn.com/2017/10/03/technology/business/yahoo-b...
1) He says you should delete your facebook account. It's too late, the data is already there. Deleting does nothing.
2) "By company-ending I mean Facebook would never recover from the consequences of so much user data being dumped online for all to see" utter conjecture. there are petabytes of data, dumping that online is hard. Exfiltrating unnoticed is hard.
3) "This is potentially so bad that it could be called the Great Facebook Hack of 2018. But again, we don't know how much stuff was stolen. Yet." Again conjecture. This could be called the "great facebook spotted a hack on two account and stopped it before it got bad"
This is pointless punditry from someone who literally is nothing to do with facebook, has no contact with people close to the matter, and is just guessing.
yes, that much data in someone's hands is bad, but so is google, and the legion of databrokers and ad spinner.
Prevents being hacked again in the future?
Pretty sure there is already a floor on the number of accounts higher than 2
2) Yes it is conjecture.
3) Yes it is conjecture.
4) I'm basing it on what Facebook has told us so far. They are still investigating. But then I said that in the thread.
5) Saying it's bad because it's also bad elsewhere doesn't negate a single thing.
Thanks for the feedback.
if you keep any facebook affiliated service active, facebook will still maintain a profile on you.
The only way to stop is to find all your facebook apps, and IDs give formal notice for stopping use, and then issue a request to stop processing your data. They can still hold on to some nuggets of info for "anti-fraud" purposes, for example if you've paid for anything, or used marketplace.
Then you need to change browsers(possibly wipe your computer), change phone, do not import any previous data and start again.
once you've done that, you need to find your newly created unique ID, one for advertising and such and ask to stop processing on that too. Bonus points for using pihole or similar to block facebook owned domains.
so no, its not _obvious_
2 & 3) offering wild conjecture undermines your actual work. its base punditry, you provide a _valuable_ service, but pandering to hyperbole takes away from this. If you have an inside source, then that changes things, I'll sit up and listen.
4) without a source or inside insight, its just noise, again, you provide a _critical_ service, and I want you to continue, but it _must_ be based on fact or credible sources. I moan be cause I care, honest.
5) valid point, logical fallacy on my part.
facebook monetizes data by using it for selling targeted ads. by not using facebook, they can't sell you more targeted ads, which is something.
To do that, you'd have to get a whole lot of people putting up false data, and to do that, you'd have to make it very easy to do. Which would probably make it detectable (you think your fake data tool will stay off their radar?).
This all stinks of shorting... And even if it's not, it's too sensationalist to take seriously without more data.
There’s not one new material fact in the linked tweet, nor does it make an attempt at fair analysis. It instead consists of hyperbole (“company ending”) and unfounded speculation (“I imagine”). It’s just not a good starting point for serious discussion of the breach.
Maybe I'm wrong, hoping it gets light later on.
I've done a shit ton of research on Corporate Surveillance in the past and there are a lot of signs of a big discrepancy of what people think what is stored about them in TAO and what is _really_ stored about them in TAO. (For those of you who are not that into Facebook, infrastructure and/or devops: TAO is Facebook's graph database)
One of the keywords here is "shadow profiles" or the nodes and edges within the graph which are actually there but you can't directly influence as a user. A good example would be the former colleague of a close family member who never disclosed their place of work and without a current account whom Facebook decided to recommend as a "friend" to another family member who currently has a Facebook account but without an actual past or live connection between the two -- true story, I shit you not.
So it's better to stay silent than proof yet again that there is a profound case for GDPR-like regulation - like Brandon Eich recently recommended - in the United States.
There are three kinds of people — those who stopped using Facebook a long, long time ago when the very first privacy issues came about; those who will never stop using Facebook unless they're moving to Instagram or another hotness of the day; those who may stop using Facebook after hearing about privacy or security issues. The last category is very, very small. So is the first.
The only way to get out of this mess is to have a "new hotness" that's as good as (if not better than) Facebook and is privacy preserving, decentralized, easy to use, etc. We're still a long way away from that.