Facebook announced that it was hacked in a blog post today after some of its employees visited an infected mobile developer website in January. The company says it has found no evidence that the breach affected user data.
“They gained limited visibility into our systems,” Fred Wolens, a spokesperson for Facebook, told VentureBeat in an interview, “We’ve accelerated our program to disable Java in our environment.”
The company explained in the blog post that the laptops that were infected were “fully patched” and ran the most up-to-date antivirus software prior to the infection. It is currently working with law enforcement to dig into the hack’s details. The malware came through another issue with Java, the programming language that Oracle recently patched to fix a number of other issues. The Department of Homeland Security even recommended that people uninstall Java since hackers were finding new holes often.
“After analyzing the compromised website where the attack originated, we found it was using a ‘zero-day,’ previously unseen exploit to bypass the Java sandbox (built-in protections) to install the malware,” said Facebook in the blog post. “We immediately reported the exploit to Oracle, and they confirmed our findings and provided a patch on February 1, 2013, that addresses this vulnerability.”
Facebook has not specified who the attackers are, and it very well may not know. The company does, however, say that it was “not alone in this attack” and that it wanted to tell the world about this hack quickly so that others can start their own remediation.
VB’s research team is studying mobile user acquisition... Chime in here, and we’ll share the results.