IE 11 is not supported. For an optimal experience visit our site on another browser.

Facebook hacked, but says users not affected

facebook logo

Facebook Friday announced that it was the target of a "sophisticated" hacking attempt in January, though the company assured its users that their data was not "compromised."

The information was communicated in a blog post by Facebook Security. The social network's security experts explained that a few employees had visited an infected site, which installed malware on their laptops via a then-unknown bug in Java. The laptops, Facebook noted in its defense, were "fully-patched and running up-to-date anti-virus software."

Suspicious activity was noted on Facebook's internal networks shortly thereafter, tracked to the laptops in question, and remedied; The Java exploit was reported to Oracle (which makes the Web app platform), which issued a patch on Feb. 1.

Facebook's Chief Security Officer, Joe Sullivan, told Ars Technica that the attackers "were trying to move laterally into our production environment," where they would have access to lots of private and proprietary data. They were stopped before that point, but could have collected some non-user data like corporate emails and some code.

"We have found no evidence that Facebook user data was compromised," the company wrote in the blog post.

Kaspersky Lab's Kurt Baumgartner told NBC News this is likely accurate and not just lip service: "They know their network layout, permissions, logging and which systems were hit."

Baumgartner also said it was "clear" that this attack had nothing to do with the recent high-profile attacks on the New York Times, Washington Post, and other news organizations.

A security expert at another company with knowledge of the matter was told the Facebook attack appeared to have originated in China, Reuters reported.

Facebook says it is working with law enforcement and other companies' security teams to analyze and prevent future breaches.

While Facebook said no user data was compromised, the incident could raise consumer concerns about privacy and the vulnerability of personal information stored within the social network.

The social network has made several privacy missteps over the years because of the way it handled user data and it settled a privacy investigation with federal regulators in 2011.

In its statement, Facebook said the attack was launched using a "zero-day," or previously unknown flaw in its software that exploited its Java built-in protections.

"Zero-day" attacks are rarely discovered and even more rarely disclosed. They are costly to launch and often suggest government sponsorship.

In January 2010, Google reported it had been penetrated via a "zero-day" flaw in an older version of the Internet Explorer Web browser. The attackers were seeking source code and were also interested in Chinese dissidents, and Google reduced its operations in the country as a result.

Attention to cyber security has ratcheted up since then and this week President Barack Obama issued an executive order seeking higher safety standards for critical infrastructure.

Other companies stand to benefit more from comprehensive legislation, which has stalled in Congress. Republicans have opposed additional regulations that would come with mandatory security standards.

Devin Coldewey is a contributing writer for NBC News Digital. His personal website is

Reuters also contributed to this report.

This story was updated at 8:25 p.m. ET.