Mark Zuckerberg fan page hacked on Facebook: What really happened?

Filed Under: Facebook, Social networks, Vulnerability

There was a lot of hoo-ha and speculation yesterday after Mark Zuckerberg's official Facebook fan page was updated with an unauthorised post.

Mark Zuckerberg hacked

Initially, Facebook declined to comment on what - at first glance - appeared to be an embarrassing security faux pas by Zuckerberg or one of his staff authorised to update the page. Understandably there was speculation that Zuckerberg or one of his colleagues might have had their passwords guessed or stolen, or perhaps had been 'sidejacked' by a tool such as FireSheep while using an unencrypted free WiFi hotspot.

Those were certainly our first thoughts, but now new information shared by Facebook's security team with the press tells a different story.

Squiggly imageFor instance, CNET's Elinor Mills reports that Facebook discovered that an API bug allowed unauthorised parties to post status updates to public Facebook fan pages.

This meant that personal information wasn't stolen from anyone's Facebook account - which is a very good thing.

So, it wasn't a story of a 26-year-old logging in at Starbucks and not realising that someone could be intercepting the communications. And it wasn't a tale of a junior member of staff being given the keys to administer a page with 2.8 million fans, only to choose a weak password like "123456789".

Those kind of mistakes aren't uncommon, of course, and are security issues which you should be mindful of if you are responsible for the protection of computers and online activity inside your own organisation.

Instead, it turns out that the true story of the Zuckerberg fan page hack is much worse. Because a vulnerability in Facebook's code allowed unauthorised parties to post updates to pages, which could have potentially been used for the purposes of phishing, spam and even malicious attack.

And it wasn't just Zuckerberg's fan page which was affected. Facebook declined to say which other pages had been hit by hackers exploiting the vulnerability - but it appears that other "high-profile" pages were also impacted.

Facebook has not revealed whether they believed that French President Nicolas Sarkozy's fan page (which was also breached earlier this week) had been affected by the same bug, but the suspicion must be there.

So, what does this mean for you if you're a sysadmin responsible for securing your company's Facebook presence?

Well, the good news is that Facebook says the API bug has now been fixed. They haven't, however, said if they have informed the owners of any other Facebook fan pages or removed posts which may have been published via the flaw.

So, if you are the administrator of a popular page on Facebook, it wouldn't do any harm to check that all is in order. You may also want to ensure that your public forums are regularly monitored just in case a similar incident occurs in the future, which might result in your Facebook fans receiving unauthorised updates.

After all, one wonders whether the API vulnerability would have been found so promptly if it hadn't impacted the official fan page of Facebook's CEO.

Furthermore, now would be a good time to audit your Facebook page administrators - ask yourself who has access to post to your company's pages and are they following sensible security practices (such as unique, hard-to-crack passwords and use of https when accessing the site).

Accessing Facebook via https

This may not have been the issue that caused the Zuckerberg fan page defacement, but it still makes a lot of good sense to follow these guidelines inside your company.

If you want to keep abreast of the latest Facebook security news, why not join our Sophos Facebook page where a community of over 100,000 users regularly discuss the threats.

, , , ,

You might like

5 Responses to Mark Zuckerberg fan page hacked on Facebook: What really happened?

  1. mugabo · 1678 days ago

    Deal breaker, am deleting my Facebook now.

  2. I think this look like it was shorta reflect about The Social Networking movie, but the so-called-hacker tried to take advantage and take over... this is more likely a cracker.

  3. Shaam-Z · 1675 days ago

    Geez, who has time to read this all b/s about zukerberg?

  4. adentice · 1330 days ago

    I recently read some other negative security stuff about Facebook, which lead me to disengage with facebook immediately I have now completely got rid of this from my life,
    however I am intrigued to find that virtually every time I read any publication online or off there seems to be one looming disaster or another hanging around Facebook, so I am glad that I took the action that I did and got rid of what was for me a waste of time.

  5. Dawna · 1253 days ago

    It's never a disaster if you don't publish anything you don't want anyone to know.. Plain and simple.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

About the author

Graham Cluley runs his own award-winning computer security blog at, and is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s. Now an independent security analyst, he regularly makes media appearances and gives computer security presentations. Follow him on Twitter at @gcluley