Oops! Meta Security Guards Hacked Facebook Users

Facebook parent Meta has disciplined or fired at least 25 workers for allegedly hacking into user accounts. Some of the workers were contract security guards, we’re told.

Wait … disciplined or fired? How were they not all fired? And prosecuted? And how come security guards have access to Facebook’s internal account-recovery tools?

All these questions and more will be asked in today’s SB Blogwatch. Please tell me it’s the weekend tomorrow.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: Hello there.

‘Oops’ not Even the Half of It

What’s the craic? Kirsten Grind, Robert McMillan, Salvador Rodriguez and Jim Oberman tag team to report—“Employees, Security Guards Fired for Hijacking User Accounts”:

Workers accepted thousands of dollars in bribes
Meta … has fired or disciplined more than two dozen employees and contractors over the last year whom it accused of improperly taking over user accounts, in some cases allegedly for bribes. … Some of those fired were contractors who worked as security guards [who] were given access to the Facebook parent’s internal mechanism for employees to help users having trouble with their accounts … known internally as “Oops.”

Oops, an acronym for Online Operations, is supposed to be fairly limited to special cases, like friends, family, business partners and public figures, but its usage has climbed. … In 2020, the channel serviced about 50,270 tasks, up from 22,000 three years earlier.

In some cases workers accepted thousands of dollars in bribes from outside hackers to access user accounts. … Because so many people depend on social media for their businesses, or to manage critically important aspects of their lives, gaining illicit control of an account can be lucrative.

And Aaron Mok runs amok—“Meta reportedly accused dozens of workers”:

Some of the fired workers denied the accusations
As part of an internal investigation, Meta executives reportedly found that some employees were abusing Oops by working with third parties to gain unauthorized access to accounts in exchange for tens of thousands of dollars. … Meta fired dozens of workers.

Some of the fired workers denied the accusations on the basis of coercion and lack of awareness. … The firings were reported at a moment when Meta laid off 11,000 employees across the company to cut costs.

Also Jon Fingas gets some super spokesbabble—“Meta reportedly fired staff”:

Take ‘appropriate action’
The perpetrators included Allied Universal’s contracted security guards at Meta locations, according to the sources. … Allied Universal said it always “seriously” responds to conduct violation reports.

The firings are small compared to Meta’s overall (if now greatly reduced) headcount. However … it comes roughly a year after allegations that Meta let VIPs break the rules, and three years after the company discovered that employees had access to exposed user passwords.

[I] asked Meta for comment. … Spokesperson Andy Stone said the company would continue to take “appropriate action” against anyone selling fraudulent services.

“Appropriate action”? helsinkiandrew decodes thuswise:

The only situation when that shouldn’t be “fired and reported to the police and prosecuted to the full extent of the law,” is when you care more about saving face and not making bad publicity.

Right on. Geoffrey.landis agrees:

They were merely fired? … They should be arrested. Breaking into somebody’s account is a crime under the Computer Fraud and Abuse Act.

Does this report give you a warm feeling inside? jqpabc123 sounds slightly sarcastic:

Wow! Knowing that security guards have access to user accounts certainly instills a lot of confidence in their privacy policies and protections.

But this Anonymous Coward is confused:

It makes no sense. Why in the hell would you even give a security guard access to those tools?

No, you don’t need to be on Facebook. Go walk around the property and roust homeless people trying to get into the cafeteria.

As Zuck used to joke, “They ‘trust me.’” Tonya Riley—@TonyaJoRiley—isn’t joking:

One of the best arguments for zero trust.

Meanwhile, Chelloveck channels Captain Renault:

I’m shocked, shocked to find that humans are the weakest link in a security system.

And Finally:

This lived rent free in Jim’s head for years

Hat tip: Jimvin



You have been reading SB Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to @RiCHi. Ask your doctor before reading. Your mileage may vary. Past performance is no guarantee of future results. Do not stare into laser with remaining eye. E&OE. 30.

Image sauce: Jack Finnigan (via Unsplash; leveled and cropped)
