After analyzing the compromised website where the attack originated, we found it was using a "zero-day" (previously unseen) exploit to bypass the Java sandbox (built-in protections) to install the malware. We immediately reported the exploit to Oracle, and they confirmed our findings and provided a patch on February 1, 2013, that addresses this vulnerability.
Facebook was not alone in this attack. It is clear that others were attacked and infiltrated recently as well. As one of the first companies to discover this malware, we immediately took steps to start sharing details about the infiltration with the other companies and entities that were affected. We plan to continue collaborating on this incident through an informal working group and other means.
There are a few important points that people on Facebook should understand about this attack:
- Foremost, we have found no evidence that Facebook user data was compromised.
- We will continue to work with law enforcement and the other organizations and entities affected by this attack. It is in everyone’s interests for our industry to work together to prevent attacks such as these in the future.
It looks like a "zero day" Java exploit is being blamed so Java's rep takes another beating and by sophisticated they mean they didn't target Facebook directly, they targeted employee laptops and used those to gain access instead.
A company is only as strong as the weakest link in their chain when it comes to hacking.