Meta (formerly named Facebook) reportedly fired “more than a dozen security guards and workers” in the past year after user information and logins were sold to people up to no good. It is a reminder that insider threats can impact even the biggest organizations around.
Insider threats are people in an organization who decide to pull a heel turn and work against the best interests of their colleagues and employer. This can have devastating effects on a business. Alongside the hit to reputation when the story inevitably comes to light, insider threats can also have a chilling effect on employees. Is everyone really on the same side here, or is it only a matter of time before person X in department Y accesses all of your data and siphons it off for profit?
Oops: you're logged out
Some time ago, Meta reportedly developed an online tool called Online Operations (Oops). Its original intent, according to reporting from The Wall Street Journal, was to provide extra help to users who were having trouble logging in. But, according to additional reporting from Gizmodo, Oops was also only reserved for a select number of people; specifically, users that made Oops reports were also required to "state whether they are on CEO Mark Zuckerberg’s team, a celebrity, or a Meta partner or family member."
But a problem arose when Oops, which had both a niche use and user base, became accessible to a group of security guards that were contracted by Meta. Some of those security contractors were using their Oops access for illicit means, as was reportedly uncovered in an internal investigation. According to Gizmodo:
"The internal probe revealed security guards had been able to access Oops on Facebook’s intranet, and one security contractor was reportedly fired for assisting third parties in taking over accounts in 2021. The report shows another security contractor was fired when the probe found they allegedly reset several accounts for hackers in exchange for Bitcoin."
CNBC reported that “thousands of dollars in bribes” changed hands in return for illicit access to account credentials.
You may be wondering why security guards had access to such a tool. Given that the primary use for Oops is supposed to be for employees, family, and friends of Meta staff, it wouldn’t be that unusual for them to have access in order to assist with certain forms of on-site verification.
Whatever the reason, the unauthorized trade in logins continued until the internal investigation weeded out the bad actors, who were then removed from their positions.
Why stolen accounts belonging to employees and family are a risk
When you stop to consider the traffic and visibility Meta still commands, and how many celebrity and staff accounts exist on the site, this is all very bad news. The chaos which could have ensued from such accounts being hijacked and used for all manner of scams doesn’t bear thinking about. However, I’m definitely going to think about it, so with that in mind:
Verification / identity scams. These are a big and easy way to get your fingers burnt on social media. Lots of people want that tick (or similar) above all else, and it’s partially responsible for the circus which recently played out on Twitter. Stolen accounts belonging to Meta employees could get up to all sorts of mischief.
General data harvesting. Depending on the accounts collected, you may not even have to do very much with them in terms of making fake posts or pulling a scam. You may be in it for the juicy data hidden under the hood: connections between different individuals, private messages, and more. All of this can be very useful for a scammer, and not so great for the person whose account is most definitely in a post-Oops wasteland.
Phishing your way up the social graph. You could cause lots of trouble on a social engineering/phishing expedition, with the latter providing the added bonus of yet more compromised accounts…many of which could be related to Meta employees or celebrities. This would just further compound the problem the longer it’s left unchecked.
All's well that ends well?
Meta has addressed the issue and informed CNBC that its approach to these tactics has changed, with its security measures altered to account for insider threats along similar lines. While Meta isn’t about to reveal to the whole world what those measures will look like, we can only hope that a closer eye is kept on the threat to profiles managed by the Oops tool.
A lot of the accounts formerly under threat may not necessarily be high profile, but that’s not really the biggest problem. These types of hijacks afford an attacker official forms of credibility inherent to the platform they’re on, baked into stolen accounts tied to the parent company. With this kind of leverage to play with, an attacker is potentially only a few short direct messages away from scoring another big heist.