by johnyzee 17 days ago
"Meta notified at least 20,225 people that their accounts had been compromised. [...]

The compromises allowed the hackers to take over the person's entire Instagram and any linked accounts, including obtaining contact information, dates of birth, and profile information, as well as the ability to access the person's posts, direct messages, and account activity [...]

the hacks began around April 17 and lasted until this week [...]"

This is staggering.


This could avoid flagging because Meta explicitly allows bot traffic to do stuff with impunity on its services. Don't tell me an army of people went through and compromised account by account.
One can only hope the EU gives them a GDPR fine very close to the limit of 4% of global turnover. But when the EU actually needs to protect customers, I think they will fail.
Incidents like this show how unenforceable GDPR is, and how it's been a net negative for users since its inception. It's ideological back-patting, toothless when it matters.
After the GDPR every website added an option to export your personal data and to delete your account. Something most were missing at the time. It was an immediate and massive win.
Right, but nothing stops companies from refusing SARs on baloney grounds. Complain to a DPA? They tell you to go through ADR or outright ignore you. Complain to Ombudsman? They'll tell you the same. (In my experience, the Dutch do this)

Company ignores ADR? Sure, now you can go through the legal route and spend copious amounts of money, all because a multi-billion-dollar company knows the game and how to navigate the bureaucratic mess better than you.

Yep, this is how they do it. The domain registrar netcup did something like this to me. I went through their parent company (?) too, without success. They will put forth any reason to not have to delete your data. I suspect that they either are trying to reduce work for themselves, or their platform is so crap internally that they would have to get someone coding to delete the data.
This. In reality, GDPR isn't preventative, nor punitive enough for any meaningful user protection. We get cookie banners everywhere and user data harvesting companies happily pay the negligible fines.
You don't have to have a fb account for meta to fingerprint every little page you visit, perfectly legally.
How is this unenforceable? If any EU citizens were hacked they're gonna come down like a ton of bricks on Meta Dublin.
The DPC would disagree. All you need to show is that you took "reasonable steps to protect users," which is trivial to do, and not even a single fine will be levied.
What reasonable step was made when the exploit was left open for months?
No fan of Meta, but I think "staggering" is properly determined by the percent of users affected rather than the absolute number. It's staggering to an SMB with 100k customers; it's bad, but not "staggering" to an internet juggernaut with 3B MAU.
Twenty _thousand_ people had their personal data stolen, many of them relied on these accounts to run their business, many put at risk of hackers impersonating them.

Meta in a fair world should be forced to financially compensate these people. They built a world where many people basically have to use their products for their jobs and then failed to look after the data because they wanted to replace customer support with a vibe coded AI tool.

Over forty _thousand_ people die every year in the US from car accidents. Plenty of other preventable injustices happen in all areas of life. I wonder how many fathers are unjustly taken away from their children by a corrupt family court system, how many people die of treatable diseases denied treatment by insurance companies, how many kids lose interest in school because of bad teachers, how many customer service workers endure daily abuse because they need the job.

It's not that the breach isn't bad, or that Meta is a sympathetic company. It's bad and they're not. I just find it hard to feel outraged about this particular incident affecting 1 out of every 10k users of a social media site when we live in a world with Citizens United, qualified immunity, and $300 insulin.

The US car deaths stat is also completely insane and way higher than other countries. I can recognize that at scale, securing every account is a very difficult task, but with scale comes responsibility.

Meta plays fast and loose rushing in unsupervised vibeslop agents to save a penny. They should be significantly penalized for such a massive failure, particularly for how long this exploit was live and for how the victims were unable to get in contact with any human at Meta to restore their account.

> way higher than other countries

You must live in Monaco.

Wikipedia has the United States #80.

https://en.wikipedia.org/wiki/List_of_countries_by_traffic-r...

> Wikipedia has the United States #80.

Where do you see that? With 14.2/100K the US comes in at 111/190

Sure, but #80 out of 190, still not great, ain't it?
1.2M car-related deaths worldwide every year. A WW1's worth every decade.
Fathers who ask for custody are massively successful statistically.

Also, taking kids from a father requires quite a lot. And no, an actually proven domestic violence issue is not enough if it was not provably against the kid itself.

Family courts have flaws, but fathers with interest in kids having them stolen en masse is not one of them.

> Over forty thousand people die every year in the US from car accidents.

If a single company was solely responsible for car accidents causing that many deaths in as short a time as this, the consequences would be severe.

Ok, but we, as engineers, can do better, rather than leaning on lawyers as a crutch to eschew liability.
> Twenty _thousand_ people had their personal data stolen, many of them relied on these accounts to run their business, many put at risk of hackers impersonating them.

It only worked for accounts that didn't have 2FA switched on. If your livelihood depends on your account and you're risking not turning on some pretty basic security features then you should accept partial responsibility.

Did they partially hack their accounts? No, so why would you be saying it's partially the victim's fault when the billion-dollar corporation doesn't secure their shit?
If you're relying on Meta to operate your business you're on shaky ground and it's a strong hint it was never viable to begin with.
> Meta in a fair world should be forced to financially compensate these people.

In a fair world, Meta and companies like it wouldn’t exist.

It's not staggering. I fully expect thousands of people to lose their IG accounts per day to other hacks before this bug. That's like 0.000001 percent of active users. It's a big platform with many people.

But totally Meta should pay. There's not many people to pay. They should sue.

Here are some sources that show the number of hacked accounts, daily, before this bug is thousands or even tens of thousands. Apparently 30%+ of all social media account takeovers happen on Instagram and it's not even the largest platform.

I didn't verify the sources, just searched how many.

https://www.hackingloops.com/social-media-hacking-statistics...

https://www.zerofox.com/blog/often-social-media-accounts-hac...

Downvotes are welcome to share their sources

No. Percentages allow them to hide in the law of averages. Go tell those twenty thousand people that it's banal that Meta fucked up like this.
Worth noting that Meta has a track record of revising breach numbers upwards. We may find out it’s a lot higher than this in the coming weeks.
Why does scale absolve you of crime?

If you or I hacked 20,000 people and potentially fucked over their lives, what'd be the consequences?

Who's going to attach their name to this negligent act and do time?