Facebook hacked by Java Zero Day exploit

Facebook - a social networking giant with one billion active users said on Friday that it has been attacked by an unidentified group of hackers in January, fortunately no user information was compromised during the attack.
What is really interesting is the level of sophistication of the malware based attack that eluded security defense, it compromised the developer’s website and infected the employee’s machine when visited it.
The laptops infected were fully-patched and running up-to-date anti-virus software occurrence that suggests attacker have exploited zero day vulnerabilities hosting an exploit on the web site.
The official statement reports:

“Facebook, like every significant internet service, is frequently targeted by those who want to disrupt or access our data and infrastructure. As such, we invest heavily in preventing, detecting, and responding to threats that target our infrastructure, and we never stop working to protect the people who use our service. The vast majority of the time, we are successful in preventing harm before it happens, and our security team works to quickly and effectively investigate and stop abuse.

Last month, Facebook Security discovered that our systems had been targeted in a sophisticated attack. This attack occurred when a handful of employees visited a mobile developer website that was compromised. The compromised website hosted an exploit which then allowed malware to be installed on these employee laptops. The laptops were fully-patched and running up-to-date anti-virus software. As soon as we discovered the presence of the malware, we remediated all infected machines, informed law enforcement, and began a significant investigation that continues to this day.”

Facebook confirmed no user data was compromised.

We have found no evidence that Facebook user data was compromised.

Facebook advisory confirmed that security teams of the company are very active in the fight to cyber threats thanks to an intense collaboration with law enforcement and security teams of other companies. The attacks seem to have exploited a zero-day Java software vulnerability well before the official announcement provided by Oracle company.
“After analyzing the compromised website where the attack originated, we found it was using a “zero-day” (previously unseen) exploit to bypass the Java sandbox (built-in protections) to install the malware. We immediately reported the exploit to Oracle, and they confirmed our findings and provided a patch on February 1, 2013, that addresses this vulnerability.”
The investigation are still ongoing as confirmed by Facebook

“We will continue to work with law enforcement and the other organizations and entities affected by this attack. It is in everyone’s interests for our industry to work together to prevent attacks such as these in the future.”

Facebook has a very managed bug bounty program which attracts Bug Bounty Hunter to participate in it and report vulnerabilities to facebook.