Facebook Promises To Warn Users Against State-Sponsored Attacks

In a recent announcement, Facebook's Chief Security Officer, Alex Stamos, said that his company has taken measures to alert its users when their accounts or computers are under attack by nation-state hackers.

The company wants its users to turn on Login Approvals, which will then ensure that anytime someone is trying to log in to that user's Facebook account from a new browser or device, the company will send a randomly generated code via SMS, which can be used to log in.

Stamos said that this new warning is necessary because of how advanced and dangerous these types of attacks tend to be. In such cases, the company wants its users to take immediate action to secure all of their online accounts.

Stamos also noted that this warning is not about Facebook's servers being compromised, but about the users' PCs or mobile devices becoming infected with malware belonging to a nation-state. Because such attacks are so sophisticated in general, Facebook recommended that users rebuild (reset the operating system) or even replace the devices completely.

Facebook won't reveal how exactly it learns whether there's malware in your system and whether that malware is made by a nation-state. This is to protect the integrity of its methods and processes, so malicious attackers don't know what to avoid when attacking Facebook users' devices.

The company wants to use this warning only when there's strong evidence that points to a nation-state attack. It will also continue to improve its detection methods to protect its users against not just nation-state attacks, but other kinds of attacks as well.

This is one of the latest in a series of strong security measures that Facebook has taken in the recent past. Another measure was to let users add their public PGP keys to their profiles, which could then be used automatically by Facebook to send encrypted notifications. Also, other users could more easily discover who uses PGP and how to send them end-to-end encrypted email.

For a company that has had many privacy missteps, it's good to see that Facebook is at least taking steps to protect the data that it's gathering on over a billion users.


Lucian Armasu has joined Tom’s Hardware since early 2014. He writes news stories on mobile, chipsets, security, privacy, and anything else that might be of interest to him from the technology world. Outside of Tom’s Hardware he dreams of becoming an entrepreneur.

Follow us @tomshardware, on Facebook and on Google+.

Lucian Armasu
Lucian Armasu is a Contributing Writer for Tom's Hardware US. He covers software news and the issues surrounding privacy and security.
  • anathema_forever
    Funny thing is I never bother with most of those extra features like please give us your cell number so we can data mine you even more but promising to warn me about government hacking actually makes me want to setup that extra 2 stage security lol. Leave it to the government to get on my bad side enough that I would actually try and make a strong password and use 2 stage authentication. Course since they are supposed to be protecting me its kind of ironic since they did just that by pissing me off.
  • surphninja
    Will they also warn if it looks like the US is trying to gain access to your account (either through your devices or accessing their servers)? Or just if Russia and China are trying to do it?
  • synphul
    Sorry fb, still not getting my cell number despite the elegant attempts at fear mongering. I'd rather just ditch fb. If facebook is recommending the user simply reset their os then obviously fb is just out to harvest phone numbers off users who haven't previously given it to them. According to security experts if this attack is indeed pulled off and resides in your hard drive then a simple format/os reinstall won't solve the issue. A drive replacement is the only effective measure. Due to the complexity of the attacks it would be more likely to be done on fb's own drives rather than individual users.

  • kenjitamura
    Think this measure is more aimed towards Libyan, Syrian, North Korean etc users whose lives are at risk rather than developed countries like the US that are inconvenienced by the thought of NSA data collection.