Facebook Hack Attack Part of Cyber-espionage Campaign?
By Erika Icon
YNOT – Late Friday, Facebook admitted the massive social network fell under what security staff called a sophisticated hacking attack in January. According to a spokesperson, no user data was compromised. Facebook users were not alerted because the attack “didn’t reach the legal threshold for user notification.”
Security experts and law enforcement have begun asking whether Facebook was targeted as part of a months-long cyber-espionage campaign that so far has struck The New York Times, The Wall Street Journal and Twitter, among other high-profile, U.S.-based sites.
In Facebook’s case, the attack was discovered when employees routinely clicking through links on timelines were surreptitiously redirected to a compromised website belonging to a developer of mobile apps. Malware hidden on the site bombarded the employees’ laptops, even though their antivirus software was up to date. Facebook did not disclose the name of the mobile developer involved.
“As soon as we discovered the presence of the malware, we remediated all infected machines, informed law enforcement and began a significant investigation that continues to this day,” a member of Facebook Security posted to the company’s blog.
“Facebook was not alone in this attack,” the post continued. “It is clear that others were attacked and infiltrated recently, as well. As one of the first companies to discover this malware, we immediately took steps to start sharing details about the infiltration with the other companies and entities that were affected. We plan to continue collaborating on this incident through an informal working group and other means.”
Particularly alarming to Facebook engineers: The malware had never been encountered before, so no existing security tools would have been able to stop it. Ironically, Facebook pays security researchers and hackers to find code flaws that might be exploited.
According to the blog post, the most recent attack on Facebook may have exploited a flaw in a Java-based browser plug-in. Twitter also experienced a Java-based attack this month, leaving 250,000 Twitter accounts compromised.
Java has become a primary vector for malware in recent months, playing a role in half the cyber attacks during 2012, according to Kaspersky Lab. Security experts advise end-users to disable Java in their browsers.