Now, after further investigation, there is some good news in a mess of bad. Namely, 20 million fewer accounts had their tokens stolen than what Facebook originally projected. Still, that leaves 30 million users out there that potentially have some of their sensitive information in a less-than-secure situation.
Today Facebook has published an update on what happened, what has happened since, and what will happen next. It first recounts the hack itself, beginning with the vulnerable code that was live between June 2017 and September 2018. Bugs in Facebook’s “View As” feature let attackers obtain the access tokens for Facebook accounts, and with those tokens they could take over the accounts as they saw fit and access the data in them.
Facebook says that while it originally believed 50 million accounts had their access tokens exposed to the breach, only 30 million people “actually had their tokens stolen”. Facebook then goes into some detail on how it all went down. The attackers started with a set of accounts they already controlled. From there, they used an automated technique that gave them access to those accounts’ friends lists, which allowed them to move from one account to the next and collect tokens along the way, eventually gaining control of 400,000 accounts.
That access let the attackers see the profile of each account, including the News Feed, what people would post to their timeline, names of recent Messenger conversations, and more. “Message content was not available to the attackers”, unless you are the Admin of a page that had its access token stolen.
As for what was stolen, data-wise, this is the most important part so we’ll let Facebook spell it out:
“For 15 million people, attackers accessed two sets of information – name and contact details (phone number, email, or both, depending on what people had on their profiles). For 14 million people, the attackers accessed the same two sets of information, as well as other details people had on their profiles. This included username, gender, locale/language, relationship status, religion, hometown, self-reported current city, birthdate, device types used to access Facebook, education, work, the last 10 places they checked into or were tagged in, website, people or Pages they follow, and the 15 most recent searches. For 1 million people, the attackers did not access any information.”
Facebook says users can check whether they were affected by the attack through the Help Center. The social network will also send personalized messages to those who were affected, explaining what information the attackers accessed.
Facebook is quick to point out that this breach did not reach Messenger itself, or Messenger Kids, Instagram, or a plethora of other Facebook-owned platforms and services. The company does note that it is not ruling out “small-scale attacks”, either, and is investigating.