Facebook reveals more details about recent hack that affected 30 million accounts
Now, after further investigation, there is some good news in a mess of bad. Namely, 20 million fewer accounts had their tokens stolen than what Facebook originally projected. Still, that leaves 30 million users out there that potentially have some of their sensitive information in a less-than-secure situation.
Today Facebook has published an update on what happened, what has happened since, and what will happen next. It begins by recounting the hack itself, starting with the vulnerable code that was live between June 2017 and September 2018. Bugs in Facebook’s “View As” feature let the attackers obtain access tokens for Facebook accounts; with a valid token, an attacker can take over the account it belongs to and read the data in it.
Facebook says that while it originally believed 50 million accounts had their access tokens exposed, only 30 million people “actually had their tokens stolen”. Facebook then goes into some detail on how the attack unfolded, which starts with the attackers already controlling a set of accounts. From there, they used an automated technique to move from each account to the accounts on its friends list and obtain those tokens in turn, which eventually gave them control of 400,000 accounts.
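The pattern the update describes, a small seed of compromised accounts used to harvest tokens along friends lists, is detectable on the issuing side: a single session obtaining tokens for many different accounts in a short window, and each new account being a friend of one already harvested, is a very different signature from a legitimate user viewing their own profile. The following is an added illustration, not Facebook’s code or log format; the log layout, session ids, account ids and friend graph are all constructed for the example, and the thresholds are assumptions a real deployment would tune.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (hypothetical format, not Facebook's): one line per
# access token minted through an impersonation path such as "View As".
# Fields: ISO timestamp, requesting session id, account the token was issued for.
SAMPLE_LOG = """\
2018-09-14T10:00:01Z sess-bot user-1001
2018-09-14T10:00:02Z sess-bot user-1002
2018-09-14T10:00:02Z sess-bot user-1003
2018-09-14T10:00:04Z sess-bot user-1004
2018-09-14T10:00:05Z sess-bot user-1005
2018-09-14T10:00:07Z sess-bot user-1006
2018-09-14T10:00:09Z sess-bot user-1007
2018-09-14T10:00:01Z sess-ok  user-2001
2018-09-14T10:03:30Z sess-ok  user-2001
2018-09-14T10:40:00Z sess-ok  user-2002
"""

# Constructed friend graph (treated as undirected), used to test whether a
# session's targets look like a walk along friends lists.
FRIENDS = {
    "user-1001": {"user-1002", "user-1003"},
    "user-1002": {"user-1001", "user-1004", "user-1005"},
    "user-1003": {"user-1001", "user-1006"},
    "user-1006": {"user-1003", "user-1007"},
}


def parse_log(text):
    """Return a list of (timestamp, session, target) tuples sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, session, target = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), session, target))
    events.sort(key=lambda e: e[0])  # stable sort keeps same-second order
    return events


def detect_token_harvesting(events, max_distinct=5, window=timedelta(minutes=10)):
    """Flag sessions that obtain tokens for more than `max_distinct` different
    accounts inside any sliding `window`. Returns {session: (first_alert_time, count)}."""
    recent = defaultdict(deque)  # session -> (ts, target) pairs still inside the window
    alerts = {}
    for ts, session, target in events:
        q = recent[session]
        q.append((ts, target))
        while q and ts - q[0][0] > window:
            q.popleft()
        distinct = {t for _, t in q}
        if len(distinct) > max_distinct and session not in alerts:
            alerts[session] = (ts, len(distinct))
    return alerts


def friend_walk_ratio(events, session, friends=FRIENDS):
    """Fraction of a session's targets (after the first) that are friends of an
    account the same session already obtained a token for. Close to 1.0 means
    the session is walking the social graph rather than viewing its own profile."""
    targets = []
    for _, s, target in events:
        if s == session and target not in targets:
            targets.append(target)
    if len(targets) < 2:
        return 0.0
    seen, hits = {targets[0]}, 0
    for t in targets[1:]:
        if any(t in friends.get(prev, set()) or prev in friends.get(t, set()) for prev in seen):
            hits += 1
        seen.add(t)
    return hits / (len(targets) - 1)


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    for sess, (when, count) in detect_token_harvesting(evts).items():
        print(f"{sess}: {count} distinct accounts by {when.isoformat()}, "
              f"friend-walk ratio {friend_walk_ratio(evts, sess):.2f}")
```

The volume check alone catches the constructed bot session (six distinct accounts within ten seconds) while leaving the ordinary session alone; the friend-walk ratio is the second signal, and a session that trips both is the shape of the traversal the update describes.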
That access let the attackers see the profile of each account, including the News Feed, timeline posts, the names of recent Messenger conversations, and more. “Message content was not available to the attackers”, unless the account was the admin of a Page that had its access token stolen.
As for what was stolen, data-wise, this is the most important part so we’ll let Facebook spell it out:
“For 15 million people, attackers accessed two sets of information – name and contact details (phone number, email, or both, depending on what people had on their profiles). For 14 million people, the attackers accessed the same two sets of information, as well as other details people had on their profiles. This included username, gender, locale/language, relationship status, religion, hometown, self-reported current city, birthdate, device types used to access Facebook, education, work, the last 10 places they checked into or were tagged in, website, people or Pages they follow, and the 15 most recent searches. For 1 million people, the attackers did not access any information.”
Some of the alerts you might see in the Facebook app.
Facebook says users can see whether they were affected by the attack by visiting the Help Center. The social network will also send personalized messages to those who were affected, explaining which information the attackers accessed.
Facebook is quick to point out that this breach did not reach Messenger itself, or Messenger Kids, Instagram, or a plethora of other Facebook-owned platforms and services. The company does note that it is not ruling out “small-scale attacks”, either, and is investigating.
Checking your account’s status
For Facebook users that are concerned that their data isn’t safe, there’s a way to tell if it was stolen in the massive hack. All you have to do is visit this security notice page on Facebook. Scroll down to the bottom of the page and you should see a blue box detailing whether your account was hacked.
Here’s what the message looked like on my account:
Hackers were able to get their hands on “access tokens” in Facebook which allowed them to access compromised users’ accounts and scrape their data. On 14 million of the hacked accounts, attackers had access to name, contact details, gender, locale, relationship status, religion, hometown, self-reported current city, birthdate, device types used to access Facebook, education, work, the last 10 places they checked into or were tagged in, 15 most recent searches and more.
“We’re cooperating with the FBI, which is actively investigating and asked us not to discuss who may be behind this attack,” wrote Facebook exec Guy Rosen in a blog post.
Facebook says the attack didn’t impact Messenger, Messenger Kids, Instagram, WhatsApp, Oculus, Workplace, Pages, payments, third-party apps, or advertising or developer accounts.