Facebook has shared more details about the security breach it disclosed two weeks ago, which it now says affected about 30 million users.
In a Friday blog post, Guy Rosen, VP of Product Management, said of the 50 million people whose access tokens were compromised when hackers exploited a code vulnerability related to the View As feature, about 30 million actually had their tokens stolen.
Stealing the access tokens, the equivalent of digital keys that keep people logged in to Facebook so they don’t need to re-enter their password, allowed the attackers to take over people’s accounts.
Rosen said the attackers already controlled a set of accounts, which were connected to Facebook friends. They used an automated technique to move from account to account so they could steal the access tokens of those friends, and friends of those friends, and so on, totalling about 400,000 people. In the process, the technique automatically loaded those accounts’ Facebook profiles, mirroring what these 400,000 people would have seen when looking at their own profiles. That includes timeline posts, lists of friends, Groups they are members of, and the names of recent Messenger conversations. Message content was not available to the attackers, with one exception. If a person in the group was a Page administrator whose Page had received a message from someone on Facebook, the content of that message was available to the attackers.
The attackers used a portion of the 400,000 friend lists to steal access tokens for about 30 million people. For 15 million people, attackers accessed two sets of information – name and contact details (phone number, email, or both, depending on what people had on their profiles). For 14 million people, the attackers accessed the same two sets of information, as well as other details people had on their profiles. Those details included username, gender, locale/language, relationship status, religion, hometown, self-reported current city, birthdate, device types used to access Facebook, education, work, the last 10 places they checked into or were tagged in, website, people or Pages they follow, and the 15 most recent searches. For 1 million people, the attackers did not access any information.
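The account-to-account hopping described above (a stolen token used to pull the friend list of one account, then tokens for those friends, and so on) leaves a graph-shaped trail in token-issuance logs. The following is an added detection example, not Facebook's code or the article's: it assumes a hypothetical log format in which each line records that `actor` obtained an access token for `target` through an impersonation feature (`via=view_as`), builds the resulting graph, and flags starting accounts whose chain of obtained tokens fans out or chains deeper than a normal user would ever need. The log lines are constructed sample data.

```python
"""Detect chained access-token acquisition through an impersonation feature.

Hypothetical log format (assumption, not a real Facebook log):
    <timestamp> actor=<account> target=<account> via=<feature>
A line means `actor` obtained an access token valid for `target`.
"""
import re
from collections import defaultdict, deque
from typing import Dict, List, Set, Tuple

# Constructed sample log: acct_A seeds a three-hop chain; acct_Z is benign;
# the last line uses a different feature and must be ignored by the parser.
SAMPLE_LOG = """\
2018-09-25T10:00:01Z actor=acct_A target=acct_F1 via=view_as
2018-09-25T10:00:02Z actor=acct_A target=acct_F2 via=view_as
2018-09-25T10:00:03Z actor=acct_A target=acct_F3 via=view_as
2018-09-25T10:00:04Z actor=acct_F1 target=acct_G1 via=view_as
2018-09-25T10:00:05Z actor=acct_F1 target=acct_G2 via=view_as
2018-09-25T10:00:06Z actor=acct_G1 target=acct_H1 via=view_as
2018-09-25T10:01:00Z actor=acct_Z target=acct_Z2 via=view_as
2018-09-25T10:03:00Z actor=acct_Q target=acct_Q via=password
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) actor=(?P<actor>\S+) target=(?P<target>\S+) via=(?P<via>\S+)$"
)


def parse_log(text: str) -> List[Tuple[str, str]]:
    """Return (actor, target) edges for tokens obtained via the view_as feature."""
    edges = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if m and m.group("via") == "view_as":
            edges.append((m.group("actor"), m.group("target")))
    return edges


def build_graph(edges: List[Tuple[str, str]]) -> Dict[str, Set[str]]:
    """Adjacency: actor -> set of accounts it obtained tokens for."""
    graph: Dict[str, Set[str]] = defaultdict(set)
    for actor, target in edges:
        graph[actor].add(target)
    return graph


def seed_accounts(edges: List[Tuple[str, str]]) -> Set[str]:
    """Actors that never themselves received a token: the chain's starting set."""
    actors = {a for a, _ in edges}
    targets = {t for _, t in edges}
    return actors - targets


def reach_from(graph: Dict[str, Set[str]], seed: str) -> Tuple[Set[str], int]:
    """BFS along obtained tokens: accounts reachable from seed and max hop depth."""
    seen: Set[str] = set()
    depth = 0
    frontier = deque([(seed, 0)])
    while frontier:
        node, d = frontier.popleft()
        for nxt in graph.get(node, ()):
            if nxt != seed and nxt not in seen:
                seen.add(nxt)
                depth = max(depth, d + 1)
                frontier.append((nxt, d + 1))
    return seen, depth


def flag_chains(text: str, min_reach: int = 3, min_depth: int = 2) -> Dict[str, Tuple[int, int]]:
    """Flag seeds whose token chain reaches too many accounts or hops too deep.

    Returns {seed: (accounts_reached, max_depth)} for every flagged seed.
    """
    edges = parse_log(text)
    graph = build_graph(edges)
    flagged = {}
    for seed in seed_accounts(edges):
        reached, depth = reach_from(graph, seed)
        if len(reached) >= min_reach or depth >= min_depth:
            flagged[seed] = (len(reached), depth)
    return flagged


if __name__ == "__main__":
    for seed, (n, d) in flag_chains(SAMPLE_LOG).items():
        print(f"{seed}: tokens obtained for {n} accounts, chain depth {d}")
```

The thresholds are illustrative: a legitimate user previewing their own profile obtains a token for at most their own account (depth 0), so any second hop is already anomalous, and the real signal in an incident like this one is the breadth of the tree rooted at a handful of seed accounts rather than any single issuance. Rate-limiting or alerting on the reachable-set size per seed would catch the automation long before it reached hundreds of thousands of accounts.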
People can check whether they were affected by visiting the Facebook Help Center. In the coming days, the social platform will send customized messages to the 30 million people affected to explain what information the attackers might have accessed, as well as steps they can take to help protect themselves.
The attack did not include Messenger, Messenger Kids, Instagram, WhatsApp, Oculus, Workplace, Pages, payments, third-party apps, or advertising or developer accounts.
Facebook said as it continues to investigate other ways those behind the breach used Facebook, as well as the possibility of smaller-scale attacks, it’s cooperating with the FBI, U.S. Federal Trade Commission, Irish Data Protection Commission, and other authorities.