Two weeks ago, Facebook warned that attackers may have accessed the accounts of up to 50 million users. Today, the company provided an update reporting that instead of 50 million accounts, only 30 million were accessed. But that the breach exposed a mass of private information including phone numbers, email addresses, and even recent location check-ins.
Initially, the attackers were able to control 400,000 accounts through a vulnerability in Facebook’s “view as” feature, which allows users to see how their profile looks to other members. They quickly moved from account to account using automated script to collect the “access tokens”—which allow users to login on trusted devices without entering their password—for 30 million users. Attackers then accessed the name and either the phone numbers or email contacts (sometimes both) for 15 million users. For 14 million others, attackers accessed that basic information as well as ten most recent check-ins, gender, location, relationship status, religion, hometown, self-reported current city, birthdate, device types used to access Facebook, education, people or pages they follow, and 15 of the most recent searches.
The initial attack was discovered on September 21, when the company noticed a suspicious uptick in user login activity. They found that a breach was made possible by a vulnerability introduced in July 2017 through a video upload feature. Guy Rosen, vice president of product at Facebook, emphasized on a press call Friday that the exposed accounts were secured on September 27, when Facebook went public with the security breach. From now on, users would not have to log out and log back in again.
The company also verified Friday that the “attack did not include Messenger, Messenger Kids, Instagram, WhatsApp, Oculus, Workplace, Pages, payments, third-party apps, or advertising or developer accounts.” There was a possibility that administrators of groups had their messages viewed, but messages of no individual users were exposed. Credit card numbers were also not compromised.
But many questions still remain, the most important being who was behind the attack and what was the intended use of the breached information. “We have no reason to believe this attack was related to the midterms,” Rosen told reporters. He also stated that the company hasn’t ruled out “smaller scale” attacks that might have taken place in addition to the unusual behavior discovered in September. (A spokesperson for Facebook tells Mother Jones that the company is still investigating the initial vulnerability.) Rosen added that the FBI “asked them not to share any information that could compromise their investigation.”
The company confirmed that it is cooperating with the US Federal Trade Commission and the Irish Data Protection Commission but declined to share a breakdown of affected users by country. The company assured its more than 2 billion users that it continues to invest in its security infrastructure, hiring 20,000 new employees this year for the task.
Those who want to see if and how their accounts might have been affected can go to Facebook’s Help Center. The site will also be sending out customized notifications to users in the coming days.