Facebook Just Shared New Disturbing Details About its Massive Data Breach

“We have no reason to believe this attack was related to the midterms.”

Alexander Pohl/NurPhoto via ZUMA Press

Two weeks ago, Facebook warned that attackers may have accessed the accounts of up to 50 million users. Today, the company provided an update reporting that instead of 50 million accounts, only 30 million were accessed. But that the breach exposed a mass of private information including phone numbers, email addresses, and even recent location check-ins. 

Initially, the attackers were able to control 400,000 accounts through a vulnerability in Facebook’s “view as” feature, which allows users to see how their profile looks to other members. They quickly moved from account to account using automated script to collect the “access tokens”—which allow users to login on trusted devices without entering their password—for 30 million users. Attackers then accessed the name and either the phone numbers or email contacts (sometimes both) for 15 million users. For 14 million others, attackers accessed that basic information as well as ten most recent check-ins, gender, location, relationship status, religion, hometown, self-reported current city, birthdate, device types used to access Facebook, education, people or pages they follow, and 15 of the most recent searches.

The initial attack was discovered on September 21, when the company noticed a suspicious uptick in user login activity. They found that a breach was made possible by a vulnerability introduced in July 2017 through a video upload feature. Guy Rosen, vice president of product at Facebook, emphasized on a press call Friday that the exposed accounts were secured on September 27, when Facebook went public with the security breach. From now on, users would not have to log out and log back in again. 

The company also verified Friday that the “attack did not include Messenger, Messenger Kids, Instagram, WhatsApp, Oculus, Workplace, Pages, payments, third-party apps, or advertising or developer accounts.” There was a possibility that administrators of groups had their messages viewed, but messages of no individual users were exposed. Credit card numbers were also not compromised.

Facebook users will see messages like these in the coming days

But many questions still remain, the most important being who was behind the attack and what was the intended use of the breached information. “We have no reason to believe this attack was related to the midterms,” Rosen told reporters. He also stated that the company hasn’t ruled out “smaller scale” attacks that might have taken place in addition to the unusual behavior discovered in September. (A spokesperson for Facebook tells Mother Jones that the company is still investigating the initial vulnerability.) Rosen added that the FBI “asked them not to share any information that could compromise their investigation.” 

The company confirmed that it is cooperating with the US Federal Trade Commission and the Irish Data Protection Commission but declined to share a breakdown of affected users by country. The company assured its more than 2 billion users that it continues to invest in its security infrastructure, hiring 20,000 new employees this year for the task. 

Those who want to see if and how their accounts might have been affected can go to Facebook’s Help Center. The site will also be sending out customized notifications to users in the coming days.

DOES IT FEEL LIKE POLITICS IS AT A BREAKING POINT?

Headshot of Editor in Chief of Mother Jones, Clara Jeffery

It sure feels that way to me, and here at Mother Jones, we’ve been thinking a lot about what journalism needs to do differently, and how we can have the biggest impact.

We kept coming back to one word: corruption. Democracy and the rule of law being undermined by those with wealth and power for their own gain. So we're launching an ambitious Mother Jones Corruption Project to do deep, time-intensive reporting on systemic corruption, and asking the MoJo community to help crowdfund it.

We aim to hire, build a team, and give them the time and space needed to understand how we got here and how we might get out. We want to dig into the forces and decisions that have allowed massive conflicts of interest, influence peddling, and win-at-all-costs politics to flourish.

It's unlike anything we've done, and we have seed funding to get started, but we're looking to raise $500,000 from readers by July when we'll be making key budgeting decisions—and the more resources we have by then, the deeper we can dig. If our plan sounds good to you, please help kickstart it with a tax-deductible donation today.

Thanks for reading—whether or not you can pitch in today, or ever, I'm glad you're with us.

Signed by Clara Jeffery

Clara Jeffery, Editor-in-Chief

We Recommend

Latest

Sign up for our newsletters

Subscribe and we'll send Mother Jones straight to your inbox.

Get our award-winning magazine

Save big on a full year of investigations, ideas, and insights.

Subscribe

Support our journalism

Help Mother Jones' reporters dig deep with a tax-deductible donation.

Donate

Share your feedback: We’re planning to launch a new version of the comments section. Help us test it.