Facebook Just Shared New Disturbing Details About its Massive Data Breach

“We have no reason to believe this attack was related to the midterms.”

Alexander Pohl/NurPhoto via ZUMA Press

Fight disinformation: Sign up for the free Mother Jones Daily newsletter and follow the news that matters.

Two weeks ago, Facebook warned that attackers may have accessed the accounts of up to 50 million users. Today, the company provided an update reporting that instead of 50 million accounts, only 30 million were accessed. But that the breach exposed a mass of private information including phone numbers, email addresses, and even recent location check-ins. 

Initially, the attackers were able to control 400,000 accounts through a vulnerability in Facebook’s “view as” feature, which allows users to see how their profile looks to other members. They quickly moved from account to account using automated script to collect the “access tokens”—which allow users to login on trusted devices without entering their password—for 30 million users. Attackers then accessed the name and either the phone numbers or email contacts (sometimes both) for 15 million users. For 14 million others, attackers accessed that basic information as well as ten most recent check-ins, gender, location, relationship status, religion, hometown, self-reported current city, birthdate, device types used to access Facebook, education, people or pages they follow, and 15 of the most recent searches.

The initial attack was discovered on September 21, when the company noticed a suspicious uptick in user login activity. They found that a breach was made possible by a vulnerability introduced in July 2017 through a video upload feature. Guy Rosen, vice president of product at Facebook, emphasized on a press call Friday that the exposed accounts were secured on September 27, when Facebook went public with the security breach. From now on, users would not have to log out and log back in again. 

The company also verified Friday that the “attack did not include Messenger, Messenger Kids, Instagram, WhatsApp, Oculus, Workplace, Pages, payments, third-party apps, or advertising or developer accounts.” There was a possibility that administrators of groups had their messages viewed, but messages of no individual users were exposed. Credit card numbers were also not compromised.

Facebook users will see messages like these in the coming days

But many questions still remain, the most important being who was behind the attack and what was the intended use of the breached information. “We have no reason to believe this attack was related to the midterms,” Rosen told reporters. He also stated that the company hasn’t ruled out “smaller scale” attacks that might have taken place in addition to the unusual behavior discovered in September. (A spokesperson for Facebook tells Mother Jones that the company is still investigating the initial vulnerability.) Rosen added that the FBI “asked them not to share any information that could compromise their investigation.” 

The company confirmed that it is cooperating with the US Federal Trade Commission and the Irish Data Protection Commission but declined to share a breakdown of affected users by country. The company assured its more than 2 billion users that it continues to invest in its security infrastructure, hiring 20,000 new employees this year for the task. 

Those who want to see if and how their accounts might have been affected can go to Facebook’s Help Center. The site will also be sending out customized notifications to users in the coming days.

DONALD TRUMP & DEMOCRACY

Mother Jones was founded to do journalism differently. We stand for justice and democracy. We reject false equivalence. We go after stories others don’t. We’re a nonprofit newsroom, because the kind of truth-telling investigations we do doesn’t happen under corporate ownership.

And we need your support like never before, to fight back against the existential threats American democracy faces. Fundraising for nonprofit media is always a challenge, and we need all hands on deck right now. We have no cushion; we leave it all on the field.

It’s reader support that enables Mother Jones to report the facts that are too difficult, expensive, or inconvenient for other news outlets to uncover. Please help with a donation today if you can—even a few bucks will make a real difference. A monthly gift would be incredible.

payment methods

DONALD TRUMP & DEMOCRACY

Mother Jones was founded to do journalism differently. We stand for justice and democracy. We reject false equivalence. We go after stories others don’t. We’re a nonprofit newsroom, because the kind of truth-telling investigations we do doesn’t happen under corporate ownership.

And we need your support like never before, to fight back against the existential threats American democracy faces. Fundraising for nonprofit media is always a challenge, and we need all hands on deck right now. We have no cushion; we leave it all on the field.

It’s reader support that enables Mother Jones to report the facts that are too difficult, expensive, or inconvenient for other news outlets to uncover. Please help with a donation today if you can—even a few bucks will make a real difference. A monthly gift would be incredible.

payment methods

We Recommend

Latest

Sign up for our free newsletter

Subscribe to the Mother Jones Daily to have our top stories delivered directly to your inbox.

Get our award-winning magazine

Save big on a full year of investigations, ideas, and insights.

Subscribe

Support our journalism

Help Mother Jones' reporters dig deep with a tax-deductible donation.

Donate