The bad news: Private data was stolen. The good: Fewer accounts were affected.
The attackers who carried out the mass hack that Facebook disclosed two weeks ago obtained user account data belonging to as many as 30 million users, the social network said on Friday. Some of that data—including phone numbers, email addresses, birth dates, searches, location check-ins, and the types of devices used to access the site—came from private accounts or was supposed to be restricted only to friends.
The revelation is the latest black eye for Facebook as it tries to recover from the scandal that came to light earlier this year in which Cambridge Analytica funneled highly personal details of more than 80 million users to an organization supporting then-presidential candidate Donald Trump. When Facebook disclosed the latest breach two weeks ago, CEO Mark Zuckerberg said he didn’t know if it allowed attackers to steal users’ private data. Friday’s update made clear that it did, although the 30 million people affected was less than the 50 million estimate previously given. Readers can check this link to see what, if any, data was obtained by the attackers.
On a conference call with reporters, Vice President of Product Management Guy Rosen said that at the request of the FBI, which is investigating the hack, Facebook isn’t providing any information about who the attackers are or their motivations or intentions. That means that for now, affected users should be extra vigilant when reading emails, taking calls, and receiving other types of communications. The ability to know the search queries, location check-ins, phone numbers, email addresses, and other personal details of so many people gives the attackers the ability to send highly customized emails, texts, and voice calls that may try to trick people into turning over money, passwords, or other high-value information.
New York Times reporter Mike Isaac summed up the feeling of many affected Facebook users when he tweeted a screenshot of his stolen personal information.
“The fact that they’ve accessed my location history and search bar searches is particularly screwed up to me,” he wrote. “Excited for hackers to blackmail me with the data on how often i namesearch high school ex girlfriends.”
Rosen said the breach started on September 14 and was active for 13 days until Facebook engineers fixed three security bugs that attackers had exploited in unison to obtain access tokens that keep users logged in to their accounts without requiring them to re-enter their passwords. The hack involved the “view as” feature that allows users to see how their account profiles look to others. It also involved a video upload feature. In all, the three-bug vulnerability that they exploited was active for more than two years. Rosen said he can’t rule out that the different campaigns exploited the same vulnerability during that time.
The attackers, he said, began the attack by obtaining the access tokens of 400,000 seed accounts. The attackers were able to view largely the same information the users of the 400,000 compromised accounts could when viewing their own profiles, including timeline posts, a list of friends, groups the users belonged to, and the names of messenger conversations. The message content wasn’t exposed except if the compromised account belonged to a page admin. The attackers then obtained access tokens for about 29 million users who were friends, or friends of friends, of these 400,000 seed accounts.
For a second group of about 15 million users, attackers stole names and contact details such as phone numbers and email addresses. The attackers stole the same names and contact information from a third group of about 14 million compromised accounts, along with additional details such as gender, relationship status, connected devices, and birthdates.
Rosen declined to say how the attackers went undetected for almost two weeks as they accessed 30 million accounts. Typically, large websites have measures in place to flag when a single person or a group of people with common or related IP addresses are logging in to a suspiciously large number of accounts. It’s possible the attackers used VPNs or a botnet of infected computers to disguise their activity.
Rosen said the 30 million affected accounts were broadly distributed around the world, but he declined to give a breakdown. While he declined to say what Facebook officials know about the attackers or their motivations for stealing the data, he said Facebook has no reason to believe the hack had any connection to the midterm elections scheduled for next month.