Facebook is releasing new details of an attack that gave hackers access to tens of millions of individuals’ Facebook accounts. At the same time, it revised downward the number of users affected, from nearly 50 million to about 30 million.
In a blog post Friday, the company revealed attackers stole the access tokens — digital keys that keep people logged into Facebook so they don’t have to re-enter a password — to millions of accounts by exploiting previously disclosed “View As” bugs and used a technique to automatically jump from friends list to friends list. “View As” is a feature that allows Facebook users to see their profiles as other people do.
The company says it first became aware of an unusual spike of activity on Sept. 14, determined it was an attack on Sept. 25, and closed the vulnerability within two days.
Not all of the roughly 30 million affected had the same potentially sensitive information accessed by the attackers. Guy Rose, Facebook’s vice president of product management, said 15 million had their name and contact details exposed, such as phone number, email, or both. Another 14 million had additional information accessed, including username, gender, relationship status, religion, hometown, birthdate, education, work, and several other details. The company says the remaining 1 million did not have any information accessed.
“People can check whether they were affected by visiting our Help Center,” Rose said. “In the coming days, we’ll send customized messages to the 30 million people affected to explain what information the attackers might have accessed, as well as steps they can take to help protect themselves, including from suspicious emails, text messages, or calls.”
Facebook said its other services and apps, including Messenger, Messenger Kids, Instagram, and WhatsApp, were not affected by the attack.
The original disclosure of the attack came on Sept. 28. At the time, Facebook said it reset access tokens for nearly 90 million accounts, many as a “precautionary step.” The total included 50 million accounts suspected to be directly affected, plus an additional 40 million accounts subject to a “View As” lookup in the previous year. The “View As” feature was also disabled.
“As we look for other ways the people behind this attack used Facebook, as well as the possibility of smaller-scale attacks, we’ll continue to cooperate with the FBI, the US Federal Trade Commission, Irish Data Protection Commission, and other authorities,” Rose said. The company said the FBI has asked it not to discuss who might be behind the attack.
