Facebook on Friday revealed the devastating extent of a data breach that allowed hackers to access the sensitive personal information of millions of Facebook users.
On Sept. 29, Facebook announced that hackers had exploited a vulnerability in the “View As” feature and acquired access tokens that could have allowed them to access 50 million accounts.
Access tokens allow account holders to avoid having to type passwords. Access tokens for about 400,000 accounts were stolen in the breach, which exploited a vulnerability that existed from July 2017 through September. The attack began Sept. 14 and lasted through Sept. 25, Facebook said.
On Friday, Facebook announced that the overall number of accounts accessed was lower than its initial estimate, but also revealed the damage done by the attackers.
Facebook said 30 million accounts overall were compromised. In 15 million of them, attackers grabbed a name and either an email or phone number, Facebook said in a blog post by Guy Rosen, its vice president of product management.
Fourteen million people suffered a more serious breach.
In addition to the name and contact email or phone number, Facebook said that for these 14 million accounts, hackers grabbed “username, gender, locale/language, relationship status, religion, hometown, self-reported current city, birthdate, device types used to access Facebook, education, work, the last 10 places they checked into or were tagged in, website, people or Pages they follow, and the 15 most recent searches.”
Facebook said one million accounts had only their access tokens stolen.
“People’s privacy and security are incredibly important, and we are sorry this happened,” Rosen said, according to CNBC.
Although the attack was not as vast as Facebook initially feared it could be, one expert said the information stolen could lead to more trouble for those affected.
“Hackers have some sort of a goal,” said Oren J. Falkowitz, chief executive of the cybersecurity company Area 1 Security, according to The New York Times. “It’s not that their motivation is to attack Facebook, but to use Facebook as a lily pad to conduct other attacks.”
As an example, he said the information might be used in “phishing attacks,” to access financial accounts, health records or other personal information.
“Once you’ve become a target, it never ends,” he said.
Another expert said the 14 million accounts that suffered the worst breach are in the cross-hairs of those who attacked Facebook.
“The truth is that, as a result of this news, millions of phishing attacks will now be launched, pretending to be from Facebook. Up to 20 percent of recipients will click and a large number of those will be successfully attacked, many of them using work computers and mobile devices,” said Colin Bastable, CEO of Lucy Security, according to USA Today.
“Businesses and governments will lose money, ransomware attacks will result from this leak, and the attack will reverberate over many months,” he said.
Facebook said in the blog post that announced the impact of the breach that it was “cooperating with the FBI, which is actively investigating and asked us not to discuss who may be behind this attack.”
Facebook also said that individuals who wonder if they were hacked should go to a help center.
“In the coming days, we’ll send customized messages to the 30 million people affected to explain what information the attackers might have accessed, as well as steps they can take to help protect themselves, including from suspicious emails, text messages, or calls,” the blog post from Facebook said.