Facebook has released more information about the September data breach that was estimated to affect some 50 million users. The information includes the total number of users actually involved, the type of information stolen, and a help service for individuals whose accounts were compromised.
Guy Rosen, Facebook’s vice president of product management, disclosed that the attackers abused a Facebook feature, “View As,” which lets users see their own profile as others see it. That allowed them to steal Facebook access tokens – digital keys that allow you to keep accessing your account without having to enter your password each time you open the Facebook app. The attackers used an automated technique to move from one Facebook account to another, stealing the access tokens of friends of the accounts they already had access to, and so on, to a total of 400,000 users. The process mirrored what these users would have seen, which includes their timelines, posts, friends lists, names of recent conversations (without the content), and the groups they are members of.
The attackers were able to steal access tokens for about 30 million accounts in total, reports Facebook. Of that total, the attackers were able to retrieve the name and contact details (email and phone number) of about 15 million Facebook users. For some 14 million Facebook users, the attackers acquired the username, gender, relationship status, hometown, language, religion, birth date, self-reported current city, device type, website, and 15 most recent searches. For the remaining hacked users, no information was accessed by the attackers.
How to know if your Facebook account was hacked?
To check whether your account was affected by the security issue, Facebook advised users to visit its Help Center and log on to their accounts to learn if their data was stolen, including the type of data.
Rosen also said that the attack “did not include Messenger, WhatsApp, Instagram, Messenger Kids, Workplace, Oculus, payments, developer accounts, advertising, third-party apps or pages.” And while the social media giant is on alert to prevent further attacks, it is also cooperating with security agencies on the matter.
Facebook also said it would reach out to the 30 million people affected through customized messages “to explain what information the attackers might have accessed” and the measures they need to take in order to protect themselves from further attacks.
TechCrunch reports that Facebook said the FBI advised it “not to discuss who may be behind the attack,” as such speculation may prompt the attackers to cover tracks that would be useful in locating them.
This attack could affect Facebook’s Q3 earnings report, despite the company launching its first push into the hardware market, an AI video calling device, earlier this week.
While the affected Facebook users may be able to change some of the hacked information, such as current city of residence, password, friends, telephone number, devices, etc., they have to accept the permanent disclosure of permanent details such as their date of birth, work history, and education.