Facebook has now detailed what data was scraped and stolen in the breach it revealed two weeks ago. 30 million users, not 50 million as it initially estimated, had their access tokens stolen by hackers.
Users can check Facebook’s Help Center to find out if their information was accessed, and Facebook will send customized alerts to those impacted detailing what was accessed from their account and what they can do to recover. It’s currently not clear if all the information accessed was necessarily scraped.
Facebook’s VP of product management Guy Rosen told reporters on a press call that “We are cooperating with the FBI on this matter” and that “the FBI have asked us not to discuss who may be behind this attack” as its own investigation is ongoing. Disclosing anything about the perpetrator now could cause them to cover their tracks.
15 million of the 30 million users had their name plus phone number and/or email accessed. 14 million had that info plus potentially more biographical info accessed, including “username, gender, locale/language, relationship status, religion, hometown, self-reported current city, birthdate, device types used to access Facebook, education, work, the last 10 places they checked into or were tagged in, website, people or Pages they follow, and the 15 most recent searches”. The remaining 1 million users’ information wasn’t accessed.
Facebook’s other apps including Messenger, Messenger Kids, Instagram, WhatsApp, Workplace, and Pages, as well as its features for payments, third-party apps, advertisers, and developers were not accessed. Facebook says that law enforcement has asked it not to discuss evidence regarding who committed the attack as the FBI continues its investigation.
Facebook says the breach started when hackers with some access tokens exploited a combination of three bugs related to its “View As” privacy feature for seeing your profile from the perspective of someone else. This let them gain access to those accounts’ friends, leading them to steal access tokens for 400,000 accounts, and they then used a different method to grab tokens from 30 million of those accounts’ friends.
Unlike most breaches, this one appears to have turned out to be less severe than initially expected. Users seem to already be forgetting about the breach after a short hiccup where they had to log back in to Facebook. It’s possible that this could impact Facebook’s user counts slightly in its Q3 earnings report. But unless a truly nefarious use case for the accessed data is revealed, the breach could fade into the noise of non-stop cybersecurity failures across the web, including Google+’s breach that was covered up and has now prompted the Facebook competitor’s shutdown.