Facebook's recent breach compromises 30m accounts' personal data

Gladys Abbott
October 14, 2018

Rosen said Facebook is cooperating with the ongoing FBI investigation into the breach, but would not give any details on who the hackers were or where they were based.

And in addition to saying the breach ultimately affected about 30 million users instead of the 50 million it first reported, Facebook said the hack started among 400,000 people closest to the attackers. The contact information included a mix of phone numbers and email addresses.

On Friday, Facebook said the hackers used friends lists of about 400,000 people to steal access tokens for 30 million individuals.

Rosen said that other Facebook services like Instagram, Oculus, WhatsApp, or Workplace were not impacted by the attack, nor were third-party apps that allow people to use their Facebook accounts to log in. While they procured access tokens for another one million Facebook users, the hackers did not steal any data in this case. Hackers got even more data from 14 million of them, such as hometown, birthdate, the last 10 places they checked into, or the 15 most recent searches.

Earlier, Facebook had said that a security breach had affected the accounts of as many as 50 million people. Facebook says that it isn't sure whether other, "smaller-scale attacks" are involved with this breach.

These access tokens are like digital keys that keep people logged in to Facebook so they don't need to re-enter their password every time they use Facebook.

"For 14 million people, the attackers accessed the same two sets of information, as well as other details people had on their profiles." The vulnerability enabled the attackers to get an access token for Tom's account as well, and the attack spread from there.

It will also provide information specific to your account if you're logged into Facebook.

This action triggered a massive traffic spike, which Facebook engineers detected on September 16. Following investigations into the source of the traffic, they concluded on September 26 that it was a coordinated attack, patched the View As vulnerability on September 27, and went public with the breach on September 28. Scroll down to a light blue box with the title "Is my Facebook account impacted by this security issue?". On Thursday, Facebook disclosed that it had removed hundreds of accounts and pages used to spread disinformation in the United States.

Additionally, Facebook advises people to be wary of unwanted phone calls, text messages and emails.

The combination of three separate software bugs allowed the miscreants to misuse Facebook's View As feature - which lets users see their accounts as someone else would - to steal the access tokens associated with the viewed account.

The remaining one million whose tokens were stolen lost no data, Mr Rosen said.

"This doesn't sound very targeted at all", he said.

This sort of personal detail can help identity thieves accomplish hacks for years into the future.
