Today, Facebook gave users an update on a recent data breach that allowed hackers to steal users’ access tokens — the tokens that allow users to log in to Facebook.
Facebook now says that 30 million users had their access tokens stolen — initially, Facebook said that up to 50 million users could have been affected, with another 40 million “at risk.” 15 million users had their name, email, and/or phone number stolen. For 14 million users, the hackers also accessed details like their gender, language, relationship status, device types used to access Facebook, places they checked into, and recent searches — all depending on what that person had displayed on their profile and what they used Facebook to do.
Users can check if they were affected by logging into the Help Center. Facebook also said it will send customized messages to the 30 million people affected in the “coming days,” explaining what the hackers specifically accessed, and how to protect themselves from any suspicious emails or calls that might result from this information being stolen.
At the end of September, Facebook revealed that it had found a flaw in its “view as” feature, which allows users to see what their profile looks like to others. That flaw — which existed between July 2017 and September 2018 — allowed hackers to post and view information from that Facebook account as if they were that person.
Facebook said that it first noticed a spike in the number of people using the “view as” feature on September 14. On September 25, it determined that it was hackers exploiting a vulnerability, and shut down that vulnerability two days later. Facebook then had to reset the access tokens for 90 million users.
VP of product management Guy Rosen gave more details today on how the hackers were able to access these accounts.
“First, the attackers already controlled a set of accounts, which were connected to Facebook friends,” Rosen wrote in a blog post. “They used an automated technique to move from account to account so they could steal the access tokens of those friends, and for friends of those friends, and so on, totaling about 400,000 people. In the process, however, this technique automatically loaded those accounts’ Facebook profiles, mirroring what these 400,000 people would have seen when looking at their own profile … the attackers used a portion of these 400,000 people’s lists of friends to steal access tokens for about 30 million people.”
In theory, the hackers could have used the access tokens to log into other third-party sites that the affected users logged into using their Facebook account. However, Facebook said last week that it has not found evidence that hackers have done so.
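The two defender-side steps the article describes, spotting the spike in "view as" usage and then working out whose tokens to reset, can be sketched over a small constructed event log. This is an added illustration, not Facebook's code; the event tuples, account names and the 3-sigma spike rule are all assumptions made here.

```python
"""Constructed 'view as' event log: (day, viewer_account, viewed_account).
Step 1 flags the day where usage spikes far above the baseline of the other
days. Step 2 walks the chain from attacker-controlled seed accounts through
every profile viewed on that day, since each lookup minted a token for the
viewed profile, and returns the accounts whose tokens must be reset."""
from collections import Counter, defaultdict
from statistics import mean, pstdev

# Constructed sample events, not real Facebook data.
EVENTS = [
    ("09-10", "u1", "u2"), ("09-11", "u3", "u4"), ("09-12", "u5", "u6"),
    ("09-13", "u2", "u7"),
    # attacker-controlled accounts a1..a3 chaining through friends of friends:
    # once f1's token is stolen, "f1" becomes the viewer for the next hop.
    ("09-14", "a1", "f1"), ("09-14", "a1", "f2"), ("09-14", "a2", "f3"),
    ("09-14", "f1", "f4"), ("09-14", "f2", "f5"), ("09-14", "a3", "f6"),
    ("09-14", "f4", "f7"), ("09-14", "f6", "f8"),
]

def daily_counts(events):
    """Number of 'view as' lookups per day."""
    return Counter(day for day, _, _ in events)

def spike_days(counts, factor=3.0):
    """Days whose volume exceeds mean + factor * stdev of all other days."""
    flagged = []
    for day, n in counts.items():
        others = [v for d, v in counts.items() if d != day]
        if len(others) < 2:          # not enough history for a baseline
            continue
        if n > mean(others) + factor * pstdev(others):
            flagged.append(day)
    return sorted(flagged)

def exposed_accounts(events, day, seed_accounts):
    """Accounts whose profiles were viewed, directly or via stolen tokens,
    in a chain starting from the attacker-controlled seeds on `day`."""
    viewed_by = defaultdict(set)
    for d, viewer, viewed in events:
        if d == day:
            viewed_by[viewer].add(viewed)
    exposed, frontier = set(), set(seed_accounts)
    while frontier:
        acct = frontier.pop()
        for nxt in viewed_by[acct] - exposed:
            exposed.add(nxt)
            frontier.add(nxt)     # a stolen token enables the next hop
    return exposed

if __name__ == "__main__":
    counts = daily_counts(EVENTS)
    for day in spike_days(counts):
        print(day, counts[day], sorted(exposed_accounts(EVENTS, day, {"a1", "a2", "a3"})))
```

In the real incident the reset set was far wider than one day's chain (the article notes 90 million tokens were reset), so treat the day filter here as a simplification of the lookback window an incident team would actually choose.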
Rosen wrote that the “attack did not include Messenger, Messenger Kids, Instagram, WhatsApp, Oculus, Workplace, Pages, payments, third-party apps, or advertising or developer accounts.”
Facebook said that it’s cooperating with the FBI, the U.S. Federal Trade Commission, the Irish Data Protection Commission, and other groups as it continues investigating the attacks. Rosen said on a conference call with reporters that the “FBI is actively investigating [this] and asked us not to discuss who may have been behind these attacks.”