In late September 2018, Facebook confirmed that a major security breach affected the social network and upwards of 50 million accounts.
Now, weeks later, Facebook has published another update on the matter, lowering the number of accounts affected by the breach and explaining at length that it not only patched the vulnerability but continues to investigate what happened in order to prevent a repeat. To start, Facebook now says that only “30 million accounts actually had their tokens stolen”. The tokens in question are access tokens, the credentials that keep a user logged in; whoever holds one can use the account without knowing its password, which is why the count of stolen tokens is the figure that matters here.
The public post breaks down what happened. The attackers started with a set of accounts they already controlled, then used the friends lists of those accounts to move from one account to the next, stealing access tokens as they went. This automated technique let the attackers harvest tokens for upwards of 400,000 separate accounts. As a side effect, it also loaded each of those accounts’ profile pages as the owner would see them, including timeline posts, friends lists, Groups, and the names of recent Messenger conversations:
“In the process, however, this technique automatically loaded those accounts’ Facebook profiles, mirroring what these 400,000 people would have seen when looking at their own profiles. That includes posts on their timelines, their lists of friends, Groups they are members of, and the names of recent Messenger conversations. Message content was not available to the attackers, with one exception. If a person in this group was a Page admin whose Page had received a message from someone on Facebook, the content of that message was available to the attackers.”
Facebook says access to those 400,000 accounts then let the attackers steal tokens for up to 30 million accounts on the social network. That number is still remarkably high, but it is down from the 50 million Facebook originally stated back in September. Here’s the most important bit, though:
“For 15 million people, attackers accessed two sets of information – name and contact details (phone number, email, or both, depending on what people had on their profiles). For 14 million people, the attackers accessed the same two sets of information, as well as other details people had on their profiles. This included username, gender, locale/language, relationship status, religion, hometown, self-reported current city, birthdate, device types used to access Facebook, education, work, the last 10 places they checked into or were tagged in, website, people or Pages they follow, and the 15 most recent searches. For 1 million people, the attackers did not access any information.”
Facebook says that if you want to see whether your account was affected, you can visit the social network’s Help Center through this link. The platform will also send personalized messages to individuals who had their tokens stolen, explaining what information from their accounts might have been accessed.
Finally, Facebook says it is not ruling out “smaller-scale attacks” at this point, and that it is still investigating:
“This attack did not include Messenger, Messenger Kids, Instagram, WhatsApp, Oculus, Workplace, Pages, payments, third-party apps, or advertising or developer accounts. As we look for other ways the people behind this attack used Facebook, as well as the possibility of smaller-scale attacks, we’ll continue to cooperate with the FBI, the US Federal Trade Commission, Irish Data Protection Commission, and other authorities.”
So, that’s a pretty lengthy update, but it should be par for the course as this situation develops. It’s good that Facebook is still working out the details and explaining what it discovers to those interested in keeping up with what’s going on, at least.
[via Facebook Newsroom]