SAN FRANCISCO – Facebook says fewer accounts were breached than originally thought in one of the worst security incidents at the giant social network – 30 million instead of 50 million – but attackers made off with sensitive personal information from nearly half of those users such as phone number and email address, recent searches on Facebook, location history and the types of devices people used to access the service.
Hackers got their hands on data from 29 million accounts as part of last month’s attack, Facebook disclosed Friday. Facebook originally estimated that 50 million accounts could have been affected but the company didn’t know if they had been compromised. Attackers didn’t take any information from about 1 million people whose accounts were affected.
For about half of those whose accounts were broken into – some 14 million people – the hackers accessed extensive personal information such as the last 10 places each user checked into, their current city and their 15 most recent searches. For the other 15 million, hackers accessed name and contact details, according to Facebook.
Facebook users can check if their data was stolen by visiting the company’s Help Center. Facebook says it will advise affected users on how they can protect themselves from suspicious emails and other attempts to exploit the stolen data. Guy Rosen, Facebook’s vice president of product management, said the company hasn’t seen any evidence of attackers exploiting the stolen data or that it had been posted on the dark Web.
Third-party apps and Facebook apps such as Instagram and WhatsApp were not compromised, according to Facebook. Hackers were not able to access any private messages but messages received or exchanged by Facebook page administrators may have been exposed.
The latest disclosure, another in a series of security lapses that have shaken public confidence in Facebook, may intensify political heat on the company. An investigation is underway by the Irish Data Protection Commission and Rosen said Facebook is also cooperating with the Federal Trade Commission and other authorities.
The extent of the personal information compromised by attackers delivered a blow to the public relations campaign Facebook has been waging to convince the more than 2 billion people who regularly use the service that it’s serious about protecting their personal information after the Cambridge Analytica scandal and the unchecked spread of Russian propaganda during and after the 2016 presidential election.
Facebook said Friday it has “no reason to believe” the attack was related to the November midterm elections.
The culprits behind the massive hack have not been publicly identified. The FBI is actively investigating the hack and asked Facebook not to disclose any information about the potential perpetrators, Rosen said.
“They have asked us not to discuss who may be behind this attack,” he said. When they disclosed the breach two weeks ago, Facebook officials said they didn’t know who was behind the attacks.
After the accounts were compromised last month, more than 90 million users were forced to log out of their accounts as a security measure.
Facebook says attackers exploited a feature in its code that allowed them to commandeer users’ accounts. Those accounts included those of Facebook CEO Mark Zuckerberg and his second-in-command, Sheryl Sandberg.
Facebook estimated two weeks ago that nearly 50 million accounts were compromised. The attack began on Sept. 14. A spike in traffic triggered an internal investigation two days later. The breach was quickly discovered and fixed.
Facebook is already being investigated by the FTC and other agencies over revelations that political targeting firm Cambridge Analytica accessed the accounts of 87 million users without their consent.
“These companies have a staggering amount of information about Americans. Breaches don’t just violate our privacy, they create enormous risks for our economy and national security,” Federal Trade Commission Commissioner Rohit Chopra told USA TODAY last month. “The cost of inaction is growing and we need answers.”
The vulnerability was introduced in July 2017 when a feature was added that allows users to upload happy birthday videos.
Attackers exploited a vulnerability in Facebook’s code that affected “View As,” a feature that lets people see what their own profile looks like to someone else. The feature was built to give users more control over their privacy. Three software bugs in Facebook’s code connected to this feature allowed attackers to steal Facebook access tokens they could then use to take over people’s accounts.
These access tokens are like digital keys that keep people logged in to Facebook so they don’t need to re-enter their password every time they use Facebook.
Here’s how it worked: Once the attackers had access to a token for one account, call it Jane’s, they could then use “View As” to see what another account, say Tom’s, could see about Jane’s account. The vulnerability enabled the attackers to get an access token for Tom’s account as well, and the attack spread from there. Facebook said it has turned off the “View As” feature as a security precaution.
Last month, Facebook reset the tokens of nearly 50 million accounts that it believed were affected and, as a precaution, also reset the tokens for another 40 million accounts that had used “View As” in the past year. Resetting the tokens logged the affected Facebook users out of the service.
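A toy model of the flaw described above and of the token reset Facebook used in response, added here as an example; it is not Facebook’s code. The in-memory token service, the page-embedded “widget token” and the account names are assumptions made for the illustration.

```python
import secrets

# Constructed toy token service: a token authenticates exactly one account.
TOKENS = {}           # token -> account id
USED_VIEW_AS = set()  # accounts that used "View As" (for the precautionary reset)

def issue_token(user):
    """Mint an access token for `user`; only a real login should ever call this."""
    tok = secrets.token_hex(16)
    TOKENS[tok] = user
    return tok

def whoami(tok):
    return TOKENS.get(tok)

def render_profile(owner, viewer, token):
    # Assumed page model: the rendered profile embeds a token so page widgets
    # can call the API on behalf of the current session.
    return {"owner": owner, "viewer": viewer, "widget_token": token}

def view_as_vulnerable(session_tok, other):
    """Defect as modelled here: the preview is generated *as* `other`, so a
    real token for `other` is minted and embedded in the page sent to the caller.
    Anyone holding one valid token can thereby obtain tokens for other accounts."""
    me = whoami(session_tok)
    USED_VIEW_AS.add(me)
    return render_profile(me, other, issue_token(other))   # token leak

def view_as_fixed(session_tok, other):
    """Fix: impersonation is a read-only rendering context. The page keeps the
    caller's own session token and never mints a token for another account."""
    me = whoami(session_tok)
    USED_VIEW_AS.add(me)
    return render_profile(me, other, session_tok)

def preview_leaks_token(page, requester_tok):
    """Defender check: a preview must never carry a token that authenticates
    as anyone other than the requester."""
    return whoami(page["widget_token"]) != whoami(requester_tok)

def reset_tokens(affected):
    """Response from the article: revoke tokens of affected accounts and of
    every account that used View As, forcing those users to log in again."""
    targets = set(affected) | USED_VIEW_AS
    revoked = [t for t, u in TOKENS.items() if u in targets]
    for t in revoked:
        del TOKENS[t]
    return len(revoked)
```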
Source: https://www.usatoday.com/story/tech/2018/10/12/facebook-hack-update-30-million-users-personal-information-stolen/1614394002/