Facebook has revealed 30m accounts were affected in a data breach last month. The company said hackers were able to access personal information for nearly half of those accounts.
That information included name, relationship status, religion, birthdate, workplaces, search activity, and recent location check-ins. The company had initially said 50m accounts were affected.
According to Facebook VP of Product Management Guy Rosen, attackers were able to access name and contact information for half of the hacked accounts. For 14m, the attackers were also able to scrape virtually all the other data available on members’ profile pages. One million victims got away without any information being stolen.
Rosen says the attackers did not access any credit card information associated with members’ accounts, and that the company has not received any reports of stolen information being available on the dark web – portions of the internet requiring special software to reach.
The social network also found no evidence that attackers used the stolen tokens to access any third-party apps, including those that use Facebook Login to sign users in. The breach also did not affect accounts on other Facebook properties such as Messenger, Instagram, WhatsApp, or Oculus.
Facebook plans to notify members over the next few days as to what information may have been taken, and alert them to be on the lookout for suspicious emails, text messages, or calls.
Asked whether Facebook would pay for some kind of identity theft monitoring service for affected users – as breached companies often do – a spokeswoman said: “Not at this time.”
The hackers began with a series of seed accounts and then attacked the accounts of those users' friends, then friends of friends, and so on, eventually amassing a group of 400,000 compromised accounts. Using some of these accounts, they managed to steal access tokens for an additional 30m before they were stopped.
Rosen says Facebook first noticed a spike in unusual activity on 14 September. By the 25th, it had identified that activity as an attack. Two days later, Facebook had plugged the hole and reset users’ tokens, preventing attackers from accessing any further information.
By then, the damage had already been done.
Upon request from the FBI, Facebook declined to offer any information as to who might be behind the attack, or whether users in specific regions were targeted.
Because the vulnerability has existed since July 2017, Facebook has not ruled out the possibility that smaller attacks on its token system went undetected before September. It is currently investigating.