Last month, Facebook revealed that the accounts of nearly 50 million users had been breached in another security incident at the social network. The company has announced Friday further details about the attack that exploited this vulnerability.
Facebook previously said, the attackers exploited a vulnerability in Facebook’s code that existed between July 2017 and September 2018. The vulnerability was the result of a complex interaction of three distinct software bugs and it impacted “View As,” a feature that lets people see what their own profile looks like to someone else. It allowed attackers to steal Facebook access tokens, which they could then use to take over people’s accounts. Access tokens are the equivalent of digital keys that keep people logged in to Facebook so they don’t need to re-enter their password every time they use the app.
Facebook state that “only” 30 million users had their tokens stolen,
We now know that fewer people were impacted than we originally thought. Of the 50 million people whose access tokens we believed were affected, about 30 million actually had their tokens stolen.
According to Facebook, here’s how it happened:
“First, the attackers already controlled a set of accounts, which were connected to Facebook friends. They used an automated technique to move from account to account so they could steal the access tokens of those friends, and for friends of those friends, and so on, totaling about 400,000 people. In the process, however, this technique automatically loaded those accounts’ Facebook profiles, mirroring what these 400,000 people would have seen when looking at their own profiles. That includes posts on their timelines, their lists of friends, Groups they are members of, and the names of recent Messenger conversations. Message content was not available to the attackers, with one exception. If a person in this group was a Page admin whose Page had received a message from someone on Facebook, the content of that message was available to the attackers.”
“The attackers used a portion of these 400,000 people’s lists of friends to steal access tokens for about 30 million people. For 15 million people, attackers accessed two sets of information – name and contact details (phone number, email, or both, depending on what people had on their profiles). For 14 million people, the attackers accessed the same two sets of information, as well as other details people had on their profiles. This included username, gender, locale/language, relationship status, religion, hometown, self-reported current city, birthdate, device types used to access Facebook, education, work, the last 10 places they checked into or were tagged in, website, people or Pages they follow, and the 15 most recent searches. For 1 million people, the attackers did not access any information.”
Users can visit here to find out if they have been directly affected.
Unlike other major hacks involving big companies, Facebook said Friday it had no plans to provide protection services for concerned users.
For the most severely impacted users – a group of around 14 million, Facebook said – the stolen date included “username, gender, locale/language, relationship status, religion, hometown, self-reported current city, birthdate, device types used to access Facebook, education, work, the last 10 places they checked into or were tagged in, website, people or pages they follow, and the 15 most recent searches”.
In Europe, the hack means Facebook faces a potential fine of up to $1.63bn (£1.25bn), approximately 4% of its annual global revenue. The breach is being seen as the first major test of the new General Data Protection Regulation (GDPR) which came into force in May.
The Irish Data Protection Commission wrote Friday.
“Today’s update from Facebook is significant now that it is confirmed that the data of millions of users was taken by the perpetrators of the attack,”
“[The] investigation into the breach and Facebook’s compliance with its obligations under GDPR continues.”