Facebook has issued an update following the breach last month that allowed attackers to access the ‘View As’ feature. According to the social networking giant, 30 million accounts were potentially accessed by hackers, rather than the 50 million figure originally stated.
In an update, Guy Rosen, Facebook’s VP of product management, said the firm had been “working around the clock” to investigate the security issue it discovered and fixed two weeks ago to help people understand the information attackers may have accessed.
Rosen said the firm has not ruled out the possibility of smaller-scale attacks, which it is continuing to investigate.
Facebook said it had seen an “unusual spike of activity” starting on September 14, 2018. After opening an investigation, the firm determined on September 25 that this was an attack. Once the social network identified the vulnerability, it stopped the attack and secured people’s accounts by resetting the access tokens of those who were potentially exposed, and it also turned off the ‘View As’ feature.
“We’re cooperating with the FBI, which is actively investigating and asked us not to discuss who may be behind this attack,” said Rosen.
How did the attack happen and who was affected?
The social network said attackers controlled a set of accounts, which were connected to Facebook friends. They used an automated technique to move from one account to another so they could steal the access tokens of those friends, and for friends of friends, totaling about 400,000 people.
But during the process, this technique automatically loaded those accounts’ Facebook profiles, mirroring what these 400,000 people would have seen when looking at their own page. It included posts on their timelines, lists of friends, groups they are members of, and the names of recent Messenger conversations.
Facebook claims that message content was not available to the attackers, with one exception: if a person in this group was a Page admin whose Page had received a message from someone on Facebook, the content of that message was available to the attackers.
The attackers used a portion of the 400,000 people’s friend lists to steal access tokens for about 30 million people. Of those, 15 million people had their names and contact details accessed. For another 14 million people, the attackers also accessed the username, gender, language, relationship status, religion, hometown, self-reported current city, birth date, device types used to access Facebook, education, work, the last 10 places they checked into or were tagged in, website, people or Pages followed, and the 15 most recent searches.
How do I know which category I fall into?
People can check whether they were affected by visiting the Facebook Help Center. Over the coming days, the social network will send customized messages to the 30 million people affected, explaining which information the attackers might have accessed and advising them of the steps they can take to protect themselves from suspicious emails, text messages, or calls.
What wasn’t impacted?
This attack did not include Messenger, Messenger Kids, Instagram, WhatsApp, Oculus, Workplace, Pages, payments, third-party apps, or advertising or developer accounts.
What are the implications?
Facebook has taken two weeks to reveal information relating to this massive breach. It did report the incident quickly, but the firm was slow to inform users about what to do next. It comes after Google admitted the information of Google Plus users was potentially exposed earlier this year. As people continue to entrust their data to technology firms, security needs to be razor sharp. As these incidents prove, more needs to be done to protect information and react quickly when the worst does happen.