Facebook said fewer users than it initially thought were exposed to hackers two weeks ago in the largest-ever security breach at the social-media giant—and the company detailed for the first time the extent of personal information that was accessed.
In a blog post Friday, Facebook said 30 million users had their access tokens stolen, as opposed to the original estimate of 50 million. The tokens are digital keys that keep people logged into the social-media site.
The company said hackers “exploited a vulnerability” in its computer code between July 2017 and September 2018. Facebook discovered the attack Sept. 25 and stopped it two days later.
“We now know that fewer people were impacted than we originally thought,” Guy Rosen, vice president of product management, said in the blog post.
Of the 30 million involved, Facebook said 14 million were the most affected. They had their names and contact details—including phone numbers and email addresses—accessed, along with such data as their gender and relationship status, as well as the last 10 places they checked into and 15 most recent searches. Fifteen million others had their names and contacts accessed. The attackers didn’t get any information from the million remaining users who were vulnerable in the security breach.
In some cases, it is possible private messages of users were compromised if they were acting as an administrator on any of the pages that were targeted, Mr. Rosen said. He said the breach didn’t affect Facebook’s Instagram, WhatsApp or Facebook Messenger units.
In a call with reporters Friday, Mr. Rosen declined to say who might have been behind the attack. He said the company is working with the Federal Bureau of Investigation and that the agency has asked Facebook not to discuss the identity of the perpetrators.
Facebook also declined to give a geographic breakdown of users who were affected.
It is not clear how the stolen data may have been used. Mr. Rosen said he hasn’t seen any evidence of the data on the “dark web”—a network of websites used by hackers and others to share information and where stolen information often changes hands.
Facebook’s security breach comes as the social network is still trying to win back the trust of its 2 billion users after a series of missteps in the last year. Earlier this year, the company said the data of millions of users was improperly shared with Cambridge Analytica, an analytics firm with ties to President Trump’s 2016 campaign.
Facebook on Friday gave more detail on how hackers were able to carry out the attack. It said they started with a smaller set of accounts that they controlled and were connected to Facebook friends. Then they moved from account to account through those friends, stealing the access tokens as they fanned out.
Facebook said it would be notifying the 30 million users whose accounts were affected, including those who may have since shut down their Facebook accounts.
Mr. Rosen said Facebook is “working around the clock” on the security breach and “we have not ruled out the possibility of smaller, lower level access attempts during the time of the exposure.”
Corrections & Amplifications: Facebook originally estimated that 50 million users were impacted by the cyberattack. An earlier version of this article incorrectly stated 50 billion. (Oct. 12)
Write to Kirsten Grind at [email protected]