Facebook revealed that a previously announced security breach on its platform had a wide impact for some users, and it confirmed that the hack compromised personal and contact information. The company said the FBI is actively investigating the hack and asked Facebook not to disclose any potential culprits.
The attack, detected in late September, exposed some users’ emails and phone numbers, as well as profile information including gender, location, birth date, and recent search history. In a blog post on Friday, Facebook did not apologize for exposing its users’ information but noted that it was cooperating with the FBI, the US Federal Trade Commission, the Irish Data Protection Commission, and other authorities on the issue.
The attack involved the capturing of Facebook “access tokens,” or digital keys that allow websites to recognize who someone is and keep them logged in. Using accounts they already controlled, the attackers used an “automated technique” to exploit Facebook’s “View As” functionality and steal access tokens for some 400,000 people. Hackers than used friend lists from a portion of those 400,000 affected accounts to obtain access tokens for another 30 million people. (Here’s how to find out if you were hacked.)
“For 15 million people, attackers accessed two sets of information – name and contact details (phone number, email, or both, depending on what people had on their profiles),” the company said in its release. “For 14 million people, the attackers accessed the same two sets of information, as well as other details people had on their profiles. This included username, gender, locale/language, relationship status, religion, hometown, self-reported current city, birthdate, device types used to access Facebook, education, work, the last 10 places they checked into or were tagged in, website, people or Pages they follow, and the 15 most recent searches.”
The company said for about a million people, attackers did not access any information.
An FBI spokesperson acknowledged that the agency had been in touch with Facebook, but declined comment.
When Facebook first announced the breach last month, it noted that 50 million accounts had been affected, but that it was unclear what those accounts were used for or what exact information had been accessed. Facebook also said in its initial statement that it was investigating whether an additional 40 million accounts had been affected. While it pared that number down on Friday, the company revealed that a wide swath of information was available to attackers of affected accounts, including private messages in specific cases.
“Message content was not available to the attackers, with one exception,” Facebook said in its blog post. “If a person in this group was a Page admin whose Page had received a message from someone on Facebook, the content of that message was available to the attackers.”
In a call with reporters on Friday, the company did little to divulge anything beyond its blog post, citing the ongoing FBI investigation. Guy Rosen, vice president of product management, noted that affected users would be notified through the platform in the coming days, and that the company would find ways to contact those who had their personal information compromised and had already deleted their accounts.
For the time being, Facebook also shut down the “View As” functionality, which allowed users to see how their profiles appeared to other accounts. Facebook confirmed that the attack did not affect Messenger, Messenger Kids, Instagram, WhatsApp, Oculus, Workplace, Pages, payments, third-party apps, or advertising or developer accounts.