Facebook has put out more details about the data breach in which attackers exploited a vulnerability that had been in its code since July 2017 and was discovered in September 2018. The breach is, in one respect, worse than previously thought. Facebook now says that fewer users were affected than first estimated (30 million rather than 50 million had their access tokens stolen, starting from about 400,000 accounts that were attacked directly), but the new revelation is that the attackers accessed the name and contact details of 15 million of those 30 million, and everything from gender to relationship status for another 14 million. Just 1 million of the 30 million had their tokens taken but none of their data accessed. Facebook says that “Messenger, Messenger Kids, Instagram, WhatsApp, Oculus, Workplace, Pages, payments, third-party apps, or advertising or developer accounts” were not affected.
How it happened
In a press call, Guy Rosen, Facebook’s VP of Product Management, said the attackers “moved from account to account using an automated script collecting tokens, repeatedly exploiting the vulnerability using access tokens for about 400,000 people”. The attackers then used the friends lists they collected to “eventually steal access tokens for about 30 million people”. In other words, the attackers first used the vulnerability in the “View As” feature directly against about 400,000 accounts. Starting from those accounts, they moved on to their friends, then to their friends’ friends, and so on, stealing an access token at each step, Rosen explained.
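The chained harvest Rosen describes is a breadth-first walk over the friend graph in which every stolen token is used to steal its owner’s friends’ tokens. The following Python is an added illustration, not Facebook’s code or anything published by Facebook: the friend graph, account names, signing key and token format are constructed for the example, and the View As behaviour is an assumed, simplified model in which the vulnerable preview hands back a token that acts as the account being viewed as, while the fixed version only ever returns a token bound to the authenticated viewer. Running the harvest against both shows why the first lets a few seed accounts expand to the whole connected graph and the second cannot expand at all.

```python
"""Model of a chained access-token harvest over a friend graph.

Added example, not Facebook code. Graph, names, key and token format are
constructed for illustration. The View As mechanics are an ASSUMED model:
the vulnerable variant mints a token for the *viewed* account, the fixed
variant mints one for the *viewer* only.
"""
from collections import deque
from typing import Dict, Optional, Set, Tuple
import hashlib
import hmac
import secrets

SERVER_KEY = secrets.token_bytes(32)  # constructed; a real service keeps this in a KMS/HSM


def mint_token(subject: str) -> str:
    """Signed bearer token that lets the holder act as `subject`."""
    tag = hmac.new(SERVER_KEY, subject.encode(), hashlib.sha256).hexdigest()[:16]
    return f"{subject}.{tag}"


def token_subject(token: str) -> Optional[str]:
    """Return the account a token acts as, or None if the signature is bad."""
    subject, _, tag = token.rpartition(".")
    expected = hmac.new(SERVER_KEY, subject.encode(), hashlib.sha256).hexdigest()[:16]
    return subject if hmac.compare_digest(tag, expected) else None


def friends_of(graph: Dict[str, Set[str]], token: str) -> Set[str]:
    """The friends list is visible to whoever the token acts as."""
    subj = token_subject(token)
    return graph.get(subj, set()) if subj else set()


def view_as_vulnerable(graph, viewer_token: str, target: str) -> Optional[str]:
    """Assumed bug model: the preview mints a token for `target`, the person being viewed as."""
    viewer = token_subject(viewer_token)
    if viewer is None or target not in graph.get(viewer, set()):
        return None
    return mint_token(target)  # wrong principal: token acts as the friend


def view_as_fixed(graph, viewer_token: str, target: str) -> Optional[str]:
    """Hardened model: whatever is being previewed, the token stays bound to the viewer."""
    viewer = token_subject(viewer_token)
    if viewer is None or target not in graph.get(viewer, set()):
        return None
    return mint_token(viewer)


def harvest(graph, seed_tokens, view_as, max_hops=None) -> Tuple[Dict[str, str], Dict[str, int]]:
    """BFS: each owned token is used to request tokens for the owner's friends.

    Returns (account -> token) for every account reached and (account -> hop count).
    """
    owned: Dict[str, str] = {}
    hops: Dict[str, int] = {}
    queue = deque()
    for tok in seed_tokens:
        subj = token_subject(tok)
        if subj and subj not in owned:
            owned[subj], hops[subj] = tok, 0
            queue.append(subj)
    while queue:
        acct = queue.popleft()
        if max_hops is not None and hops[acct] >= max_hops:
            continue
        for friend in friends_of(graph, owned[acct]):
            if friend in owned:
                continue
            tok = view_as(graph, owned[acct], friend)
            if tok is None or token_subject(tok) != friend:
                continue  # token does not act as the friend: no new account gained
            owned[friend], hops[friend] = tok, hops[acct] + 1
            queue.append(friend)
    return owned, hops


def sample_graph() -> Dict[str, Set[str]]:
    """Constructed graph: a0..a9 each befriend the next two accounts; x is isolated."""
    accounts = [f"a{i}" for i in range(10)]
    g: Dict[str, Set[str]] = {a: set() for a in accounts}
    for i in range(10):
        for j in (i + 1, i + 2):
            if j < 10:
                g[accounts[i]].add(accounts[j])
                g[accounts[j]].add(accounts[i])
    g["x"] = set()
    return g


def demo() -> Tuple[int, int, int]:
    """(accounts reached via the bug, deepest hop, accounts reached with the fix)."""
    g = sample_graph()
    seeds = [mint_token("a0")]  # one directly compromised account
    vuln_owned, hops = harvest(g, seeds, view_as_vulnerable)
    fixed_owned, _ = harvest(g, seeds, view_as_fixed)
    return len(vuln_owned), max(hops.values()), len(fixed_owned)


if __name__ == "__main__":
    print(demo())
```

The check that matters for defenders is the one inside `harvest`: a stolen token is only useful for expansion if it acts as someone other than the account that requested it, so a server that always mints tokens for the authenticated session principal (as `view_as_fixed` does) reduces the same crawl to a single account, and a `max_hops`-style limit on the client side would not have helped since the attackers ran the script themselves.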
What was compromised
-With a stolen token, the attackers could see “things like posts on their Timelines, their list of Friends, Groups they’re members of, and the names of some recent Messenger conversations”. Facebook says message content was not available to the attackers, with one exception: if the person was the admin of a Page that had received a message from someone on Facebook, the content of that message was accessible.
-15 million people had their name and contact details stolen: phone numbers, e-mail addresses or both, depending on what they had on their profiles.
-Another 14 million had, in addition to name and contact details, further profile details stolen, such as “gender, relationship status, their birth date, recent searches, and the last 10 places the person had checked into or were tagged in”.
What to do
Facebook is sending customised messages to the 30 million affected users explaining what was accessed and suggesting steps to protect themselves. Users can also check on the Facebook Help Center whether they were affected and what information may have been accessed. Rosen reiterates that the affected accounts “have already been secured” by the access-token reset Facebook carried out two weeks ago, which invalidated the stolen tokens and logged those users out. So no one needs to log out again or change their password.
The remaining risk is the data itself, which cannot be reset the way a token can: names, contact details, recent searches and check-in locations are exactly what a targeted phishing e-mail, text message or phone call needs to look legitimate. Users should be wary of unexpected messages or calls that seem to know these details, and should not treat such knowledge as proof that a contact is genuine.