Facebook Data Breach: Facebook’s latest data breach just got worse. The social network has put out more details about the attack which exploited a vulnerability in Facebook’s code between July 2017 and September 2018 impacting the view as feature that lets people preview how their profile appears for others. While Facebook claimed that fewer users — 30 million and not 50 million as originally thought — had their access tokens stolen by exploiting 400,000 accounts.
But if you thought that was good, comes the revelation that the attackers accessed name and contact details of 15 of the 30 million, and everything from gender to relationship status for another 14 million. Just 1 million of the 30 were lucky enough to not have any of their data compromised.
Facebook is already sending customised messages to the 30 million affected users to explain what has happened. It will also suggest steps to protect themselves. The only silver lining to this really dark cloud is that “Messenger, Messenger Kids, Instagram, WhatsApp, Oculus, Workplace, Pages, payments, third-party apps, or advertising or developer accounts” have not been affected by this specific attack.
Facebook is not releasing country-specific data on who has been affected where. All the company is saying is that they are taking it seriously and working with the FBI and other agencies to investigate.
In a press call, Guy Rosen, Facebook’s VP of Product Management, said the attackers “moved from account to account using an automated script collecting tokens, repeatedly exploiting the vulnerability using access tokens for about 400,000 people”. The attackers then used the list of friends they collected to “eventually steal access tokens for about 30 million people”.
So they accessed 400,000 accounts using the vulnerability in the View As feature. Starting with the accounts they controlled directly, the attackers moved to their friends and to their friends’ friends, and so forth — each time by stealing the access tokens, Rosen explained. “The 400,000 accounts are the ones where their script loaded the View As view that actually loads the Facebook profile for that person,” he said on the call.
Rosen said this will fall into three groups.
• As the attackers could use the vulnerability in View As they could see “things like posts on their Timelines, their list of Friends, Groups they’re members of, and the names of some recent Messenger conversations”. While Facebook claims the message content was not available to attackers, even this could have been seen if the person was Page admin and had received a message from someone. This is the first set of those hit.
• Then in the second set of users, 15 million people, had their name and contact details — phone numbers or e-mails, depending on what people had on their profiles — stolen.
• The third group, about 14 million people, had details like “gender, relationship status, their birth date, recent searches, and the last 10 places the person had checked into or were tagged in” stolen along with name and contact details like others.
Rosen reiterates that people’s accounts “have already been secured” by what Facebook did two weeks back when they prompted millions of users to reset the access tokens. So no one needs to log out again and no one needs to change their passwords. On the Facebook Help Center users can check if they have been affected and what information may have been accessed. They will get a customised message anyway. Additionally, Rosen said, Facebook has also built a tool “to enable developers to manually identify any users of their apps who may have been exposed, so that they can conduct their own investigations”.
The stolen data could be used to target phishing mails etc to you knowing your preferences. Users have to careful if suspicious e-mails or text messages or calls that could be using this information.