A major breach announced by Facebook last month affected 20 million fewer customers than at first predicted, but for 14 million unlucky users hackers managed to access virtually all their profile info.
The social network’s VP of product management, Guy Rosen, explained in an update on Friday that of the 50 million people whose access tokens were thought to be affected, 30 million actually had the tokens stolen.
“For 15 million people, attackers accessed two sets of information — name and contact details (phone number, email, or both, depending on what people had on their profiles),” he said.
“For 14 million people, the attackers accessed the same two sets of information, as well as other details people had on their profiles. This included username, gender, locale/language, relationship status, religion, hometown, self-reported current city, birthdate, device types used to access Facebook, education, work, the last 10 places they checked into or were tagged in, website, people or Pages they follow, and the 15 most recent searches. For one million people, the attackers did not access any information.”
So far, there’s no sign that the attackers accessed third-party apps, Messenger, Messenger Kids, Instagram, WhatsApp, Oculus, Workplace, Pages, payments, or advertising/developer accounts.
Rosen also gave more detail on exactly how the attackers carried out the attack.
According to Rosen, they “already controlled” a set of accounts and had developed an automated technique to move from one account to another, stealing access tokens for the friends of those accounts, then the friends of those friends, and so on.
By doing this, they obtained access tokens for around 400,000 users. Then “the attackers used a portion of these 400,000 people’s lists of friends to steal access tokens for about 30 million people,” said Rosen.
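The propagation Rosen describes is a breadth-first crawl of the friend graph: a seed account yields tokens for its friends, each of those yields tokens for its friends, and the reach grows with every hop. From a defender's side, the useful signal is that one starting point fans out into far more token grants, and far deeper chains, than normal use ever produces. The following is an added illustration, not code from the article or from Facebook; the event format (timestamp, the account acting, the account a token was minted for), the sample events and the thresholds are all constructed assumptions, since the article does not describe Facebook's logs.

```python
from collections import defaultdict, deque

# Constructed sample events (an assumption; the article gives no log format).
# Each tuple is (timestamp_seconds, acting_account, account_token_minted_for).
SAMPLE_EVENTS = [
    (100, "attacker_seed", "friend_a"),
    (101, "attacker_seed", "friend_b"),
    (102, "attacker_seed", "friend_c"),
    (103, "friend_a", "fof_1"),        # friend-of-friend hop
    (104, "friend_a", "fof_2"),
    (105, "friend_b", "fof_3"),
    (106, "fof_1", "fofof_1"),         # third hop
    (200, "ordinary_user", "ordinary_friend"),  # benign single grant
]


def fan_out(events):
    """Number of distinct accounts each actor obtained a token for."""
    out = defaultdict(set)
    for _, actor, target in events:
        out[actor].add(target)
    return {actor: len(targets) for actor, targets in out.items()}


def propagation_stats(events):
    """For each root actor (one that never received a token itself), count
    how many accounts are reachable through chains of token grants and how
    many hops the longest chain runs. Uses breadth-first search over the
    actor -> target edges, mirroring the hop-by-hop spread described above."""
    edges = defaultdict(set)
    targets = set()
    for _, actor, target in events:
        edges[actor].add(target)
        targets.add(target)

    stats = {}
    for root in edges:
        if root in targets:
            continue  # not a starting point; it was reached from elsewhere
        seen = {root}
        queue = deque([(root, 0)])
        max_hops = 0
        while queue:
            node, hops = queue.popleft()
            max_hops = max(max_hops, hops)
            for nxt in edges.get(node, ()):
                if nxt not in seen:
                    seen.add(nxt)
                    queue.append((nxt, hops + 1))
        stats[root] = {"reach": len(seen) - 1, "max_hops": max_hops}
    return stats


def flag_crawlers(events, max_reach=5, max_hops=1):
    """Roots whose grant chains reach more accounts, or run deeper, than the
    assumed thresholds. Returned sorted for stable output."""
    stats = propagation_stats(events)
    return sorted(
        root for root, s in stats.items()
        if s["reach"] > max_reach or s["max_hops"] > max_hops
    )


if __name__ == "__main__":
    for root, s in propagation_stats(SAMPLE_EVENTS).items():
        print(f"{root}: reach={s['reach']} max_hops={s['max_hops']}")
    print("flagged:", flag_crawlers(SAMPLE_EVENTS))
```

The thresholds here are placeholders; in a real deployment they would be tuned against the observed distribution of token grants per account and per time window, and the event stream would be bounded to a window so that a long-lived legitimate account is not scored on its whole history.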
Customized messages will be sent to those affected over the next few days with advice on how to protect themselves from follow-on scams. Users can also check here to see if they were affected.