Two weeks back, Facebook said it had discovered a data breach affecting 50 million users and had informed local law enforcement.
Here’s a recap:
- There was a loophole in Facebook’s code for a feature called “View As” that lets people see what their account looks like to someone else.
- This allowed the hackers to steal access tokens – digital keys that keep people logged into Facebook so they don’t need to re-enter passwords.
- The hack affected all apps that use Facebook to sign in.
At the time, Facebook still did NOT know whether any personal information was gathered or misused from those accounts.
Now, two weeks later:
There’s new information.
First, a few clarifications:
- The hack actually affected 30 million people – NOT 50 million as originally stated.
- No third-party apps were breached as part of this attack. There had been concerns about whether hackers could access outside apps that use Facebook login credentials, but that turns out not to have been the case, says Facebook.
Second, more clarity:
This is the bad part.
Of the 30 million people hacked, only 1 million remained immune to the hackers’ data prying.
The worst: About 400,000 people served as the hackers’ entry point to the 30 million others on Facebook. For those 400,000, the attackers could see what the users see as they look at their own profiles. That included posts on their Facebook timelines and names of recent Facebook Messenger conversations.
The worse: Hackers accessed intimate information from about 14 million accounts, such as the last ten places the account holder checked into, their current city and their 15 most recent searches.
The bad: For the other 15 million, the cyberthieves only accessed name and contact information.
It’s not over yet
The attackers wrote computer code that crawled the compromised pages and copied information, a technique known as “scraping”. That could leave victims vulnerable to further fraud attempts if the hackers still have their contact information and personal details.
Facebook did not reveal whether there was any specific group targeted by the hackers, the geographic location of the victims, or any potential motive. Facebook said the Federal Bureau of Investigation is investigating and asked for some details to remain confidential.