The data breach that rocked Facebook is not exactly new: the first announcement dates back to 28 September 2018. Over the following weeks, new information was released, new facts were uncovered and old statistics were updated. Now it is time to sift through the noise and summarize everything you should know about the Facebook breach.
What exactly happened?
Avid users of Facebook will be familiar with its “View As” feature, which lets people see what their own profile looks like to someone else. Attackers exploited a bug in this feature that allowed them to steal Facebook access tokens, which could later be used to take over other people’s accounts. What are access tokens, you may wonder? They are the equivalent of digital keys that keep people logged in to Facebook so they don’t need to re-enter their password every time they use the platform.
How did Facebook react?
Facebook claims to have identified the issue on September 25 2018, at which point an investigation began. The “View As” feature was turned off for the duration of the investigation. At this point the company said that 50 million users were affected, and their access tokens were reset. A further 40 million users whose accounts had been subject to a “View As” look-up in the last year received the same access token reset as a precaution. In total, about 90 million users were forcibly logged out of their accounts.
Who carried out the attack?
Facebook is collaborating with the FBI to investigate who did it. As of now, the public has been left in the dark.
What attack tactic was used?
The attackers already controlled a set of accounts, which were connected to other Facebook users as friends. They used an automated technique to move from account to account, stealing the access tokens of those friends, then of the friends of those friends, and so on, reaching about 400,000 people. In the process, this technique automatically loaded those accounts’ Facebook profiles, mirroring what these 400,000 people would have seen when looking at their own profiles. That included posts on their timelines, their lists of friends, the groups they are members of, and the names of recent Messenger conversations. The attackers then used a portion of these 400,000 people’s friend lists to steal access tokens for about 30 million people.
How many users were affected?
In the initial stages, Facebook claimed 90 million users were affected: 50 million with stolen access tokens and 40 million whose accounts had been subject to a “View As” look-up. Later on, Facebook backpedaled and revealed that only 30 million had actually had their access tokens stolen.
Of those 30 million, the information accessed was distributed as follows:
For 15 million people, the attackers accessed name and contact details. Contact details means phone number, email, or both, depending on what people had on their profiles.
For 14 million people, the attackers accessed the name and contact details, as well as other details people had on their profiles. This included username, gender, locale/language, relationship status, religion, hometown, self-reported current city, birthdate, device types used to access Facebook, education, work, the last 10 places they checked into or were tagged in, website, people or Pages they follow, and the 15 most recent searches.
For 1 million people, the attackers did not access any information.
How can you know if you were affected?
Check Facebook’s help center to see if your data was exposed. The company also plans to contact anyone who may have lost data, offering advice on dealing with things like suspicious e-mails.
What should you do?
About 90 million users were forcibly logged out of their accounts. If you were one of them, you will simply have to log in again. Changing your password as a precautionary measure is not necessary in this situation: the attackers stole access tokens, not passwords, and those tokens have already been reset.
What else?
For whatever consolation it offers, the company says its other apps and services, including Messenger, Messenger Kids, Instagram, WhatsApp, Oculus, Workplace, Pages, payments, third-party apps, and advertising and developer accounts, were not affected by this attack.