Facebook published an update on the security breach it disclosed two weeks ago, which impacted millions of users.
The company lowered its estimate of affected users from 50 million to 30 million and also shared details of the attacks, which exploited a vulnerability in Facebook’s code that existed between July 2017 and September 2018.
“The vulnerability was the result of a complex interaction of three distinct software bugs and it impacted ‘View As,’ a feature that lets people see what their own profile looks like to someone else. It allowed attackers to steal Facebook access tokens, which they could then use to take over people’s accounts,” Facebook stated in the security update on Friday.
According to Facebook, the attackers first controlled a set of accounts that were connected to Facebook friends.
The attackers then “used an automated technique to move from account to account so they could steal the access tokens of those friends, and for friends of those friends, and so on, totaling about 400,000 people,” Facebook said.
The attackers then leveraged a portion of those 400,000 users’ friend lists to steal access tokens for about 30 million people.
The breakdown of what the attackers accessed:
- For 15 million people — name and contact details (i.e., phone number, email, or both, depending on what people had on their profiles).
- For 14 million people — the same two sets of data as above, in addition to other sensitive details people had on their profiles. This data included “username, gender, locale/language, relationship status, religion, hometown, self-reported current city, birthdate, device types used to access Facebook, education, work, the last 10 places they checked into or were tagged in, website, people or Pages they follow, and the 15 most recent searches.”
- For the remaining 1 million people — no information was accessed.
“We saw an unusual spike of activity that began on September 14, 2018, and we started an investigation,” Facebook said. On September 25, Facebook confirmed the activity was a cyber attack and identified the vulnerability being exploited.
Within two days of the discovery, Facebook closed the vulnerability, stopped the attack and reset the access tokens of users who were potentially exposed.
Facebook said it is continuing to work with the FBI to analyze and investigate the breach. Law enforcement has also asked the company not to disclose information on the possible attackers while the investigation continues.
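The detection that started Facebook's investigation was an unusual spike in activity on a single feature. As an added illustration of how such a spike surfaces in monitoring, the following example (not Facebook's code, nor anything from the update) runs a robust baseline check over a constructed series of daily event counts for a hypothetical `view_as_token_issued` event. The dates, counts, and the event name are assumptions chosen to mirror the timeline in the article; the technique is a trailing median/MAD baseline, which is less distorted by the first anomalous days than a mean/standard-deviation baseline would be.

```python
"""Spike detection over daily event counts with a trailing median/MAD baseline.

Added example. The series below is constructed for illustration: steady
counts of a hypothetical 'view_as_token_issued' event for Sept 1-13, 2018,
followed by a sharp rise from Sept 14 onward. None of it is real telemetry.
"""
from statistics import median

# Constructed daily counts (hypothetical event, hypothetical numbers).
DAILY_COUNTS = {
    "2018-09-01": 980,  "2018-09-02": 1015, "2018-09-03": 1002,
    "2018-09-04": 995,  "2018-09-05": 1030, "2018-09-06": 1008,
    "2018-09-07": 990,  "2018-09-08": 1012, "2018-09-09": 1001,
    "2018-09-10": 985,  "2018-09-11": 1020, "2018-09-12": 997,
    "2018-09-13": 1009,
    # onset of the constructed spike
    "2018-09-14": 4200, "2018-09-15": 6800, "2018-09-16": 7100,
    "2018-09-17": 6900, "2018-09-18": 7300, "2018-09-19": 7000,
    "2018-09-20": 7200,
}

# Scale factor that makes the MAD comparable to a standard deviation for
# normally distributed data.
MAD_TO_SIGMA = 1.4826


def mad(values, center):
    """Median absolute deviation of `values` around `center`."""
    return median(abs(v - center) for v in values)


def detect_spikes(series, window=7, threshold=6.0):
    """Flag days whose count is far above the preceding `window` days.

    For each day, the baseline is the median of the prior `window` counts and
    the spread is the scaled MAD of those same counts. A day is flagged when
    (count - median) / spread exceeds `threshold`. Returns a list of
    (date, count, score) tuples in date order.
    """
    dates = sorted(series)
    alerts = []
    for i in range(window, len(dates)):
        baseline = [series[d] for d in dates[i - window:i]]
        center = median(baseline)
        # Guard against a flat baseline (MAD of 0) dividing by zero.
        spread = MAD_TO_SIGMA * mad(baseline, center) or 1.0
        score = (series[dates[i]] - center) / spread
        if score > threshold:
            alerts.append((dates[i], series[dates[i]], round(score, 1)))
    return alerts


def first_alert_date(series, **kwargs):
    """Date on which the spike first crosses the threshold, or None."""
    alerts = detect_spikes(series, **kwargs)
    return alerts[0][0] if alerts else None


if __name__ == "__main__":
    for date, count, score in detect_spikes(DAILY_COUNTS):
        print(f"{date}: count={count} score={score}")
    print("first alert:", first_alert_date(DAILY_COUNTS))
```

On the constructed data the first alert fires on 2018-09-14, the onset day. Note the caveat built into a trailing baseline: once several spike days enter the window, the median itself rises and the later, equally anomalous days stop alerting. The onset alert is therefore the one that must be acted on; a frozen or longer baseline is needed if the goal is to keep flagging a sustained elevated level.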
Facebook users can check whether they were impacted by the breach by visiting the Facebook Help Center.