Last month Facebook discovered and patched a vulnerability that affected 50 million accounts on the social networking website, and its latest investigation reveals that 30 million of them were hacked.
The vulnerability, which had existed for 14 months, was discovered by Facebook on September 25 and fixed within the next two days by resetting the access tokens of a total of 90 million user accounts.
The unfortunate series of events and information stolen
“We saw an unusual spike of activity that began on September 14, 2018, and we started an investigation. On September 25, we determined this was actually an attack and identified the vulnerability,” Guy Rosen, VP of Product Management stated.
The company says that about 30 million accounts were affected. The attackers used an automated technique to steal the access tokens of accounts connected to the accounts they already controlled.
The attackers stole the access tokens of friends, then of friends of those friends, and so on. The automated technique loaded each account's Facebook profile as its owner would see it.
The information accessed included posts on the profile's timeline, the list of friends, the groups the user was a member of, and the names of recent Messenger conversations.
None of the message content was available to the attackers, with one exception: if the attacked profile was a Page admin, the content of messages received by that Page was also available.
The first attack stole information from about 400,000 user profiles, and from their friend lists the attackers were able to obtain access tokens for about 30 million accounts.
Out of those 30 million, the attackers accessed name and contact details (including phone number and email) of 15 million people.
For 14 million of those people, the attackers also accessed username, gender, relationship status, region, language, education, hometown, current city, religion, birthdate, work, the last 10 places they checked into or were tagged in, their 15 most recent searches, the device types used to access Facebook, and the Pages they followed.
For 1 million out of the 30 million, no information was accessed.
How to check if your data was stolen?
Facebook will be sending customised messages to the 30 million people who were affected, explaining what information the attackers might have accessed from their account. The messages will also lay out steps to better protect themselves. You can also check whether you were affected by visiting the Facebook Help Center.
Facebook will be notifying you with one of the following three messages.
The company also mentions that these attacks only affected Facebook users directly and did not affect profiles on Messenger, Messenger Kids, Instagram, WhatsApp, Oculus, Workplace, Pages, payments, third-party apps, or advertising and developer accounts.
The breach is currently being investigated by the FBI, which has directed Facebook not to disclose the identity of the attackers.
Facebook needs to take user security and privacy seriously
The information leaked, especially for the 14 million people (as disclosed by the company), is a serious matter and shouldn't be taken lightly.
While the magnitude of the attack might be dwarfed by the total number of users of the social networking platform, its dwindling popularity might take another hit. And that might be for the better because until Facebook can take up the responsibility to protect the data of its two billion-plus users more seriously — including from their own vested interest — it might just go the MySpace way.
Writes news mostly and edits almost everything at Candid.Technology. He loves taking trips on his bikes or chugging beers as Manchester United battle rivals.
Contact Prayank via email: [email protected]