While the number of victims is lower than previously thought, the data accessed for millions of them is more sensitive than originally believed
Facebook has disclosed that 30 million people had their Facebook access tokens swiped in the breach uncovered and disclosed in late September.
Of the total, 29 million also had at least some of their profile data swiped. The remaining one million users had their access tokens stolen, but their personal information was not accessed, according to the latest update by Facebook’s vice president of product management Guy Rosen.
The latest toll is down from 50 million users who were initially thought to be the victims of a security incident in which attackers exploited three bugs in Facebook’s code to steal the users‘ access tokens. Another 40 million were deemed to be at risk, prompting the social network to force a total of 90 million users to log out by revoking their access tokens.
Rosen shared some additional details concerning the type of information lifted: “For 15 million people, attackers accessed two sets of information – name and contact details (phone number, email, or both, depending on what people had on their profiles). For 14 million people, the attackers accessed the same two sets of information, as well as other details people had on their profiles”.
This is where it gets especially disconcerting, however, as the data lifted for the 14 million people is rather detailed and diverse.
It includes “username, gender, locale/language, relationship status, religion, hometown, self-reported current city, birthdate, device types used to access Facebook, education, work, the last 10 places they checked into or were tagged in, website, people or Pages they follow, and the 15 most recent searches”.
This is the kind of information that, among other things, can be used by miscreants for a variety of targeted schemes.
As to how the data was stolen, Rosen said that the as-yet unknown attackers used an automated program that moved from one friend to the next over and over again. Using a set of accounts under their control as a launch pad, the attackers leveraged three interconnected bugs in the network’s “View As” feature in order to lift the tokens for the friends of the controlled accounts, as well as for the friends’ friends and so on, “totaling about 400,000 people”. Ultimately, only a portion of the 400,000 users’ lists of friends was enough to plunder access tokens for 30 million people.
Facebook users can check if their data was stolen by visiting this section of the network’s Help Center. Facebook also said that it will notify the victims of the types of information on their profiles, if any, were affected by the incident.
Messenger, Messenger Kids, Instagram, WhatsApp, or third-party apps were not impacted.