steven36 Posted October 12, 2018

Late last month, Facebook disclosed a massive security vulnerability that it claimed affected some 50 million login tokens, but details were somewhat thin on its impact pending further investigation. In a blog post today, the results are in some ways better and worse.

The company believes its initial estimate of 50 million compromised login tokens—it reset 90 million in total as a cautionary measure—was generous, and Facebook now believes the number of accounts impacted to be closer to 30 million. That’s the good news, if you can call it that.

For 400,000 of the accounts, which these attackers used to seed the process of gathering login tokens, personal information, such as “posts on their timelines, their lists of friends, Groups they are members of, and the names of recent Messenger conversations” and, in one instance, actual message content, was compromised. Of the 30 million ensnared in the attack, Facebook believes that for around half, names and contact information—meaning phone numbers, email addresses, or both—were visible to the attackers; 14 million of that pool had that same information scraped as well as myriad other personal details, which Facebook believes could contain any of the following:

Quote: username, gender, locale/language, relationship status, religion, hometown, self-reported current city, birthdate, device types used to access Facebook, education, work, the last 10 places they checked into or were tagged in, website, people or Pages they follow, and the 15 most recent searches

Facebook believes only 1 million of the total compromised accounts had no personal information accessed whatsoever. Beginning with a set of accounts controlled by the attackers, the exploit jumped from friends of those users to friends of friends, ballooning to the eventual total of 30 million accounts via an automated script.
Facebook reaffirmed that third-party apps were not accessed using the stolen tokens, and that the vulnerability did not affect other services the company owns, like WhatsApp or Instagram. The vulnerability had existed in Facebook’s code since July of 2017, and resulted in “an unusual spike of activity” on September 14 of this year. It would be almost two weeks before the activity was determined to be a legitimate attack and the exploit was patched.

Facebook is working alongside the FBI, and according to remarks by Vice President of Product Management Guy Rosen this afternoon, the agency’s investigation appears to be ongoing. When asked if any pattern exists among the victims or who might have been behind the attack, Facebook cited an FBI request not to disclose such information. Rosen did state the company does not believe the attack was directly related to the upcoming U.S. midterm elections.

According to Rosen, a tool in Facebook’s help center will now show users if they were affected and what information may have been exposed. Users will also see a “customized message” in the coming days to assist in preventative measures.
nir Posted October 12, 2018

The Latest: Facebook isn't ruling out smaller-scale breaches

Facebook says it has gotten a handle on a security breach affecting nearly 30 million accounts, but it hasn't ruled out the possibility of smaller-scale efforts to exploit the same vulnerability.

Facebook is offering a website for people to check if their accounts have been accessed, and if so, exactly what information was stolen. It will also provide guidance on how to spot and deal with suspicious emails or texts. Facebook will also send messages directly to those people.

Facebook says it has already fixed the vulnerability, which stemmed from three distinct bugs in Facebook's code. On Friday, Facebook pinned the number of accounts accessed at 29 million, fewer than the 50 million it initially believed were affected when it disclosed the breach two weeks ago.

[...]