In late September, Facebook said that it had been hit by its worst-ever data breach. Taking advantage of the site’s ‘view as’ feature, the hackers gained access to tens of millions of users’ accounts. The earlier estimate was 50 million Facebook users, which has now come down to ‘only’ 30 million users.
Of these 30 million, Facebook believes that about 15 million users’ names, phone numbers, email addresses and other sensitive information were visible to the attackers.
Below is a list of some of the things that hackers might have stolen from 14 million user accounts:
- Email address
- Phone number
- Types of devices used to access Facebook
- Relationship status
- Current City
- 10 most recent locations checked into or tagged in
- 15 most recent searches entered in Facebook search bar
- People or Pages followed on Facebook
The remaining 1 million users didn’t have any personal information accessed as a result of the attack.
However, Facebook has determined that no credit card numbers were exposed. The identity of the hackers remains unclear.
In a call with reporters, Facebook gave scant details about the hack beyond who was affected, citing the fact that it remains an open investigation by the FBI and others.
Guy Rosen, Facebook’s vice president of product management, apologized for the hack, saying: ‘People’s privacy and security are important to us, and we are sorry this happened.’ When Facebook disclosed the breach two weeks ago, company officials said they didn’t know who was behind the attacks or where they might be based. Since then, it has been ‘working around the clock’ to get to the bottom of the breach. ‘We now know that fewer people were impacted than we originally thought,’ Rosen said in a statement.
‘Of the 50 million people whose access tokens we believed were affected, about 30 million actually had their tokens stolen.’
Access tokens work as digital keys, letting those who hold them log into Facebook accounts without entering a password.
In the call with reporters, Rosen was asked whether the information obtained by hackers was used on the Dark Web, or for any other purposes.
‘We haven’t seen any evidence of this being used yet,’ Rosen explained.
Shedding new light on the hack, he said the attackers used an ‘automated technique’ to move from account to account stealing tokens of friends-of-friends, ‘totalling about 400,000 people’.
This pool of 400,000 users allowed them to steal access tokens from the full 30 million, he continued.
He wrote: ‘For 15 million people, attackers accessed two sets of information – name and contact details (phone number, email, or both, depending on what people had on their profiles).
‘For 14 million people, the attackers accessed the same two sets of information, as well as other details people had on their profiles.
‘This included username, gender, locale/language, relationship status, religion, hometown, self-reported current city, birth-date, device types used to access Facebook, education, work, the last 10 places they checked into or were tagged in, website, people or Pages they follow, and the 15 most recent searches.
‘For 1 million people, the attackers did not access any information.’