After initially announcing that it had encountered a "security issue" which it would be investigating, Facebook has now confirmed that it was hacked and that the attackers had access to, and controlled, about 30 million accounts. According to Guy Rosen, VP of Product Management at Facebook, the hackers initially only had access to a small set of user accounts, but they used an automated technique to steal the access tokens of those users' friends and friends of friends, and in the process gained control of 30 million Facebook accounts.

The attack was discovered after Facebook observed an unusual spike of activity on its platform, which is reported to have started on 14 September 2018.

"On September 25, we determined this was actually an attack and identified the vulnerability. Within two days, we closed the vulnerability, stopped the attack, and secured people’s accounts by restoring the access tokens for people who were potentially exposed. As a precaution, we also turned off “View As.” We’re cooperating with the FBI, which is actively investigating and asked us not to discuss who may be behind this attack," said Rosen.

How the hack happened

Initially, Facebook reported that 50 million users were affected by the attack but Rosen is now reporting that, after investigation, only approximately 30 million user accounts were hacked. According to Facebook's investigation, the hackers only had access to 400,000 user accounts.

Facebook customized messages that people will see depending on how they were impacted.

"They used an automated technique to move from account to account so they could steal the access tokens of those friends, and for friends of those friends, and so on, totaling about 400,000 people. In the process, however, this technique automatically loaded those accounts’ Facebook profiles, mirroring what these 400,000 people would have seen when looking at their own profiles. That includes posts on their timelines, their lists of friends, Groups they are members of, and the names of recent Messenger conversations. Message content was not available to the attackers, with one exception. If a person in this group was a Page admin whose Page had received a message from someone on Facebook, the content of that message was available to the attackers."

Among the list of data that the hackers were able to access is Facebook users' username, gender, locale/language, relationship status, religion, hometown, self-reported current city, birthdate, device types used to access Facebook, education, work, the last 10 places they checked into or were tagged in, website, people or Pages they follow, and the 15 most recent searches. It goes without saying that this information could be abused if in the wrong hands, not to mention the issues around privacy.
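Two of the defensive measures mentioned above, spotting an unusual spike of activity and then "restoring" (invalidating) the access tokens of potentially exposed accounts, can be illustrated with a small model. The following is an added example, not Facebook's code; the token store, the sample daily activity counts and the attack window are all constructed for illustration, and the spike rule (baseline mean plus four standard deviations) is an assumption, not the rule Facebook used.

```python
"""Toy access-token registry plus a simple activity-spike check.

Constructed illustration of two defensive steps described in the post:
1. flag days whose activity volume is far above a baseline, and
2. bulk-invalidate tokens issued to exposed accounts inside the attack window,
   forcing those users to log in again and receive fresh tokens.
"""
from __future__ import annotations

import secrets
import statistics
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Token:
    value: str
    user_id: int
    issued_at: int      # constructed "seconds" timestamp, not a real epoch
    revoked: bool = False


class TokenStore:
    """Minimal server-side token registry (hypothetical, for illustration)."""

    def __init__(self) -> None:
        self._by_value: dict[str, Token] = {}
        self._by_user: dict[int, list[Token]] = defaultdict(list)

    def issue(self, user_id: int, now: int) -> str:
        # Unpredictable token value; the store, not the client, is authoritative.
        tok = Token(secrets.token_urlsafe(16), user_id, now)
        self._by_value[tok.value] = tok
        self._by_user[user_id].append(tok)
        return tok.value

    def is_valid(self, value: str) -> bool:
        tok = self._by_value.get(value)
        return tok is not None and not tok.revoked

    def revoke_exposed(self, user_ids, start: int, end: int) -> int:
        """Invalidate every token issued to the listed accounts within
        [start, end]. Tokens issued outside the window, and tokens of
        unlisted accounts, are left untouched. Returns how many were revoked."""
        count = 0
        for uid in user_ids:
            for tok in self._by_user.get(uid, []):
                if start <= tok.issued_at <= end and not tok.revoked:
                    tok.revoked = True
                    count += 1
        return count


def spike_days(daily_counts, baseline_days: int = 7, k: float = 4.0) -> list[int]:
    """Return indexes of days (after the baseline period) whose volume exceeds
    baseline mean + k * population stdev. Assumed rule, chosen for illustration."""
    base = daily_counts[:baseline_days]
    mean = statistics.fmean(base)
    sd = statistics.pstdev(base) or 1.0      # avoid a zero threshold on flat data
    return [i for i, c in enumerate(daily_counts)
            if i >= baseline_days and c > mean + k * sd]


# Constructed daily counts: a quiet week, two normal days, then a sharp rise.
SAMPLE_COUNTS = [1000, 1020, 990, 1010, 1005, 995, 1015, 1008, 1012, 5400, 6200]


def demo() -> dict:
    """Run the two steps end to end and return the observable results."""
    flagged = spike_days(SAMPLE_COUNTS)          # expected [9, 10]

    store = TokenStore()
    attack_window = (100, 200)                   # constructed timestamps
    old_token = store.issue(1, 50)               # issued before the window
    exposed_token = store.issue(1, 150)          # issued during the window
    bystander_token = store.issue(2, 150)        # different, unaffected account

    revoked = store.revoke_exposed(user_ids=[1], start=100, end=200)
    return {
        "flagged_days": flagged,
        "revoked": revoked,
        "old_still_valid": store.is_valid(old_token),
        "exposed_still_valid": store.is_valid(exposed_token),
        "bystander_still_valid": store.is_valid(bystander_token),
    }


if __name__ == "__main__":
    print(demo())
```

The point of keeping the revocation keyed on both account and issuance window is that only the tokens that could have been harvested are cut off; everyone else stays logged in, which matches the targeted "restoring the access tokens for people who were potentially exposed" described in the post rather than a global logout.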

Going forward

Facebook will be notifying users who were impacted by the hack with different notification messages depending on how they were hacked and what information was accessed. The company, however, has still not disclosed statistics (e.g. geography) on the types of users affected.

There was also a concern that, because the hack centered on access tokens, it could have impacted third-party apps that use the "Log in with Facebook" feature. According to Rosen, this is not the case.

"This attack did not include Messenger, Messenger Kids, Instagram, WhatsApp, Oculus, Workplace, Pages, payments, third-party apps, or advertising or developer accounts. As we look for other ways the people behind this attack used Facebook, as well as the possibility of smaller-scale attacks, we’ll continue to cooperate with the FBI, the US Federal Trade Commission, Irish Data Protection Commission, and other authorities," concluded Rosen.

To see if you were one of the affected Facebook users, visit this page.


Cover image credit:

Photo by Glen Carrie on Unsplash