In its earlier disclosure about the breach, Facebook said as many as 50 million users could have been exposed. In a blog post today and a briefing with reporters, executives said fewer users were impacted. The social network also offered more details about how the hackers pulled it off.
Guy Rosen, VP of product management, said Facebook is working with the FBI, the Federal Trade Commission and the Irish Data Protection Commission, as well as other authorities, to identify the attackers and suss out their motives.
“The FBI is actively investigating this with us,” said Rosen. “They asked us not to discuss who might be behind the attack and what their intentions might be.”
Malicious actors were able to exploit three distinct software bugs that impacted Facebook’s “View As” feature, which allows users to see how their profile information appears to others. This vulnerability allowed attackers to steal users’ access tokens — basically, the digital keys that keep people logged in to Facebook so they don’t need to re-enter their passwords every time they use the app — to take over other people’s accounts.
Rosen said the hackers mounted the attack from 400,000 accounts they controlled and began harvesting data from there. They used an automated process to move from account to account, stealing access to friends’ accounts and then to friends of friends.
Facebook discovered an unusual spike in activity on Sept. 14 and began an internal investigation. On Sept. 25 the company determined it was under attack, identified the vulnerability and, within two days, halted the attack and secured users’ accounts by issuing new access tokens.
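The pattern described above, one actor obtaining access tokens for many other accounts in quick succession and an overall spike in token issuance, is something a defender can look for in telemetry. The following detector is an added example written for this article; it is not Facebook's code, and the log schema (timestamp, the actor account that triggered the issuance, the account whose token was issued) and the sample lines are constructed for illustration.

```python
"""Toy detector for the token-harvesting pattern described in the article:
flag actors that obtain tokens for many other accounts within a short
window, and flag hours whose issuance volume spikes above baseline.
Added example with a constructed log format; not Facebook's own code."""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import median

# Constructed sample of access-token issuance events (assumed schema:
# ISO timestamp, actor=<account that triggered it>, token_for=<account
# whose token was issued>). Not real data; actor 4242 is the simulated
# harvester, the others are normal self-issued tokens.
SAMPLE_LOG = """\
2018-09-14T10:00:01Z actor=1001 token_for=1001
2018-09-14T10:00:05Z actor=1002 token_for=1002
2018-09-14T10:00:07Z actor=4242 token_for=2001
2018-09-14T10:00:08Z actor=4242 token_for=2002
2018-09-14T10:00:09Z actor=4242 token_for=2003
2018-09-14T10:00:10Z actor=4242 token_for=2004
2018-09-14T10:00:11Z actor=4242 token_for=2005
2018-09-14T10:00:12Z actor=4242 token_for=2006
2018-09-14T10:30:00Z actor=1003 token_for=1003
2018-09-14T11:00:00Z actor=1001 token_for=1001
2018-09-14T12:00:00Z actor=1002 token_for=1002
"""


def parse_events(text):
    """Parse log lines into sorted (timestamp, actor, target) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, actor, target = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                       actor.split("=", 1)[1], target.split("=", 1)[1]))
    events.sort()
    return events


def find_harvesters(events, window=timedelta(minutes=5), max_distinct=3):
    """Return {actor: set(targets)} for actors that obtained tokens for more
    than max_distinct *other* accounts inside any sliding window.
    A user minting a token for their own account is normal and ignored."""
    per_actor = defaultdict(list)
    for ts, actor, target in events:
        if actor != target:
            per_actor[actor].append((ts, target))
    flagged = {}
    for actor, hits in per_actor.items():
        for i, (start, _) in enumerate(hits):
            seen = {t for ts, t in hits[i:] if ts - start <= window}
            if len(seen) > max_distinct:
                flagged[actor] = seen
                break
    return flagged


def hourly_spike(events, factor=3.0):
    """Return ISO hour strings whose issuance count exceeds factor times the
    median hourly count; a crude version of the 'unusual spike' check."""
    buckets = defaultdict(int)
    for ts, _, _ in events:
        buckets[ts.replace(minute=0, second=0, microsecond=0)] += 1
    if len(buckets) < 2:
        return []
    baseline = median(buckets.values())
    return sorted(b.isoformat() for b, n in buckets.items()
                  if n > factor * baseline)


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    for actor, targets in find_harvesters(evs).items():
        print(f"actor {actor} obtained tokens for {len(targets)} other accounts")
    print("spike hours:", hourly_spike(evs))
```

The per-actor check is the more specific signal: a legitimate user rarely needs tokens for more than a handful of other accounts in a few minutes, whereas an automated walk across friends and friends-of-friends produces exactly that. The hourly spike check is coarser and would need a longer baseline than three buckets in practice, but it mirrors the kind of aggregate anomaly the article says triggered the investigation.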
In all, about 30 million users were affected. For 15 million Facebook users, hackers accessed their names and contact information (including phone numbers and/or email address). For another 14 million people, the hackers pilfered even more details, including gender, relationship status, religion, current address, birthdate, education, work and the last 10 places they checked into or were tagged in.
The remaining 1 million people had their “access tokens” compromised, but not their personal information.
People can see if they were affected by the hack by visiting Facebook’s help center.
Facebook stock, which took a major hit earlier this year after the Cambridge Analytica scandal and founder-CEO Mark Zuckerberg’s apology tour, has since recovered. It isn’t showing major ill effects today, trading down a fraction at $152.95.
Rosen extended an apology to users, in what has become an increasingly common ritual for Facebook.
“People’s privacy and security is incredibly important and we’re sorry this happened,” said Rosen. “We know that we will always face threats from those who want to steal information. That is why we continue to invest so heavily in security and focus on more pro-active ways to protect people.”