Facebook has issued an update following the breach last month that allowed attackers to access the ‘View As’ feature. According to the social networking giant, 30 million accounts were potentially accessed by hackers, rather than the 50 million figure originally stated.
Facebook admitted that sensitive information such as names and dates of birth was available during the cyber-assault in September.
In an update, Guy Rosen, Facebook’s VP of product management, said the firm had been “working around the clock” to investigate the security issue it discovered and fixed two weeks ago.
Rosen said the firm has not ruled out the possibility of more smaller-scale attacks, which it is continuing to investigate. The social network did not reveal who the perpetrator was, but says it is working with the FBI on the matter. “We’re cooperating with the FBI, which is actively investigating and asked us not to discuss who may be behind this attack,” said Rosen.
How did the attack happen and who was affected?
Facebook saw an "unusual spike of activity" starting on September 14 2018. After an investigation, the firm identified this was a cyber-attack on September 25. Once the social network identified the vulnerability, it stopped the attack and secured people’s accounts by resetting the access tokens for people who were potentially exposed, also turning off the ‘View As’ feature.
The social network said attackers controlled a set of accounts, which were connected to Facebook friends. They used an automated technique to move from one account to another so they could steal access tokens from friends, and friends of friends, totaling about 400,000 people.
During the process, this technique automatically loaded those accounts’ Facebook profiles, mirroring what they would have seen when looking at their own page. It included posts on their timelines, lists of friends, groups, and the names of recent Messenger conversations.
Facebook claims Message content was not available to the attackers, with one exception: If a person in this group was a Page admin whose Page had received a message from someone on Facebook, the content was available to the attackers.
The adversaries used a portion of the 400,000 people’s lists of friends to steal access tokens for about 30 million people. Of those, 15 million people’s name and contact details were accessed. Another 14 million people were worse affected: Attackers could also see their username, gender, language, relationship status, religion, hometown, current city, birth date, device types used to access Facebook, education, work, the last 10 places checked into, website, people or Pages followed, and 15 most recent searches.
How do I know which category I fall into?
People can check whether they were affected by visiting the Facebook Help Center. Over the coming days, the social network will send customized messages to the 30 million affected to explain which information the attackers might have accessed, as well as advising people of the steps they can take to help protect themselves from suspicious emails, text messages, or calls.
What wasn’t impacted?
This attack did not include Messenger, Messenger Kids, Instagram, WhatsApp, Oculus, Workplace, Pages, payments, third-party apps, or advertising or developer accounts.
What are the implications?
Facebook has taken two weeks to reveal information relating to this massive breach. It did report the incident quickly, but the firm was slow to inform users about what to do next. It comes after Google admitted the information of Google Plus users was potentially exposed earlier this year. As people continue to entrust their data to technology firms, security needs to be razor sharp. As these incidents prove, more needs to be done to protect information and react quickly when the worst does happen.
