The hackers used the “View As” vulnerability to steal access tokens from their own friends, and then repeated that process for friends of those compromised friends.
The company had initially said 50m accounts were affected but has now revised that to “only” 30 million. The attackers then obtained access tokens for about 29 million users who were friends, or friends of friends, of these 400,000 seed accounts.
Attackers did not access any information for the remaining one million users. On the Facebook Help Center users can check if they have been affected and what information may have been accessed.
This was clearly an intentional, malicious theft of user data from Facebook, and some of that data is very granular.
In addition, affected users will receive messages in the coming days with details on what information may have been accessed, as well as steps to take to protect themselves. The contact information included a mix of phone numbers and email addresses. Facebook users should also be wary of messages or emails claiming to be from Facebook, the company said. The breach also did not affect payments, advertising or third-party apps, contrary to earlier reports by some outlets. “Message content was not available to the attackers”, unless you are the Admin of a page that had its access token stolen. “Businesses and governments will lose money, ransomware attacks will result from this leak and the attack will reverberate over many months”.
Facebook said the FBI is investigating, but asked the company not to discuss who may be behind the attack. On Thursday, Facebook disclosed that it had removed hundreds of accounts and pages used to spread disinformation in the United States.
But Facebook is also describing some of the data that was accessed, and it’s truly exhaustive.
Facebook is already sending customised messages to the 30 million affected users to explain what has happened.
Isn’t that great? Only 30 million. The admission prompted lawmakers to call for an FTC investigation. For now, the company is working with both U.S. and international authorities to identify the hackers and take the necessary steps.
“These companies have a staggering amount of information about Americans”.
Though they were friends on Facebook, it’s unclear how close the attackers were to their first set of victims. “The cost of inaction is growing and we need answers”. On Sept. 28, it went public with news of the incident, logging out about 90 million users as a precaution. It would be nearly two weeks before the activity was determined to be a legitimate attack, and the exploit patched. A spike in traffic triggered an internal investigation.
Facebook said it is working with the FBI to investigate the biggest hack in its history.
He said Facebook should perhaps offer free premium access to password managers and other similar software. From there, they used an automated technique that gave them access to each account’s friends list, which allowed them to move from one account to the next and harvest the tokens, eventually giving the attackers control of 400,000 accounts. The notification messages come in several variations depending on how much data was taken from the affected account. Facebook says the problem has been fixed. The 30 million figure is lower than the original estimate of 50 million.