The update on the original notification provided by the social network in September, which advised of a vulnerability where attackers could acquire access tokens used to authenticate a user’s token, advises the breach in fact affected just 30 million people, with the effects of the breach split roughly in half across the group.
Approximately 15 million people had their name and contact details, including phone number and email, accessible by the attackers. For 14 million people, the attackers were able to access a considerable amount of other data on top, all listed in their profiles.
The list of extra data includes usernames, genders, locale and language, relationship status, religion, hometown, self-reported current city, date of birth, device types used to access Facebook, education, work, the last 10 places the user was checked into or tagged in, website address, people or pages they follow, and the last 15 recent searches on the service.
For the remaining 1 million users whose tokens were acquired, the attackers apparently did not access the accounts at all.
Examples of customized messages Facebook will send out to affected users
Facebook is now advising concerned users to check the site’s Help Center to see if they were affected. In the coming days, users within the 30 million people identified by Facebook will be sent a customized message advising of what the attackers could have accessed, as well as ways to protect themselves.
The company notes the attack did not affect its other services, including Messenger, Messenger Kids, Instagram, WhatsApp, Oculus, Workplace, Pages, payments, third-party apps, or advertising or developer accounts. Facebook also advises it will be looking for other ways the attackers used Facebook, along as watching out for smaller-scale attacks, and will continue to cooperate with the FBI, U.S. FTC, the Irish Data Protection Commission, and other authorities.
According to Facebook, the attackers exploited a vulnerability in the social network’s code that existed between July 2017 and September 2018, which was the result of a “complex interaction of three distinct software bugs” that impacted the “View As” feature, which allowed users to see how their profile appears to other people.
The bug allowed attackers to steal Facebook access tokens, which could then be used to take over other accounts.
The attack itself was first spotted on September 14, 2018, after the site saw an unusual spike of activity, prompting an investigation that confirmed it was an attack on September 25. The vulnerability was closed within two days, with the attack also halted and user accounts secured by “restoring the access tokens for people who were potentially exposed.” Facebook also disabled View As at the same time.
Facebook believes the attackers had already gained control of a set of accounts, then set up an automated process to move between accounts and acquire the access tokens of friends connected to the accounts, as well as friends of those friends. Eventually amassing tokens for around 400,000 people, the process also loaded up the Facebook profiles of each account and any connected data, including posts, friend lists, group memberships, recent Messenger conversation contacts, and the contents of messages in groups where the user was a Page admin.
A subset of these 400,000 accounts was used to steal the access tokens for the aforementioned 30 million accounts.