In September, a group of hackers used a flaw in Facebook’s “view as” feature to gain unauthorized access to millions of accounts — and today, the company released its most comprehensive statement yet on exactly what data was taken as part of the breach.
According to today’s statement, the hackers stole access tokens for 30 million accounts (revised down from an initial estimate of 50 million), allowing them to gain complete access to the profiles. Of those 30 million, the hackers accessed basic contact information (name and either email or phone number) for 14 million accounts, and additional information including gender, religion, location, device information, and the 15 most recent searches for another 15 million accounts. No information was accessed for the remaining one million accounts.
“We take these incidents really, really seriously,” said Guy Rosen, Facebook’s vice president of product management, told reporters in a call afterwards.
Facebook has pledged to notify all 30 million users through the Help Center in the coming days. Crucially, Facebook said no data was taken from third-party apps linked to the accounts, including Facebook products like Instagram, Messenger and WhatsApp. At the same time, there may have been smaller but more invasive attacks during the same period that have yet to be uncovered by Facebook’s investigation. There’s also no indication that the hackers posted any content while logged in.
The statement also gives new detail into the timeline of the attack. The first spike of activity registered on September 14th, but it wasn’t until 11 days later that Facebook identified the activity as a malicious attack. The vulnerability was closed two days later and reported to users and privacy officials in accordance with the GDPR and other breach disclosure laws.
Facebook also confirmed that the FBI is actively investigating the hack, but declined to give further details, saying the bureau had “asked us not to discuss who may be behind this attack.” Because of the nature of the “View As” bug, it is likely that Facebook has significant knowledge of the accounts where the attack originated, if not the perpetrators themselves.