Earlier this year, Facebook came under fire for sharing heaps of data for over 87 million users with Cambridge Analytica. As if the company wasn’t already having a tough time regaining the trust of its user base, Facebook’s now announced that information for around 30 million people was exposed during an attack it shut down in September.
Here’s everything you need to know.
Between July 2017 and September 2018, attackers accessed Facebook and created a security vulnerability that allowed them to retrieve access tokens to take over people’s accounts.
Facebook says it noticed “an unusual spike of activity” on September 14, and on September 25, determined that it was being attacked.
Within two days, we closed the vulnerability, stopped the attack, and secured people’s accounts by restoring the access tokens for people who were potentially exposed.
Facebook originally estimated that up to 50 million users had their information exposed, but that number has since dropped down to around 30 million. Of that number, 15 million users had their name and contact info (phone number and/or email) compromised while another 14 million lost that and their gender, Facebook username, location, language, relationship status, hometown, religion, current area of residence, birthdate, devices used to access Facebook, work, education, and more.
For the remaining 1 million, Facebook says that no information was compromised.
This attack did not affect Facebook Messenger, Messenger Kids, Instagram, WhatsApp, Oculus, Workplace, Pages, payments, any third-party apps, or developer/advertising accounts.
Facebook is working with the FBI to determine exactly how this happened, and per the official press release, the FBI’s asked Facebook “not to discuss who may be behind the attack.”
The 30 million affected users will see customized messages on the Facebook app and website to let them know what info of theirs was stolen, and the company’s Help Center has also been updated with new information about the attack.
Facebook says it’ll be reaching out to users to tell them what next steps they should take, but as always with these attacks, there are a few things you can do right now to ensure you’re taking the right steps.
For starters, it’s never a bad idea to reset your password when something like this happens. Also, if you’re still not using a password manager or two-factor authentication, now’s a good time to change that.