The data breach Facebook first disclosed in September exposed the access tokens of 30 million accounts, the social media giant confirmed Friday.
Facebook recently admitted that hackers exploited a flaw in its “View As” feature, which lets users see how their own profile appears to another specific account (for instance, to check that their privacy settings behave as intended). While Facebook had originally pegged the number impacted at almost 50 million, after further investigation that number has been revised down to 30 million.
The company said that bad actors had accessed private data, including potentially users’ names and contact details (phone number or email), gender, language, relationship status, religion and hometown, among other things.
“We have not ruled out the possibility of smaller-scale attacks, which we’re continuing to investigate,” said Guy Rosen, vice president of product management at Facebook, in a Friday post. “We’re cooperating with the FBI, which is actively investigating and asked us not to discuss who may be behind this attack.”
Facebook also gave more detail on how the attack itself was carried out.
The vulnerability in Facebook’s “View As” feature allowed attackers to obtain access tokens for other users’ accounts. Access tokens are the digital keys that keep users logged into Facebook so they don’t need to re-enter their password every time they use the app; they are bearer credentials, so whoever holds a valid token is treated as that user. Hackers were able to obtain these tokens, and from there could have taken over users’ accounts, Facebook said.
The attackers started from a set of accounts they already controlled, each of which was connected to other users as Facebook friends, said Rosen.
They then used an automated technique to move from account to account, stealing the access tokens of those friends, then of friends of those friends, and so on. This first wave totaled about 400,000 people.
“In the process, however, this technique automatically loaded those accounts’ Facebook profiles, mirroring what these 400,000 people would have seen when looking at their own profiles,” according to Rosen. “That includes posts on their timelines, their lists of friends, Groups they are members of and the names of recent Messenger conversations.”
Message content was not available to the attackers, with one exception: if one of those 400,000 people was a Page administrator and their Page had received a message from someone on Facebook, those messages were available to the attackers, said Rosen.
“The attackers used a portion of these 400,000 people’s lists of friends to steal access tokens for about 30 million people,” he said. “For 15 million people, attackers accessed two sets of information – name and contact details (phone number, email or both, depending on what people had on their profiles). For 14 million people, the attackers accessed the same two sets of information, as well as other details people had on their profiles. This included username, gender, locale/language, relationship status, religion, hometown, self-reported current city, birthdate, device types used to access Facebook, education, work, the last 10 places they checked into or were tagged in, website, people or pages they follow and the 15 most recent searches.”
For one million people, the attackers did not access any information, he said.
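The friend-walk Rosen describes has a signature that is hard to hide in an audit trail: one session invoking “View As” against many distinct profiles in quick succession, and accounts that were just looked up starting to issue their own look-ups moments later (the hop made with a stolen token). The detector below is an added example, not Facebook’s code; the log format (`<ISO timestamp> <actor> <action> <target>`) and the sample lines are constructed for illustration, and the window and threshold are assumptions a real deployment would tune.

```python
# Added example, not Facebook's code: flag the automated "View As" friend walk
# in a constructed audit log. Log format is an assumption for illustration:
# "<ISO timestamp> <actor account> <action> <target account>".
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log. Account 1001 walks six friends within seconds, then
# pivots to act as 2001 (a stolen token) and walks 2001's friends. 1002 is an
# ordinary user; 1003 also uses "View As" five times, but spread over a day.
SAMPLE_LOG = """\
2018-09-25T10:00:01Z 1001 view_as 2001
2018-09-25T10:00:02Z 1001 view_as 2002
2018-09-25T10:00:03Z 1001 view_as 2003
2018-09-25T10:00:04Z 1001 view_as 2004
2018-09-25T10:00:05Z 1001 view_as 2005
2018-09-25T10:00:06Z 1001 view_as 2006
2018-09-25T10:00:30Z 2001 view_as 3001
2018-09-25T10:00:31Z 2001 view_as 3002
2018-09-25T10:00:32Z 2001 view_as 3003
2018-09-25T10:00:33Z 2001 view_as 3004
2018-09-25T10:00:34Z 2001 view_as 3005
2018-09-25T10:05:00Z 1002 view_as 1001
2018-09-25T10:06:00Z 1002 post_status -
2018-09-25T08:00:00Z 1003 view_as 4001
2018-09-25T09:00:00Z 1003 view_as 4002
2018-09-25T11:00:00Z 1003 view_as 4003
2018-09-25T12:00:00Z 1003 view_as 4004
2018-09-25T13:00:00Z 1003 view_as 4005
"""


def parse_line(line):
    """Split one audit line into (timestamp, actor, action, target)."""
    ts, actor, action, target = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), actor, action, target


def view_as_events(log_text):
    """Return {actor: [(timestamp, target), ...]} for view_as actions only."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, actor, action, target = parse_line(line)
        if action == "view_as":
            events[actor].append((ts, target))
    return events


def detect_fan_out(log_text, window=timedelta(minutes=5), threshold=5):
    """Flag actors that look up >= threshold distinct profiles inside any
    sliding window. Returns {actor: most distinct targets seen in one window}."""
    flagged = {}
    for actor, evs in view_as_events(log_text).items():
        evs.sort()
        left = 0
        for right in range(len(evs)):
            while evs[right][0] - evs[left][0] > window:
                left += 1
            distinct = {target for _, target in evs[left:right + 1]}
            if len(distinct) >= threshold:
                flagged[actor] = max(flagged.get(actor, 0), len(distinct))
    return flagged


def find_pivots(log_text):
    """Accounts that were looked up with view_as and afterwards issued view_as
    requests themselves: the friend-of-friend hop made with a stolen token."""
    events = view_as_events(log_text)
    first_targeted = {}
    for evs in events.values():
        for ts, target in evs:
            if target not in first_targeted or ts < first_targeted[target]:
                first_targeted[target] = ts
    pivots = set()
    for actor, evs in events.items():
        if actor in first_targeted and any(ts > first_targeted[actor] for ts, _ in evs):
            pivots.add(actor)
    return pivots


if __name__ == "__main__":
    print(detect_fan_out(SAMPLE_LOG))  # {'1001': 6, '2001': 5}
    print(find_pivots(SAMPLE_LOG))     # {'2001'}
```

The two signals are meant to be read together: fan-out alone also catches a curious but legitimate user, while an account that becomes an actor right after being a target is the hallmark of the automated walk, so the intersection of the two sets is where triage should start.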
Users can check whether they were impacted by visiting Facebook’s Help Center; and Facebook will send customized messages to the 30 million impacted users to explain what information was accessed and how they can protect themselves, Rosen said.
Since the Cambridge Analytica scandal rocked Facebook in March, the company has been trying to take proactive steps to prioritize security. In March Facebook announced it would expand its bug bounty program in an attempt to thwart improper data handling by third-party app developers. The social network then announced earlier this month that it is expanding that program to sniff out vulnerabilities related to access-token exposure; it will offer at least $500 for vulnerabilities in third-party apps and websites that involve improper exposure of Facebook user access tokens.
Facebook has since fixed the vulnerability and reset the access tokens of the roughly 90 million accounts that had been looked up with “View As” in the past year. But experts worry that, before the reset, the stolen tokens could have been used against other APIs that expose profile information, such as name or gender. One of those, the single sign-on API, is what third-party apps and sites use when users log in with their Facebook credentials; resetting the tokens on Facebook’s side does not by itself end a session that such an app had already established on the strength of a stolen token.
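Resetting tokens for 90 million accounts is only practical if revocation does not require touching every token. One common design is a per-account cutoff: a token is rejected if it was issued at or before the account’s last reset time, so a mass reset is a write per account rather than per token, and a stolen token dies the moment its owner is reset. The code below is an added example, not Facebook’s implementation; the class and method names, the integer clock and the `introspect` call a third-party login integration would make are all assumptions for illustration.

```python
# Added example, not Facebook's implementation: opaque bearer tokens with a
# per-account "issued at or before T is invalid" cutoff. All names, the
# integer clock and the introspection call are assumptions for illustration.
import secrets


class TokenService:
    def __init__(self):
        self._tokens = {}   # token -> (account_id, issued_at)
        self._cutoff = {}   # account_id -> tokens issued at or before this are dead

    def issue(self, account_id, now):
        """Mint an opaque random token. It is a bearer credential: whoever
        presents it is treated as account_id, no password required."""
        token = secrets.token_urlsafe(32)
        self._tokens[token] = (account_id, now)
        return token

    def authenticate(self, token):
        """Return the account the token authenticates, or None."""
        record = self._tokens.get(token)
        if record is None:
            return None
        account_id, issued_at = record
        if issued_at <= self._cutoff.get(account_id, -1):
            return None   # account was reset after issuance; token is dead without being deleted
        return account_id

    def reset_accounts(self, account_ids, now):
        """Bulk reset: one write per account, not one per token."""
        for account_id in account_ids:
            self._cutoff[account_id] = now

    def introspect(self, token):
        """What a third-party login integration should ask on each use, instead of
        trusting a token it cached at first sign-in (assumed API shape)."""
        account_id = self.authenticate(token)
        return {"valid": account_id is not None, "account_id": account_id}


def scenario():
    """Victim logs in, attacker obtains the token, service resets the victim."""
    svc = TokenService()
    victim_token = svc.issue("victim", now=1)
    bystander_token = svc.issue("bystander", now=1)
    stolen = victim_token   # constructed: the attacker holds the same token string

    results = {}
    results["stolen_before_reset"] = svc.authenticate(stolen)        # bearer: works
    svc.reset_accounts(["victim"], now=3)                            # the mass reset
    results["stolen_after_reset"] = svc.authenticate(stolen)         # now rejected
    results["bystander_untouched"] = svc.authenticate(bystander_token)
    fresh = svc.issue("victim", now=5)                               # victim signs in again
    results["fresh_after_reset"] = svc.authenticate(fresh)
    results["third_party_sees_valid"] = svc.introspect(stolen)["valid"]
    return results


if __name__ == "__main__":
    print(scenario())
```

The caveat in the article is visible in the last line of `scenario()`: a relying party only learns the stolen token is dead if it asks the issuer on each use. An app that exchanged the Facebook token for its own session at login time keeps that session alive regardless of the reset, which is why a token reset upstream is not the end of incident response for the single sign-on case.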
Others say questions still remain about the data breach – including who was behind the hack, and how Facebook will handle potential issues like GDPR’s data breach disclosure fines moving forward.
“Not knowing all of the detail of when the breach was discovered, who, exactly, was impacted, who was responsible, etc., the possible outcomes may be worse than we know today,” Pravin Kothari, CEO of CipherCloud, said in an email. “We’ll have to see what Facebook discloses about potential liability if any exists. The calculations of the potential fines under GDPR are a bit mind-boggling with any possible impact to millions of users.”