Facebook breach worse than first believed
Attack exposed gender, search history, phone numbers, location data
SAN FRANCISCO — Facebook said late Friday that an attack on its computer systems that was announced two weeks ago had affected 30 million users, about 20 million fewer than it estimated earlier.
But the personal information that was exposed was far more intimate than originally thought, adding to Facebook’s challenges as it investigates what was probably the most substantial breach of its network in the company’s history.
Detailed information was stolen from the Facebook profiles of about 14 million of the 30 million users. The data was as specific as the last 15 people or things they had searched for on Facebook and the last 10 physical locations they had “checked into.”
Other personal details were also exposed, like gender, religious affiliation, telephone number, email addresses and the types of computing devices used to reach Facebook.
Users’ names and contact information like telephone numbers were stolen from an additional 15 million profiles, Facebook said. The security tokens of about 1 million other people were stolen, but hackers did not get their profile information, the company said.
The hackers did not gain access to account passwords or credit card information, Facebook said.
“We have been working around the clock to investigate the security issue we discovered and fixed two weeks ago so we can help people understand what information the attackers may have accessed,” Guy Rosen, vice president of product management, wrote in a blog post Friday.
While Facebook has cautioned that the attack was not as large as it had originally anticipated — it forced 90 million users to log out so the security of their profiles would reset — the details of what was stolen worried security experts. The data can be used for all sorts of schemes by sophisticated hackers.
“Hackers have some sort of a goal,” said Oren J. Falkowitz, chief executive of the cybersecurity company Area 1 Security and a former National Security Agency official. “It’s not that their motivation is to attack Facebook, but to use Facebook as a lily pad to conduct other attacks.
“Once you’ve become a target, it never ends,” he added.
The breach was disclosed at the worst possible time for Facebook, which is grappling with a series of crises that have shaken user trust in the world’s largest social network.
Over the last year, Facebook has faced repeated criticism that it hasn’t been doing enough to protect the personal information of its more than 2 billion regular users.
Facebook first found hints of suspicious activity across its network in early September when security engineers noticed activity around the “View As” feature, a way for users to check on what information other people can see about them. It was built to give users more control over their privacy.
More than a week later, Facebook determined that the activity was an attack on its systems, focused on three interconnected vulnerabilities in the company’s software.
Those flaws were compounded by a bug in Facebook’s video-uploading program for birthday celebrations, a software feature that was introduced in 2017. The flaw allowed the attackers to steal so-called access tokens — digital keys that allow access to an account.
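The article describes the core of the incident as an impersonation feature (“View As”) combined with a bug that let a full access token be obtained for the account being viewed. The following Python sketch is an added illustration of the defensive principle behind that class of flaw; it is not Facebook’s code, and the token layout, scope names, signing key and sample events are all constructed for the example. It contrasts a weak pattern, in which a token minted while rendering a page “as” another user is indistinguishable from that user’s own token, with a hardened pattern in which the token records the real actor, carries a narrow scope, and is integrity-protected so the scope cannot be rewritten. It also includes a small detector that flags accounts minting an unusual number of impersonation-scoped tokens, the kind of telemetry that helps spot abuse of such a feature.

```python
import hashlib
import hmac
import json
from collections import Counter
from dataclasses import dataclass

# Constructed signing key for this example only; a real service would
# keep token-signing material in a KMS or HSM, never in source code.
SIGNING_KEY = b"example-signing-key-not-a-real-secret"

# Actions a "view as" rendering legitimately needs versus everything else.
VIEW_AS_ALLOWED = {"render_public_view"}


@dataclass(frozen=True)
class Token:
    actor: str    # the account that actually logged in
    subject: str  # the account whose data this token may touch
    scope: str    # "full" or "view_as"
    sig: str      # HMAC over (actor, subject, scope)


def _sign(actor: str, subject: str, scope: str) -> str:
    msg = json.dumps([actor, subject, scope]).encode()
    return hmac.new(SIGNING_KEY, msg, hashlib.sha256).hexdigest()


def mint_unscoped(actor: str, viewed_as: str) -> Token:
    # Weak pattern (constructed illustration of the flaw class): the token
    # created while rendering the page "as" viewed_as is a full token for
    # viewed_as, with no record that `actor` is the one who requested it.
    return Token(viewed_as, viewed_as, "full", _sign(viewed_as, viewed_as, "full"))


def mint_scoped(actor: str, viewed_as: str) -> Token:
    # Hardened pattern: keep the real actor, narrow the scope, and sign all
    # three fields so none of them can be altered after issuance.
    return Token(actor, viewed_as, "view_as", _sign(actor, viewed_as, "view_as"))


def verify(token: Token) -> bool:
    expected = _sign(token.actor, token.subject, token.scope)
    return hmac.compare_digest(token.sig, expected)


def authorize(token: Token, action: str, account: str) -> bool:
    """Decide whether `token` may perform `action` on `account`."""
    if not verify(token):
        return False
    if token.scope == "full":
        # A full token only acts for the account that logged in.
        return token.actor == account and token.subject == account
    if token.scope == "view_as":
        # An impersonation token can only render the subject's public view.
        return action in VIEW_AS_ALLOWED and token.subject == account
    return False


# Constructed audit events: one line per impersonation token minted.
SAMPLE_MINT_EVENTS = [
    {"actor": "alice", "subject": "bob", "scope": "view_as"},
    {"actor": "alice", "subject": "carol", "scope": "view_as"},
    {"actor": "mallory", "subject": "u1", "scope": "view_as"},
    {"actor": "mallory", "subject": "u2", "scope": "view_as"},
    {"actor": "mallory", "subject": "u3", "scope": "view_as"},
    {"actor": "mallory", "subject": "u4", "scope": "view_as"},
    {"actor": "dave", "subject": "dave", "scope": "full"},
]


def flag_excessive_minting(events, threshold: int) -> list:
    """Return actors who minted more than `threshold` view_as tokens."""
    counts = Counter(e["actor"] for e in events if e["scope"] == "view_as")
    return sorted(a for a, n in counts.items() if n > threshold)


if __name__ == "__main__":
    weak = mint_unscoped("alice", "bob")
    strong = mint_scoped("alice", "bob")
    print("weak token can post as bob:", authorize(weak, "post", "bob"))
    print("scoped token can post as bob:", authorize(strong, "post", "bob"))
    print("scoped token can render bob's view:",
          authorize(strong, "render_public_view", "bob"))
    print("actors over threshold:", flag_excessive_minting(SAMPLE_MINT_EVENTS, 3))
```

The design point is that an impersonation token should never be able to do anything the impersonating user could not already do, and that the server, not the client, decides what the token is for. Binding the scope into the signature means a token cannot be promoted from “view as” to “full” after it is issued, and logging each mint with the real actor gives defenders something to count.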