Sunday Star-Times

Facebook reveals true size of hack


Facebook has revealed that hackers accessed a wide swath of information – ranging from emails and phone numbers to more personal details like sites visited and places checked into – from millions of accounts as part of a security breach the company disclosed two weeks ago.

Twenty-nine million accounts had some form of information stolen, Facebook revealed yesterday. Originally, it said 50 million accounts were affected but that it didn’t know if they had been misused.

The news comes at a jittery time ahead of the US midterm elections, as Facebook is fighting off misuse of its site on a number of fronts. The company said yesterday there was no evidence the hack was related to the midterms.

Facebook said hackers accessed names, email addresses or phone numbers from the hacked accounts. For 14 million of them, the hackers got even more data, such as home town, birthdate, the last 10 places they checked into, or the 15 most recent searches.

An additional 1 million accounts were affected, but the hackers didn’t get any information from them.

Facebook did not provide a breakdown of where the affected users were, but said the breach was ‘‘fairly broad’’. It plans to send messages to people whose accounts were hacked.

The company said third-party apps that used a Facebook login and Facebook apps like WhatsApp and Instagram were unaffected by the breach.

Facebook said the FBI was investigating but had asked the company not to discuss who might be behind the attack. It had not ruled out the possibility of smaller-scale attacks that used the same vulnerability.

Facebook said the attackers gained the ability to ‘‘seize control’’ of the user accounts by stealing digital keys the company uses to keep users logged in. They could do so by exploiting three distinct bugs in Facebook’s code.

The hackers began with a set of accounts they controlled, then used an automated process to access the digital keys for accounts that were ‘‘friends’’ with the accounts they had already compromised. That expanded to ‘‘friends of friends’’, extending the hackers’ access to about 400,000 accounts, and went on from there to reach 30 million accounts.

There is no evidence that the hackers made any posts or undertook any other activity using the hacked accounts.

The company said it had fixed the bugs and logged out affected users to reset the digital keys.

Facebook CEO Mark Zuckerberg – whose own account was compromised – said the attackers would have had the ability to view private messages or post on someone’s account, but there were no signs that they did.

The company has a website its 2 billion global users can use to check if their accounts have been accessed, and if so, exactly what information was stolen. It will also provide guidance on how to spot and deal with suspicious emails or texts.

Patrick Moorhead, founder of tech industry analysis firm Moor Insights & Strategy, said the breach appeared similar to identity theft breaches that have occurred at companies including Yahoo and Target in 2013.

‘‘Those personal details could very easily be used for identity theft to sign up for credit cards, get a loan, get your banking password etc,’’ he said. ‘‘Facebook should provide all those customers free credit monitoring to make sure the damage is minimised.’’

Thomas Rid, a professor at Johns Hopkins University, also said the evidence, particularly the size of the breach, seemed to point to a criminal motive rather than a sophisticated state operation, which usually targeted fewer people.

‘‘This doesn’t sound very targeted at all,’’ he said. ‘‘Usually when you’re looking at a sophisticated government operation, then a couple of thousand people hacked is a lot, but they usually know who they’re going after.’’
