Facebook: Hackers accessed data from 29 million users
Programming bugs let the attackers take over accounts.
An online attack that forced Facebook to log out 90 million users last month directly affected 29 million people on the social network, the company said Friday as it released new details about an incident that has regulators and law enforcement on high alert.
Through a series of interrelated bugs in Facebook’s programming, unnamed attackers stole the names and contact information of 15 million users, Facebook said. The contact information included a mix of phone numbers and email addresses.
An additional 14 million users were affected more deeply: the attackers took additional details related to their profiles, such as their recent search history, gender, educational background, geolocation data, birth dates, and lists of people and pages they follow.
Facebook said last month that it detected the attack when it noticed an uptick in user activity. An investigation soon found that the activity was linked to the theft of security codes that, under normal circumstances, allow Facebook users to navigate away from the site while remaining logged in.
The bugs that allowed the attack to occur gave hackers the ability to effectively take over Facebook accounts on a widespread basis, Facebook said when it disclosed the breach. The attackers began with a relatively small number of accounts that they directly controlled, exploiting flaws in the platform’s “View As” feature to gain access to other users’ profiles. (The “View As” feature is designed to allow users to view their own profiles as though they are somebody else.)
Facebook said it is cooperating with authorities on its investigation, but said the FBI had advised the company not to discuss who may be behind the attack.
Facebook has also established a web page that will inform users who are logged in whether their accounts were affected.
What may have motivated the attackers is still unclear; despite mounting concerns about election security as U.S. officials count down to a highly contested midterm election, Facebook said there was no indication the hack was related.
“We don’t have a specific indication as to the intention of the hackers,” said Guy Rosen, Facebook’s VP of product management.