The cyber attackers stole data from 29 million Facebook profiles, including names and contact details. (Reuters: Dado Ruvic)
Cyber attackers stole data from 29 million Facebook accounts using an automated program that moved from one friend to the next, but the social media company said its largest ever data theft hit fewer than the 50 million profiles it initially reported.
- Facebook says the users hacked are from a “fairly broad” number of countries
- The cyber attack started small and spread through “friends of friends”
- Facebook has a website to check if your account was breached
The company said it would message affected users over the coming days to tell them what type of information had been accessed in the attack.
The breach has left users more vulnerable to targeted phishing attacks and could deepen their unease about posting to a service whose privacy, moderation and security practices have been called into question by a series of scandals, cybersecurity experts and financial analysts said.
The attackers took profile details such as birth dates, employers, education history, religious preference, types of devices used, pages followed and recent searches and location check-ins from 14 million users.
For the other 15 million users, it was restricted to name and contact details.
An additional 1 million accounts were affected, but hackers didn’t get any information from them.
Facebook isn’t giving a breakdown of where these users are, but says the breach was “fairly broad”.
Facebook said third-party apps that use a Facebook login and Facebook apps like WhatsApp and Instagram were unaffected by the breach.
The social media company said the FBI is investigating, but asked the company not to discuss who may be behind the attack.
How the hackers hit so many accounts
The hackers began with a set of accounts they controlled, then used an automated process to access the digital keys for accounts that were “friends” with the accounts they had already compromised.
That expanded to “friends of friends,” extending their access to about 400,000 accounts, and went on from there to reach 30 million accounts.
The company said it has fixed the bugs and logged out affected users to reset those digital keys.
Facebook chief executive Mark Zuckerberg’s own account was compromised in the data breach. (Reuters: Charles Platiau/Pool)
At the time of the initial disclosure, chief executive Mark Zuckerberg — whose own account was compromised — said the attackers would have had the ability to view private messages or post on someone’s account, but there was no sign that they had done so.
The hackers stole neither personal messages nor financial data, and did not use their access to log in to users’ accounts on other websites, the company said.
The vulnerability the hackers exploited existed from July 2017 through late last month, when Facebook noticed an unusual increase in use of its “view as” feature.
That feature allows users to check privacy settings by glimpsing what their profile looks like to others. But three errors in Facebook’s software enabled someone accessing “view as” to post and browse from the Facebook account of the other user.
The attackers used the “view as” flaw to breach the accounts of their friends, then used a tool they developed to expand to friends of friends and beyond.
Facebook patched the issue last month and asked 90 million users to log back into their accounts, many just as a precaution.
One of many problems facing the company
Security experts have said Facebook’s initial breach disclosure arrived earlier than it likely would have prior to the enactment in May of the European Union’s General Data Protection Regulation, which mandates notification within 72 hours of learning of a compromise.
Facebook’s lead EU data regulator, the Irish Data Protection Commissioner, last week opened an investigation into the breach. Authorities in other jurisdictions including the US states of Connecticut and New York are also looking into the attack.
Regulators around the world have launched inquiries into another matter: How profile details from 87 million Facebook users were improperly accessed by political data firm Cambridge Analytica.
Patrick Moorhead, founder of Moor Insights & Strategy, said the breach appeared similar to identity theft breaches that have occurred at companies including Yahoo and Target in 2013.
“Those personal details could very easily be used for identity theft to sign up for credit cards, get a loan, get your banking password,” he said.
“Facebook should provide all those customers free credit monitoring to make sure the damage is minimized.”
How to check if you were hacked
The company has a website its 2 billion global users can use to check if their accounts have been accessed, and if so, exactly what information was stolen.
The site also provides guidance on how to spot and deal with suspicious emails or texts, and Facebook will message the people affected by the hack directly.