Facebook on Friday revealed new details on a widespread security breach of user profiles, revising the number of accounts affected from about 50 million to 30 million.
Guy Rosen, Facebook’s vice president of product management, said in a blog post that Facebook is cooperating with the FBI in an ongoing investigation, and that the FBI had asked the company “not to discuss who may be behind this attack.”
“We have not ruled out the possibility of smaller-scale attacks, which we’re continuing to investigate,” Rosen wrote.
A vulnerability in Facebook’s code allowed attackers to steal access tokens, the credentials that keep people logged in so they do not have to enter a password every time they visit the site. Because a token stands in for a password, anyone holding it can act as that user; the attackers used the stolen tokens to do exactly that, pivoting from one account to the next.
In disclosing the security incident on Sept. 28, the social media giant had said that some 50 million accounts could be affected. But further investigation revealed that about 30 million people had their access tokens stolen. Of that group of people, 15 million had their name and contact details, such as a phone number, email address or both, accessed. A separate group of 14 million people had that information accessed plus “other details people had on their profiles,” Rosen wrote. Additionally, one million people who had their tokens stolen did not have their information accessed.
The hackers began with a set of accounts they already controlled and used an automated script to move from each account to that account’s Facebook friends, stealing tokens for about 400,000 people along the way. The hackers then used a subset of those accounts to carry out the broader attack, according to Facebook.
The vulnerability was discovered on Sept. 25 and fixed within two days, which stopped the attack, according to Facebook. The company also forced some 90 million users to log out, a step that invalidates the existing access tokens on the server side and issues new ones on the next login. That action secured the accounts of those affected, Rosen told reporters, so users do not need to log out again or reset their passwords, since the passwords themselves were not taken. Facebook found no evidence that the breach affected third-party applications that use Facebook Login, he added.
Facebook said it saw an unusual uptick in activity starting Sept. 14. On Sept. 25, the company determined that an attacker was exploiting a vulnerability that “was the result of a complex interaction of three distinct software bugs,” Rosen wrote. That vulnerability existed from July 2017 to September 2018, according to Facebook.
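The two mechanics the article describes, an automated script that harvests tokens by walking from an account to its friends (Sept. 14 onward) and the forced logout that invalidates those tokens (Sept. 27), can be sketched in code. The following is an added example and not Facebook’s own code: it defines a minimal server-side token store, flags sessions that obtain tokens for users other than the one they are authenticated as, and then revokes every token belonging to the affected users. The log format, the field names, the session and user identifiers, and the flagging threshold are all assumptions made for illustration.

```python
"""Added example (not Facebook's code): detect a token harvest that walks
the friend graph, then contain it by revoking the affected users' tokens.
Log format, names and threshold are assumptions for illustration only."""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
import secrets


@dataclass(frozen=True)
class IssueEvent:
    ts: str           # timestamp of the token issuance
    session: str      # server session that triggered the issuance
    acting_user: str  # user the session is authenticated as
    token_user: str   # user the newly issued token belongs to


# Constructed sample log (assumption): one token issuance per line,
# "ts,session,acting_user,token_user". A normal login issues a token for
# the user who logged in. The attacker's session obtains a token for
# someone else, then acts as that user to reach that user's friends.
SAMPLE_LOG = """\
2018-09-14T10:00:01Z,sess-alice,alice,alice
2018-09-14T10:00:05Z,sess-bob,bob,bob
2018-09-14T10:01:00Z,sess-attacker,mallory,alice
2018-09-14T10:01:01Z,sess-attacker,alice,bob
2018-09-14T10:01:02Z,sess-attacker,alice,carol
2018-09-14T10:01:03Z,sess-attacker,bob,dave
2018-09-14T10:01:04Z,sess-attacker,carol,erin
2018-09-14T10:02:00Z,sess-carol,carol,carol
"""


def parse_log(text: str) -> list[IssueEvent]:
    """Parse the constructed CSV-style issuance log into events."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, session, acting, target = line.split(",")
        events.append(IssueEvent(ts, session, acting, target))
    return events


def find_harvesting_sessions(events: list[IssueEvent], max_cross_user: int = 2) -> dict[str, set[str]]:
    """Return {session: victims} for sessions that obtained tokens for more
    than `max_cross_user` distinct users other than the one they act as.
    A token should only ever be issued to the authenticated user, so any
    cross-user issuance is suspect; the threshold separates a one-off from
    an automated walk across the friend graph."""
    victims: dict[str, set[str]] = defaultdict(set)
    for e in events:
        if e.token_user != e.acting_user:
            victims[e.session].add(e.token_user)
    return {s: v for s, v in victims.items() if len(v) > max_cross_user}


class TokenStore:
    """Opaque access tokens mapped to users. Revocation is server-side, so a
    forced logout invalidates stolen copies wherever the attacker holds them."""

    def __init__(self) -> None:
        self._tokens: dict[str, str] = {}                   # token -> user
        self._by_user: dict[str, set[str]] = defaultdict(set)  # user -> tokens

    def issue(self, user: str) -> str:
        tok = secrets.token_urlsafe(32)
        self._tokens[tok] = user
        self._by_user[user].add(tok)
        return tok

    def user_for(self, token: str) -> str | None:
        """Resolve a presented token; None means it is unknown or revoked."""
        return self._tokens.get(token)

    def revoke_user(self, user: str) -> int:
        """Forced logout: drop every token the user holds; returns the count."""
        toks = self._by_user.pop(user, set())
        for t in toks:
            del self._tokens[t]
        return len(toks)


def force_logout(store: TokenStore, users: set[str]) -> int:
    return sum(store.revoke_user(u) for u in users)


def respond(log_text: str, store: TokenStore, max_cross_user: int = 2):
    """Detect harvesting sessions, collect their victims, revoke their tokens."""
    flagged = find_harvesting_sessions(parse_log(log_text), max_cross_user)
    affected = set().union(*flagged.values()) if flagged else set()
    revoked = force_logout(store, affected)
    return flagged, affected, revoked


if __name__ == "__main__":
    store = TokenStore()
    tokens = {u: store.issue(u) for u in ["alice", "bob", "carol", "dave", "erin", "frank"]}
    flagged, affected, revoked = respond(SAMPLE_LOG, store)
    print("flagged sessions:", sorted(flagged))
    print("affected users:", sorted(affected), "tokens revoked:", revoked)
    print("alice's old token still valid?", store.user_for(tokens["alice"]) is not None)
```

Two design points carry over to the real incident. Revocation has to live on the server: a stolen token is indistinguishable from a legitimate one when presented, so the only reliable way to neutralize it is to stop honoring it, which is what a forced logout does. And the blast radius is chosen by the defender, not the attacker: the example revokes only the users the log identifies as victims, whereas Facebook reset tokens for 90 million users, well beyond the 30 million confirmed affected, because it could not yet be certain the log reflected every theft.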
There is no indication that the hack is related to the November midterm elections, Rosen told reporters.
“People’s privacy and security is incredibly important, and we are sorry this happened,” he said.
Rosen said Facebook is also working with the Federal Trade Commission and the Irish Data Protection Commission, among other authorities, in response to the security breach. The social media giant’s reporting to the Irish commission stems from breach-notification requirements under the European Union’s General Data Protection Regulation.
Users can check if they were affected via Facebook’s help center.