Facebook confirms 30 million people had personal data stolen in breach
Facebook has released some of the findings of its investigation into the security breach it discovered weeks ago, ultimately reporting that 30 million Facebook users had login access tokens stolen during the attack and that it is now working with the FBI to investigate the attack’s source.
Those tokens, which were stolen by taking advantage of three software bugs relating to the platform’s View As profile feature, essentially allow an attacker to hijack the Facebook profiles of affected individuals.
While Facebook developer accounts and Oculus profiles were not affected in the breach, the extent of the attack itself makes it something developers who use Facebook for both personal and professional reasons should be aware of. Facebook users can check through the platform’s help center whether their information was stolen.
In the blog post, Facebook details how it tracked down the attack in the first place, and ultimately says that 30 million individuals were affected by the breach. The attack started out with the theft of tokens belonging to 400,000 people, which were then used to steal access tokens from the Facebook friends of those 400,000 people and onward until 30 million were hit.
Of those, 15 million people had their name and contact information accessed while an additional 14 million people had that info plus more specific profile information like “username, gender, locale/language, relationship status, religion, hometown, self-reported current city, birthdate, device types used to access Facebook, education, work, the last 10 places they checked into or were tagged in, website, people or Pages they follow, and the 15 most recent searches.” The remaining 1 million had tokens stolen but did not see their personal info accessed.