Late last month, Facebook disclosed a massive security vulnerability that it said affected some 50 million login tokens, but details about its impact were thin pending further investigation. In a blog post today, the updated findings are in some ways better and in some ways worse.
The company now believes its initial estimate of 50 million compromised login tokens (it reset 90 million in total as a precaution) was an overestimate, and puts the number of accounts actually affected closer to 30 million. That is the good news, if you can call it that.
For the 400,000 accounts the attackers used to seed the process of gathering login tokens, personal information such as “posts on their timelines, their lists of friends, Groups they are members of, and the names of recent Messenger conversations” and, in one instance, actual message content was compromised. Of the 30 million accounts ensnared in the attack, Facebook believes that for roughly half, names and contact information (phone numbers, email addresses, or both) were visible to the attackers; for a further 14 million, the attackers scraped that same contact information along with a range of other personal details, which Facebook says could include any of the following:
[U]sername, gender, locale/language, relationship status, religion, hometown, self-reported current city, birthdate, device types used to access Facebook, education, work, the last 10 places they checked into or were tagged in, website, people or Pages they follow, and the 15 most recent searches
Facebook believes only 1 million of the total compromised accounts had no personal information accessed whatsoever.
Beginning with a set of accounts the attackers controlled, an automated script harvested the login tokens of those accounts’ friends, then of the friends of those friends, ballooning to the eventual total of 30 million accounts. Facebook reaffirmed that third-party apps were not accessed using the stolen tokens, and that the vulnerability did not affect other services the company owns, such as WhatsApp or Instagram.
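The hop-by-hop spread described above is a breadth-first traversal of the friend graph: every token the attacker holds yields tokens for that account’s friends, so the reachable set grows with each hop. The simulation below is an added illustration and is not Facebook’s code or any detail from its disclosure; the friend graph, account names and the `harvest_tokens` helper are constructed here purely to show how a small seed set expands per hop, and how a cautious containment reset (as with the 90 million tokens reset) can be sized by adding a hop of margin.

```python
from collections import deque

# Constructed toy friend graph (assumption: illustrative only, not real data).
# Edges are undirected; each key lists the account's friends.
FRIENDS = {
    "attacker1": ["a", "b"],
    "attacker2": ["b", "c"],
    "a": ["attacker1", "d", "e"],
    "b": ["attacker1", "attacker2", "f"],
    "c": ["attacker2", "g"],
    "d": ["a", "h"],
    "e": ["a"],
    "f": ["b", "i"],
    "g": ["c", "j"],
    "h": ["d", "k"],
    "i": ["f"],
    "j": ["g"],
    "k": ["h"],
}


def harvest_tokens(graph, seeds, max_hops):
    """Simulate friend-graph token harvesting as a bounded breadth-first search.

    Starting from attacker-controlled `seeds` (hop 0), each account whose token
    is held exposes the tokens of its friends (next hop), up to `max_hops`.
    Returns (count of accounts first reached at each hop, hop number per account).
    """
    hop_of = {s: 0 for s in seeds}
    queue = deque(seeds)
    while queue:
        acct = queue.popleft()
        if hop_of[acct] >= max_hops:
            continue  # do not expand beyond the attacker's hop budget
        for friend in graph.get(acct, []):
            if friend not in hop_of:  # first time this token is obtained
                hop_of[friend] = hop_of[acct] + 1
                queue.append(friend)
    counts = {}
    for hop in hop_of.values():
        counts[hop] = counts.get(hop, 0) + 1
    return counts, hop_of


def tokens_to_reset(graph, seeds, observed_hops, margin_hops=1):
    """Containment view: reset every token the attacker could have reached
    within the observed hop depth plus a safety margin, not just those confirmed.
    Returns the sorted account list whose tokens should be invalidated."""
    _, hop_of = harvest_tokens(graph, seeds, observed_hops + margin_hops)
    return sorted(hop_of)


if __name__ == "__main__":
    seeds = ["attacker1", "attacker2"]
    for hops in (1, 2, 3):
        counts, _ = harvest_tokens(FRIENDS, seeds, hops)
        print(f"max_hops={hops}: per-hop counts {counts}, total {sum(counts.values())}")
    print("reset set:", tokens_to_reset(FRIENDS, seeds, observed_hops=2))
```

Two seed accounts reach 3 friends at hop 1 and 4 friends of friends at hop 2 in this toy graph; on a real social graph with hundreds of friends per account the same two hops reach tens of millions, which is why the reset set is deliberately larger than the confirmed-compromised set.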
The vulnerability had existed in Facebook’s code since July 2017, and its exploitation produced “an unusual spike of activity” on September 14 of this year. It took almost two weeks for the company to determine that the activity was a genuine attack and to patch the vulnerability. Facebook is working alongside the FBI, and according to remarks by Vice President of Product Management Guy Rosen this afternoon, the agency’s investigation appears to be ongoing. When asked whether any pattern exists among the victims or who might have been behind the attack, Facebook cited an FBI request not to disclose such information. Rosen did state that the company does not believe the attack was directly related to the upcoming U.S. midterm elections.
According to Rosen, a tool in Facebook’s help center will now show users whether they were affected and what information may have been exposed. Affected users will also see a “customized message” in the coming days with guidance on protective steps.