Facebook reveals security incident let hackers access 30m profiles

Facebook founder and CEO Mark Zuckerberg

At the end of September, Facebook revealed that as many as 90 million accounts may have been hacked, due to a ‘security issue’.

Now, the tech giant has released an update on its investigation into the issue.

Facebook said: “Today, we’re sharing details about the attack we’ve found that exploited this vulnerability. We have not ruled out the possibility of smaller-scale attacks, which we’re continuing to investigate.”

In a blog, Facebook explained that the attackers exploited a vulnerability in Facebook’s code that existed between July 2017 and September 2018.

The vulnerability was the result of a ‘complex interaction’ between three software bugs, and impacted the “View As” feature, which lets you see what your profile looks like to someone else.

This vulnerability allowed attackers to steal Facebook access tokens, which could then be used to take over people’s accounts.

Access tokens are the equivalent of digital keys that keep people logged in to Facebook so they don’t need to re-enter their password every time they use the app.

How Facebook found the attack

Facebook discovered the attack after noticing an unusual spike of activity that began on September 14, 2018.

On September 25, the site determined this was an attack and identified the vulnerability.

Within two days, Facebook had closed the vulnerability, stopped the attack, and secured people’s accounts.

Facebook also turned off the “View As” feature as an extra precaution.

How many people were affected?

Facebook now knows that fewer people were impacted than originally thought.

Of the 50 million people whose access tokens were believed to be affected, about 30 million actually had their tokens stolen.

How did it happen?

The attackers already controlled a set of accounts, which were connected to Facebook friends.

They used an automated technique to move from account to account so they could steal the access tokens of those friends, and then of friends of those friends.

In total, the attackers stole tokens of about 400,000 people.

However, in the process, this technique automatically loaded those accounts’ Facebook profiles, mirroring what these 400,000 people would have seen when looking at their own profiles.

This includes posts on their timelines, their lists of friends, Groups they were members of, and the names of recent Messenger conversations.

If a person in a group was a Page admin whose Page had received a message from someone on Facebook, the content of that message was available to the attackers.

The attackers used a portion of these 400,000 people’s lists of friends to steal access tokens for about 30 million people.
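The two signals described above, the unusual spike of activity that led Facebook to the attack and the automated hop from account to account across friend lists, are both things a defender can look for in request telemetry. The following is an added example written for this article, not Facebook's own code or telemetry: it assumes a simple constructed log format (`<timestamp> view_as source=<id> target=<id>`), flags hours whose request volume exceeds the mean plus `k` standard deviations of earlier hours, and lists source accounts that reached implausibly many distinct targets. Account ids, thresholds and the log lines are all constructed for the example.

```python
"""Spike / fan-out detector over constructed "View As" request logs.

The log format, account ids and thresholds below are assumptions made for
this example; they are not Facebook's real telemetry or code.
"""
import math
from collections import Counter, defaultdict
from datetime import datetime

LOG_TS_FMT = "%Y-%m-%dT%H:%M:%SZ"


def build_sample_log():
    """Constructed sample: six quiet hours, then one hour in which three
    source accounts fan out across forty distinct targets."""
    lines = []
    for h, n in enumerate([2, 3, 2, 3, 2, 3]):          # organic baseline
        for i in range(n):
            lines.append(
                f"2018-09-13T{h:02d}:{i * 7:02d}:00Z view_as "
                f"source=u{100 + h * 10 + i} target=u{200 + h * 10 + i}"
            )
    for i in range(40):                                  # automated hopping
        lines.append(
            f"2018-09-14T10:{i:02d}:00Z view_as "
            f"source=u{300 + i % 3} target=u{1000 + i}"
        )
    return lines


def parse_line(line):
    """Return (hour_bucket, source, target) for one 'view_as' log line."""
    ts, event, src, dst = line.split()
    if event != "view_as":
        raise ValueError(f"unexpected event: {event}")
    hour = datetime.strptime(ts, LOG_TS_FMT).strftime("%Y-%m-%dT%H")
    return hour, src.split("=", 1)[1], dst.split("=", 1)[1]


def hourly_counts(lines):
    """Number of View As requests per hour bucket."""
    counts = Counter()
    for line in lines:
        hour, _, _ = parse_line(line)
        counts[hour] += 1
    return dict(counts)


def spike_hours(counts, k=3.0, min_history=3, std_floor=1.0):
    """Flag hours whose count exceeds mean + k*std of the earlier, unflagged
    hours. Flagged hours are kept out of the baseline so an attack that runs
    for several hours does not normalise itself; std_floor stops a perfectly
    flat baseline from flagging tiny fluctuations."""
    flagged, history = [], []
    for hour in sorted(counts):                # ISO strings sort chronologically
        n = counts[hour]
        if len(history) >= min_history:
            mean = sum(history) / len(history)
            var = sum((x - mean) ** 2 for x in history) / len(history)
            std = max(math.sqrt(var), std_floor)
            if n > mean + k * std:
                flagged.append(hour)
                continue
        history.append(n)
    return flagged


def high_fan_out_sources(lines, max_targets=10):
    """Sources that viewed more distinct targets than one person plausibly
    would; the hop-from-account-to-account pattern shows up as high fan-out."""
    targets = defaultdict(set)
    for line in lines:
        _, src, dst = parse_line(line)
        targets[src].add(dst)
    return {s: t for s, t in targets.items() if len(t) > max_targets}


if __name__ == "__main__":
    log = build_sample_log()
    print("spike hours:", spike_hours(hourly_counts(log)))
    for src, tgts in sorted(high_fan_out_sources(log).items()):
        print(f"{src} reached {len(tgts)} distinct targets")
```

Either signal alone is noisy: a product launch can produce a volume spike, and a support tool can legitimately fan out. The two together, a volume spike driven by a few sources each touching many accounts, is the shape the article describes, and is the kind of pattern worth alerting on before investigating the underlying feature.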

Facebook explained: "For 15 million people, attackers accessed two sets of information – name and contact details (phone number, email, or both, depending on what people had on their profiles).

"For 14 million people, the attackers accessed the same two sets of information, as well as other details people had on their profiles.

"This included username, gender, locale/language, relationship status, religion, hometown, self-reported current city, birthdate, device types used to access Facebook, education, work, the last 10 places they checked into or were tagged in, website, people or Pages they follow, and the 15 most recent searches."

How to tell if you were affected

You can check if you were affected by visiting Facebook's Help Center.

Facebook added: "In the coming days, we’ll send customized messages to the 30 million people affected to explain what information the attackers might have accessed, as well as steps they can take to help protect themselves, including from suspicious emails, text messages, or calls."
