Facebook’s latest data breach just got worse. The social network has put out more details about the attack, which exploited a vulnerability in Facebook’s code between July 2017 and September 2018 affecting the View As feature that lets people preview how their profile appears to others. Facebook now claims that fewer users had their access tokens stolen than originally thought (30 million rather than 50 million), with the attackers working outward from 400,000 accounts they had exploited directly.
But if you thought that was good news, the company has also revealed that the attackers accessed the name and contact details of 15 million of those 30 million, and everything from gender to relationship status for another 14 million. Only 1 million of the 30 million had none of their data compromised.
Facebook is already sending customised messages to the 30 million affected users to explain what has happened. It will also suggest steps they can take to protect themselves. The only silver lining to this really dark cloud is that “Messenger, Messenger Kids, Instagram, WhatsApp, Oculus, Workplace, Pages, payments, third-party apps, or advertising or developer accounts” have not been affected by this specific attack.
Facebook is not releasing country-specific data on who has been affected where. All the company is saying is that it is taking the incident seriously and working with the FBI and other agencies to investigate.
So how did the attackers gain access to data from so many Facebook accounts?
In a press call, Guy Rosen, Facebook’s VP of Product Management, said the attackers “moved from account to account using an automated script collecting tokens, repeatedly exploiting the vulnerability using access tokens for about 400,000 people”. The attackers then used the list of friends they collected to “eventually steal access tokens for about 30 million people”.
So they accessed 400,000 accounts using the vulnerability in the View As feature. Starting with the accounts they controlled directly, the attackers moved to their friends and to their friends’ friends, and so forth — each time by stealing the access tokens, Rosen explained. “The 400,000 accounts are the ones where their script loaded the View As view that actually loads the Facebook profile for that person,” he said on the call.
What kind of information has been compromised?
Rosen said this will fall into three groups.
• As the attackers could use the vulnerability in View As, they could see “things like posts on their Timelines, their list of Friends, Groups they’re members of, and the names of some recent Messenger conversations”. Facebook claims that message content itself was not available to the attackers, with one exception: if the person was a Page admin and had received a message from someone, that message could have been seen. This is the first set of those hit.