Facebook Clarifies Extent of Data Breach30 Million Affected; 14 Million Had Extensive Information Exposed
Facebook now says that 20 million fewer accounts were breached than it originally believed, but the attackers accessed extensive sensitive personal information on nearly half of those affected.
In a statement released Friday, Facebook revised the total affected to 30 million, down from its original estimate of 50 million announced two weeks ago.
For 14 million people, the attackers accessed extensive details, including their 15 most recent searches, the last 10 places they checked into or were tagged in and the device types they used to access Facebook. For another 15 million account holders, the hackers accessed only name and contact details - phone number, email address or both. The attackers did not gain access to any information for another 1 million people whose accounts were affected.
Facebook says the hackers did not gain access to financial information, such as credit card numbers, according to USA Today.
FBI Investigation Continues
On a call with reporters on Friday, Guy Rosen, Facebook's vice president of product management, said that the FBI is investigating the breach and that the agency has requested the company "not to discuss who may be behind this attack" or to share other details that could compromise its investigation, CNN reports.
But Gartner analyst Avivah Litan told Information Security Media Group on Sept. 28 that a nation-state likely was involved in the hack.
"This Facebook data is mainly useful to either advertisers or nation-states. I doubt advertisers hacked Facebook, so I imagine this is the work of a nation-state building out its population maps for citizenry of various countries," Litan said.
Facebook said that it may still not know the full extent of the attack and wasn't ruling out the possibility of other "smaller-scale attacks" linked to the breach, CNN reports. The company said it will continue to investigate "other ways the people behind this attack used Facebook."
Access Tokens Stolen
In its original announcement on Sept. 28, Facebook noted: "Attackers exploited a vulnerability in Facebook's code that impacted 'View As,' a feature that lets people see what their own profile looks like to someone else. This allowed them to steal Facebook access tokens, which they could then use to take over people's accounts. Access tokens are the equivalent of digital keys that keep people logged in to Facebook so they don't need to re-enter their password every time they use the app."
The social media giant has turned off the "View As" function.
While Facebook has invalidated 90 million users' single sign-on access tokens, researchers warn that most access token hijacking victims still lack any reliable "single sign-off" capabilities that will revoke attackers' access to hyper-connected web services and mobile apps (see: Facebook Breach: Single Sign-On of Doom).
And the attackers may still be able to access victims' accounts at some third-party web services and mobile apps (see Facebook Can't Reset All Breach Victims' Access Tokens).
Seth Ruden, principal fraud consultant at payment systems company ACI Worldwide, says the impact of the Facebook breach involving single sign-on could be significant.
"Assume that if you had Facebook log you into another account with payment information on file, financial transactions may have been made on your behalf - that's the potential impact of this event. Think Uber, Tinder, Expedia access and you get the scale. Further, this might mean you also lose access to these other accounts when the demographic elements are accessible to and able to be changed by an attacker, to allow for the fraud to last over a longer period."
Julie Conroy, research director at Aite Group, an advisory firm, says the Facebook breach "further reinforces the fact that everyone - consumers, businesses - has to assume that our data is in the dark web. Aite hosted a financial crime forum a couple weeks ago, and a theme that kept coming up over and over was the prevalence and success of social engineering attacks. It's breaches like this that keep on coming and make all of this so easy for the criminals."
(Nick Holland, director of banking and payments, contributed to this story.)