Facebook admits that 30 million accounts were affected by data breach
More information has come forward about the recent Facebook hack, in the form of the unhelpfully titled security notice “An important update about Facebook’s recent security incident.” In it, Facebook admitted that hackers had gained access to over 30 million accounts. But it’s alright, because, and I quote, they’re “very sorry this happened.” No hard feelings, right?
No clue what I’m talking about? That’s cool, here’s a quick rundown.
On 28 September, Facebook’s VP of Product Management, Guy Rosen, posted a security update, notifying us that three days earlier, the engineering team found a security bug that allowed hackers to gain access to an estimated 50 million Facebook accounts via their access tokens – the thing that keeps you logged into your account. Facebook responded by logging an additional 40 million users out of their accounts, as a precautionary measure.
Two weeks later, Rosen posted again, proving once and for all that he isn’t that great at titling security notices. In “An Update on the Security Issue,” Rosen stated that the correct number of accounts affected was actually closer to 30 million. Still a huge number, but not quite as bad as predicted.
So… what happened?
Well, apparently, the engineering team noticed “an unusual spike of activity” on 12 September, but it wasn’t evident that this was a hack until two weeks later. They discovered that the attackers had Facebook profiles of their own, which were connected to other accounts as “Facebook friends.”
For some reason that I can’t quite wrap my mind around, Pedro Canahuati, Vice President of Engineering, Security and Privacy, went into extreme detail when describing the security flaw that allowed the hack to occur. The full report is here, about halfway down the page. Basically, the vulnerability occurred during last year’s update to Facebook’s “View as” function, which allows you to view your own profile from the point of view of another user. In a weird twist of fate, “view as” was originally designed as a security measure.
“When using the View As feature to view your profile as a friend, the code did not remove the composer that lets people wish you happy birthday; the video uploader would generate an access token when it shouldn’t have; and when the access token was generated, it was not for you but the person being looked up,” was the official statement given by Canahuati. “That access token was then available in the HTML of the page, which the attackers were able to extract and exploit to log in as another user. The attackers were then able to pivot from that access token to other accounts, performing the same actions and obtaining further access tokens.”
Facebook has, apparently, fixed these bugs. Personally, I hope it did a good job, because it literally just gave a step-by-step explanation on how to hack into someone’s profile.
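To make the quoted failure concrete from the defender’s side, here is a small illustration (added for this article; it is not Facebook’s code, and the token format, the Session class and the function names are all hypothetical). It shows the invariant the “View As” bug broke: a token must be minted for the logged-in principal, never for the person being previewed, and preview pages should not carry token-bearing components at all. It also includes the kind of regression check a team would run over rendered HTML to catch a leaked token before it ships.

```python
import hashlib
import hmac
import re
import secrets
from dataclasses import dataclass

# Constructed server-side signing key for this example only (not a real secret).
SERVER_KEY = b"constructed-example-key-not-real"

# Hypothetical token layout: subject.nonce.signature
TOKEN_RE = re.compile(r"[A-Za-z0-9_]+\.[0-9a-f]{16}\.[0-9a-f]{32}")


@dataclass(frozen=True)
class Session:
    user_id: str  # the authenticated principal, i.e. who is actually logged in


def issue_token(subject: str) -> str:
    """Mint an opaque, HMAC-signed access token bound to `subject`."""
    nonce = secrets.token_hex(8)
    body = f"{subject}.{nonce}"
    sig = hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).hexdigest()[:32]
    return f"{body}.{sig}"


def token_subject(token: str) -> str:
    """Verify the signature and return the subject the token acts as."""
    subject, nonce, sig = token.split(".")
    body = f"{subject}.{nonce}"
    expected = hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).hexdigest()[:32]
    if not hmac.compare_digest(sig, expected):
        raise ValueError("bad token signature")
    return subject


def render_view_as_vulnerable(session: Session, viewed_as: str) -> str:
    """Mirrors the defect described in the article: in preview mode a page
    component still mints a token, mints it for the *viewed* user instead of
    the logged-in user, and writes it into the HTML where a client can read it."""
    token = issue_token(viewed_as)  # wrong subject: should never be viewed_as
    return (f'<div class="profile-preview" data-viewed-as="{viewed_as}">'
            f'<div class="video-uploader" data-token="{token}"></div></div>')


def render_view_as_fixed(session: Session, viewed_as: str) -> str:
    """Hardened preview: the composer/uploader widgets are not rendered in
    preview mode, so no token is minted or embedded. Any token the page may
    legitimately need elsewhere is minted for session.user_id only."""
    return f'<div class="profile-preview" data-viewed-as="{viewed_as}"></div>'


def find_token_leaks(html: str, session: Session) -> list:
    """Regression check for rendered pages: every token found in the HTML must
    belong to the logged-in principal. Returns the (token, subject) pairs that
    violate that rule; an empty list means the page passed."""
    leaks = []
    for token in TOKEN_RE.findall(html):
        subject = token_subject(token)
        if subject != session.user_id:
            leaks.append((token, subject))
    return leaks


def count_embedded_tokens(html: str) -> int:
    """Stricter check for preview pages: a preview should embed no tokens at all."""
    return len(TOKEN_RE.findall(html))
```

Running the two renderers for a logged-in user “alice” previewing as “bob” shows the difference: the vulnerable page carries a token whose subject is bob, which find_token_leaks reports, while the fixed page embeds nothing. In practice the stricter count_embedded_tokens check is the one worth wiring into a template test suite, because a preview page has no business carrying any access token, whoever it belongs to.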
Alright, but what did the hackers find?
Excellent question. Buckle up.
15 million poor souls had their two-factor authentication information stolen. This could have been a phone number, an email address, or both, depending on what information the user had given Facebook. (This isn’t the first time two-factor authentication has caused privacy issues, by the way.)
Worried? Understandable, but don’t unbuckle yet, it gets worse.
The remaining 14 million accounts got hit hard. Guy Rosen tried to get through this part quickly, but not even powering through the list could hide that the hackers were able to see their “username, gender, locale/language, relationship status, religion, hometown, self-reported current city, birthdate, device types used to access Facebook, education, work, the last 10 places they checked into or were tagged in, website, people or Pages they follow, and the 15 most recent searches.”
Rosen follows this bombshell by clarifying that 1 million accounts didn’t get any information stolen at all. Phew. For a minute there, I was starting to get worried.
Was I affected?
If you have to ask, the answer is probably “no.” Everyone who was affected was logged out of their account and received a security notice when they logged back in. But at the same time, just because you got a notice doesn’t mean you were hacked. Remember? Only 30 million people were affected, but they logged out 90 million accounts. You can check here to see if your account was compromised by the hack – just scroll down to the section headlined “Is my Facebook account impacted by this security issue?”
Is Facebook doing anything to keep this from happening again?
Well, Facebook is certainly claiming so. In addition to logging a bunch of people out of their accounts, Facebook also temporarily disabled the “view as” function, which, if you remember, was where the security vulnerability was. Other than that, the company has only stated that it’ll be continuing to investigate the issue alongside the FBI, the United States Federal Trade Commission, the Irish Data Protection Commission, and a couple of other unnamed authorities.
So far, there’s nothing suggesting Facebook has any idea who’s behind this hack, but we’ll keep you in the loop if anything new happens.