Millions of contact details, search history stolen in online attack: Facebook
The social media giant has said that only about 30 million users were “actually” affected
Published - Oct 13, 2018 10:12 AM Updated: Oct 13, 2018 10:12 AM
An online attack that was believed to have exposed the data of near 50 million Facebook users last month actually affected about 30 million users, the social media giant said as it released details of the leak on Friday night.
“We now know that fewer people were impacted than we originally thought. Of the 50 million people whose access tokens we believed were affected, about 30 million actually had their tokens stolen,” Facebook said.
Explaining in detail how the attack was carried out, the company said that first, the attackers already controlled a set of accounts, which were connected to Facebook friends. They used an automated technique to move from account to account so they could steal the access tokens of those friends, and for friends of those friends, and so on, totalling about 400,000 people.
The attackers used a portion of these 400,000 people’s lists of friends to steal access tokens for about 30 million people. For 15 million people, attackers accessed two sets of information – name and contact details (phone number, email, or both, depending on what people had on their profiles). For 14 million people, the attackers accessed the same two sets of information, as well as other details people had on their profiles. This included username, gender, locale/language, relationship status, religion, hometown, self-reported current city, birthdate, device types used to access Facebook, education, work, the last 10 places they checked into or were tagged in, website, people or pages they follow, and the 15 most recent searches. For 1 million people, the attackers did not access any information, Facebook said.
Explaining how they detected the attack, Facebook said, “We saw an unusual spike of activity that began on September 14, 2018, and we started an investigation. On September 25, we determined this was actually an attack and identified the vulnerability. Within two days, we closed the vulnerability, stopped the attack, and secured people’s accounts by resetting the access tokens for people who were potentially exposed. As a precaution, we also turned off “View As.”
“We’re cooperating with the FBI, which is actively investigating and asked us not to discuss who may be behind this attack,” the company added.For more updates, be socially connected with us on
WhatsApp, Instagram, LinkedIn, Twitter, Facebook & Youtube