Facebook says the security breach that rattled users last month impacted fewer people than initially believed. It's still in millions of users but down to 30 million from 50 million users who were originally expected to be impacted.
In a post earlier today, the company said that the attackers exploited a vulnerability in Facebook’s code that existed between July 2017 and September 2018. This vulnerability in the code of View As (a feature that allows you to see how their profile looks to a specific set of people) enabled hackers to get access to a digital token that was used to log into millions of user accounts.
It allowed attackers to steal Facebook access tokens, which they could then use to take over people’s accounts. Access tokens are the equivalent of digital keys that keep people logged in to Facebook so they don’t need to re-enter their password every time they use the app.
Facebook: Time for some
more bad news
In the world of Facebook, that number is actually a good news considering it's usually the other way around - we are given a number and then the investigations discover the impacted people are even more than originally reported.
But the real bad news is that the attackers did get access to personal user data of millions of users. This data includes but is not limited to:
- Contact info, including phone numbers and emails
- Relationship status
- Self-reported current city
- Device types used to access Facebook
- Last 10 places they checked into or were tagged in
- People or Pages they follow
- 15 most recent searches
While any kind of personal information has to be kept private and secure, the social networking giant is potentially going to deal with a lot more issues thanks to it keeping tabs on location and search history and then securing it in a way that a vulnerability allowed hackers to get access to this data too.
Facebook says that out of the 30 million impacted users, for 1 million people, the attackers did not access any information. The FBI is currently investigating the attack.
- For more details, head over to the company blog post.