Nearly 30 million Facebook users' phone numbers and email addresses were accessed by hackers in the biggest security breach in the company's history, Facebook said Friday. The social network has put out more details about the attack, which exploited a vulnerability in Facebook's code between July 2017 and September 2018, impacting the "View As" feature that lets people preview how their profile appears to others.
Facebook on Friday provided an update on a recent breach to say that 30 million people had their Facebook access tokens stolen rather than the previously announced 50 million. For those 400,000, the attackers could see what the users see as they look at their own profiles. "It allowed attackers to steal Facebook access tokens, which they could then use to take over people's accounts".
The social media service plans to send messages to people whose accounts were hacked.
Facebook Vice President Guy Rosen told reporters that the Federal Bureau of Investigation asked the company to limit descriptions of the attackers due to an ongoing inquiry, a report in ABC stated. Facebook said it has turned off the "View As" feature as a security precaution.
What may have motivated the attackers is still unclear; despite mounting concerns about election security as US officials count down to a highly contested midterm election, Facebook said there was no indication the hack was specifically related to the US electoral process. They then used the same vulnerability over and over again until they gathered tokens for around 400,000 accounts, which Rosen referred to as "seed accounts".
These details were exposed sometime between September 14 and September 25 this year, when the company first discovered the security breach due to a sudden uptick in activity. Between the Cambridge Analytica scandal and a number of smaller incidents that followed once Facebook started investigating all third-party apps using its APIs this past spring, as well as the newly disclosed vulnerability, the company is now facing heavy scrutiny over its data management practices.
Beginning with a set of accounts controlled by the attackers, the exploit jumped from friends of those users to friends of friends, ballooning to the eventual total of 30 million accounts via an automated script. But three errors in Facebook's software enabled someone accessing "View As" to post and browse from the Facebook account of the other user.
The breach could affect users' willingness to use Facebook products.
Last month, Facebook reset the tokens of almost 50 million accounts that it believed were affected and, as a precaution, also reset the tokens for another 40 million accounts that had used "View As" in the past year.
Photo credit: Facebook. Customised messages that people will see depending on how they were impacted.
Facebook has, however, confirmed that this attack did not include Messenger, Messenger Kids, Instagram, WhatsApp, Oculus, Workplace, Pages, payments, third-party apps, or advertising or developer accounts.