A hot potato: Of the 50 million accounts Facebook initially reported had been affected, only 30 million had their access tokens stolen. An access token is a digital key that allows access to an account without a password – using it theoretically allows hackers access to all the information in the account. However, Facebook is now saying that of those 30 million, 15 million people had only their names and contact details exposed.
That’s some good news at least. In a blog post yesterday, Facebook’s Guy Rosen went into further details about how the hack worked and what information was disclosed. Unfortunately, he revealed that 14 million accounts had been breached fully with names, contact details, usernames, gender, language, relationship status, religion, city, birthplace, age, friend lists, recent searches and more exposed in the attack. No passwords, however.
Private messages weren’t stolen, except for messages a page admin received from their group. Contact details, birthplace and date of birth could possibly be used for financial theft, but the only use of the rest of the information is for public manipulation. It’s possible that advertisers or political operatives would purchase such information and use it for targeted advertising. Facebook says that the attack has nothing to do with the US midterm elections – quite likely considering that many accounts were not American – but on request of the FBI, aren’t revealing their suspects.
"We are sorry this happened. We know we will always face threats from people who want to access accounts and steal information.”
As Rosen explains, hackers used the “View as” feature to steal the access tokens from their friends, then “used an automated technique to move from account to account, so they could steal the access tokens of those friends, and for friends of those friends, and so on, totaling about 400,000 people.”
The friends list from each of those 400,000 accounts was accessed, and a small portion of those friends were also hacked. But due to the high numbers of friends the average account has, that small portion was 30 million people. Many questions remain unanswered: was the selection of those accounts random? What was the hackers’ motive?
In the coming days Facebook will be sending out personalized messages to each of the accounts compromised, detailing the extent of the information stolen and advice on how to avoid any damage the data theft could cause. If you’re unsure if your account was affected, you can check at their Help Center.
All Facebook accounts that were hacked had already been secured within two days of Facebook discovering the attack, and no third-party apps were accessed, but you may like to add another layer of authentication if you're worried you reveal too much on your Facebook page.