Credits: ABC News
Facebook has confirmed that a cyber attack disclosed last month exposed sensitive information, including search and location history, for 14m customers. Guy Rosen, vice-president of product management at Facebook, said on Friday that the cyber attack — the biggest security breach in the history of the world’s largest social network — had affected 30m users, far fewer than the 50m originally thought.
Facebook’s latest disclosure comes at a time of intense scrutiny for the social network from regulators and lawmakers over how it handles privacy and security, following a data breach involving the research firm Cambridge Analytica. It is also under pressure to curb the spread of disinformation on its platform, which has raised concerns over election integrity and public safety around the world.
Mr Rosen said that last month’s breach had exposed sensitive information for about half the 30m affected accounts. Facebook was co-operating with the FBI and providing information to regulators and policymakers in multiple countries around the world, he added. The social network said the FBI, which is conducting an active investigation, had advised it not to discuss who may be behind the attack.
“We don’t have a specific indication as to the intention of the hackers,” Mr Rosen said. Hackers exploited a flaw in Facebook’s “view as” feature, which was designed to let people see how their profiles appear to others, to steal the “access tokens” to accounts, according to the company.
Facebook said hackers had stolen tokens from 30m accounts. In the case of 14m users, hackers accessed a wide variety of information, including recent location check-ins, searches and nearly all of their profile details, from names, phone numbers and email addresses to birth dates, relationship statuses and religions. For another 15m people, hackers only accessed names and contact details, including phone numbers and email addresses.
No information was accessed for the remaining 1m accounts at issue. For the most part, hackers did not access people’s messages, but were able to see messages that administrators of Facebook pages received from other users contacting their pages, the company said.
Facebook said the hackers had not accessed financial information, such as credit card numbers, and did not appear to compromise Facebook Login, the service many people use to log on to other apps.
Facebook said it would message the 30m people affected with information on steps they can take to protect themselves. The personal information the hackers obtained “may allow them or other third parties to use it to create and spread spam on and off Facebook,” the company told affected users. It urged them to look out for unwanted phone calls, text messages or emails, and to be wary of phishing attempts using their email addresses.
The company declined to give a breakdown of the countries of origin for the affected accounts, but Ireland’s data regulator, which is investigating the attack under the EU’s General Data Protection Regulation, said: “Today’s update from Facebook is significant now that it is confirmed that the data of millions of users was taken by the perpetrators of the attack.” The social network also provided more details on Friday about how it discovered the attack, saying it began investigating “an unusual spike of activity” on September 14. More than a week later, on September 25, it “determined this was actually an attack and identified the vulnerability”. It fixed the flaw two days later.