A couple of weeks ago, Facebook disclosed an unprecedented data breach at the company. Access tokens obtained through a bug in the site’s “View as …” feature allowed hackers to sift through accounts and access sensitive data. Up to 90 million people were logged out of their accounts and had those tokens reset as a result of the bug’s discovery. Facebook is still investigating, and cooperating with the FBI, but in a conference call today, the company revealed some, uh, not-as-bad news: Only 30 million people got hacked.
For 15 million people, attackers accessed two sets of information — name and contact details (phone number, email, or both, depending on what people had on their profiles). For 14 million people, the attackers accessed the same two sets of information, as well as other details people had on their profiles. This included username, gender, locale/language, relationship status, religion, hometown, self-reported current city, birthdate, device types used to access Facebook, education, work, the last 10 places they checked into or were tagged in, website, people or Pages they follow, and the 15 most recent searches. For 1 million people, the attackers did not access any information.
This is very bad for Facebook. It’s embarrassing for the company. Mark Zuckerberg should take out another full-page ad apologizing for this immense screwup. Instead, Facebook is doing all it can to sweep this under the rug, once again only notifying affected users (full disclosure: I was one of them) with an innocuous link at the top of their News Feed.
In a conference call today, Facebook’s Guy Rosen said that the company was working with the FBI, but had been advised not to comment on who the perpetrators might be. They do not believe the breach was related to the upcoming midterm elections.
This was clearly an intentional, malicious theft of user data from Facebook, and some of that data is very granular. Identifying info like users’ birth dates, where they’re from, where they’ve been tagged, and the devices they use puts users at risk of getting scammed. Particularly distressing is that the hackers accessed the last 15 searches of millions of users, a hodgepodge of text strings that could be embarrassing and revealing.