2018-10-12 12:43:35 | FB
Facebook says 30M actually had tokens stolen in recent cybersecurity breach
Facebook said in a blog post that it is sharing details about the recent security breach, noting that it has not ruled out the possibility of smaller-scale attacks, which it is continuing to investigate. The company noted that it saw an unusual spike of activity that began on September 14, 2018, and started an investigation. "On September 25, we determined this was actually an attack and identified the vulnerability," Facebook said. "Within two days, we closed the vulnerability, stopped the attack, and secured people's accounts by restoring the access tokens for people who were potentially exposed. As a precaution, we also turned off 'View As.' We're cooperating with the FBI, which is actively investigating and asked us not to discuss who may be behind this attack."

Of the 50M people whose access tokens the company believed were affected, about 30M actually had their tokens stolen. Facebook said that the attackers already controlled a set of accounts, which were connected to Facebook friends. They used an automated technique to move from account to account so they could steal the access tokens of those friends, and of friends of those friends, and so on, totaling about 400,000 people. In the process, however, this technique automatically loaded those accounts' Facebook profiles, mirroring what these 400,000 people would have seen when looking at their own profiles. That includes posts on their timelines, their lists of friends, Groups they are members of, and the names of recent Messenger conversations. Message content was not available to the attackers, with one exception: if a person in this group was a Page admin whose Page had received a message from someone on Facebook, the content of that message was available to the attackers.

The attackers used a portion of these 400,000 people's lists of friends to steal access tokens for about 30M people. For 15M people, attackers accessed two sets of information: name and contact details. For 14M people, the attackers accessed the same two sets of information, as well as other details people had on their profiles. This included username, gender, locale/language, relationship status, religion, hometown, self-reported current city, birthdate, device types used to access Facebook, education, work, the last 10 places they checked into or were tagged in, website, people or Pages they follow, and the 15 most recent searches. For 1M people, the attackers did not access any information.

Facebook said that it will send customized messages to the 30M people affected to explain what information the attackers might have accessed, as well as steps they can take to help protect themselves, including from suspicious emails, text messages, or calls. This attack did not include Messenger, Messenger Kids, Instagram, WhatsApp, Oculus, Workplace, Pages, payments, third-party apps, or advertising or developer accounts, the company noted.
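The response described above, scoping exposure outward from a set of attacker-controlled accounts through friends and friends of friends, and then invalidating every access token in that set so that holders must re-authenticate, can be modelled as a graph walk followed by a bulk revocation. The following is an added illustration, not Facebook's code or any description of its actual systems: the friend graph, the `TokenStore` class, the account ids and the hop limit are all constructed for the example. It shows why the containment set (50M tokens reset) is naturally larger than the set the attackers actually reached (30M): a defender revokes everything within reach of the seeds rather than only the tokens known to have been taken.

```python
import secrets
from collections import deque

# Constructed sample friend graph (undirected adjacency lists). The account
# ids are placeholders for this example, not real users.
FRIENDS = {
    "acct0": {"acct1", "acct2"},
    "acct1": {"acct0", "acct3"},
    "acct2": {"acct0", "acct4", "acct5"},
    "acct3": {"acct1", "acct6"},
    "acct4": {"acct2"},
    "acct5": {"acct2"},
    "acct6": {"acct3"},
}


def exposure_set(graph, seeds, max_hops):
    """Breadth-first walk outward from attacker-controlled seed accounts.

    Returns {account: hop_distance}: hop 0 is a seed, hop 1 a direct friend,
    hop 2 a friend of a friend, and so on up to max_hops. Every account in
    this set is treated as potentially exposed, whether or not its token is
    known to have been harvested.
    """
    dist = {seed: 0 for seed in seeds}
    queue = deque(seeds)
    while queue:
        node = queue.popleft()
        if dist[node] >= max_hops:
            continue  # do not expand beyond the chosen blast radius
        for friend in graph.get(node, ()):
            if friend not in dist:
                dist[friend] = dist[node] + 1
                queue.append(friend)
    return dist


class TokenStore:
    """Minimal in-memory access-token registry (hypothetical stand-in)."""

    def __init__(self):
        self._tokens = {}  # account -> currently valid token

    def issue(self, account):
        token = secrets.token_hex(16)
        self._tokens[account] = token
        return token

    def is_valid(self, account, token):
        return self._tokens.get(account) == token

    def revoke(self, accounts):
        """Invalidate the live token of every listed account.

        Returns how many tokens were actually live (and therefore revoked);
        accounts with no current token are skipped.
        """
        revoked = 0
        for account in accounts:
            if self._tokens.pop(account, None) is not None:
                revoked += 1
        return revoked


def contain(graph, seeds, max_hops, store):
    """Scope the incident and force re-authentication for the exposed set."""
    exposed = exposure_set(graph, seeds, max_hops)
    revoked = store.revoke(exposed)
    return exposed, revoked


if __name__ == "__main__":
    store = TokenStore()
    for acct in FRIENDS:
        store.issue(acct)
    exposed, revoked = contain(FRIENDS, {"acct0"}, 2, store)
    for acct, hops in sorted(exposed.items()):
        print(f"{acct}: {hops} hop(s) from a seed")
    print("tokens revoked:", revoked)
```

With `max_hops=2` the walk from `acct0` reaches six of the seven accounts; `acct6`, three hops out, keeps its token. Raising the hop limit widens the precautionary reset at the cost of logging more unaffected people out, which is the trade-off behind resetting tokens for everyone "potentially exposed" rather than only for confirmed victims.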