Facebook has revealed that millions of email addresses, phone numbers and other personal user information were compromised during a recent security breach.
The social media giant, which has more than two billion users worldwide, announced last month that engineers had discovered a “security issue” which affected 50 million accounts.
On Friday, the company’s vice president of product management Guy Rosen said “fewer people were impacted than we originally thought”, with access tokens stolen from around 30 million accounts.
Access tokens work as digital keys, letting those who hold them log into Facebook accounts without entering a password.
Shedding new light on the hack, Mr Rosen said the attackers used an “automated technique” to move from account to account stealing tokens of friends-of-friends, “totalling about 400,000 people”.
This pool of 400,000 users allowed them to steal access tokens from the full 30 million, he continued.
He wrote: “For 15 million people, attackers accessed two sets of information – name and contact details (phone number, email, or both, depending on what people had on their profiles).
“For 14 million people, the attackers accessed the same two sets of information, as well as other details people had on their profiles.
“This included username, gender, locale/language, relationship status, religion, hometown, self-reported current city, birthdate, device types used to access Facebook, education, work, the last 10 places they checked into or were tagged in, website, people or Pages they follow, and the 15 most recent searches.
“For 1 million people, the attackers did not access any information.”
Mr Rosen said a combination of three bugs in the View As feature, which lets users see what their profile looks like from the perspective of other accounts, made access tokens freely available to copy from the source code of the web page.
It was this vulnerability which allowed “an external actor” to obtain access tokens, giving them the ability to log into, and take over, users’ Facebook accounts and any of their other services, such as Spotify, Instagram or Tinder, which accept Facebook access tokens.
Messages between accounts were not compromised by the hackers, Mr Rosen said on Friday, except if the person was a page admin whose page had received a message.
Facebook staff first noticed an “unusual spike of activity” that began on September 14.
On September 25, the activity was identified as an attack, and engineers closed the vulnerability within two days, the tech chief said.
“We’re cooperating with the FBI, which is actively investigating and asked us not to discuss who may be behind this attack,” his blog continued.
Facebook users can check if they are affected by visiting the website’s help centre.