Facebook revealed on Friday that a hack in September allowed attackers to harvest millions of phone numbers and email addresses.
In a blog post, the company wrote:
First, the attackers already controlled a set of accounts, which were connected to Facebook friends. They used an automated technique to move from account to account so they could steal the access tokens of those friends, and for friends of those friends, and so on, totaling about 400,000 people. In the process, however, this technique automatically loaded those accounts’ Facebook profiles, mirroring what these 400,000 people would have seen when looking at their own profiles. That includes posts on their timelines, their lists of friends, Groups they are members of, and the names of recent Messenger conversations. Message content was not available to the attackers, with one exception. If a person in this group was a Page admin whose Page had received a message from someone on Facebook, the content of that message was available to the attackers.
The attackers used a portion of these 400,000 people’s lists of friends to steal access tokens for about 30 million people. For 15 million people, attackers accessed two sets of information – name and contact details (phone number, email, or both, depending on what people had on their profiles). For 14 million people, the attackers accessed the same two sets of information, as well as other details people had on their profiles. This included username, gender, locale/language, relationship status, religion, hometown, self-reported current city, birthdate, device types used to access Facebook, education, work, the last 10 places they checked into or were tagged in, website, people or Pages they follow, and the 15 most recent searches. For 1 million people, the attackers did not access any information.
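The quoted post describes two things a defender can model: how token exposure spreads hop by hop from a set of already-controlled accounts through their friends lists, and the telltale of an "automated technique" moving account to account, which shows up as one session minting tokens for many distinct accounts in a short time. The script below is an added, illustrative example written for this page, not Facebook's own code or tooling; the friend graph, session ids and token-grant records are constructed, and the hop limit, window and threshold are arbitrary assumptions.

```python
"""Blast-radius estimate and burst detection for access-token harvesting.

Added example: constructed toy data, not Facebook's systems or data.
"""
from collections import Counter, deque
from datetime import datetime, timedelta

# Constructed undirected friend graph; account ids are made up.
# z1/z2 form a separate component that a crawl from a1 never reaches.
FRIENDS = {
    "a1": {"a2", "a3"}, "a2": {"a1", "a4"}, "a3": {"a1", "a5", "a6"},
    "a4": {"a2"}, "a5": {"a3", "a7"}, "a6": {"a3"}, "a7": {"a5", "a8"},
    "a8": {"a7"}, "z1": {"z2"}, "z2": {"z1"},
}


def exposed_tokens(graph, seeds, max_hops):
    """Breadth-first walk from the initially controlled accounts.

    Returns {account: hop distance}: hop 0 is the seed set, hop 1 their
    friends, hop 2 friends of friends, and so on, up to max_hops.
    Every account in the result is one whose token would be reachable.
    """
    hops = {seed: 0 for seed in seeds}
    queue = deque(seeds)
    while queue:
        account = queue.popleft()
        if hops[account] >= max_hops:
            continue
        for friend in sorted(graph.get(account, ())):
            if friend not in hops:
                hops[friend] = hops[account] + 1
                queue.append(friend)
    return hops


def exposure_by_hop(hops):
    """Collapse the walk into {hop: number of accounts first reached there}."""
    return dict(sorted(Counter(hops.values()).items()))


def token_bursts(events, window_s, threshold):
    """Flag sessions that mint tokens for too many distinct accounts.

    events: iterable of (timestamp, session_id, account_id) token-grant
    records. A session is flagged when, inside any sliding window of
    window_s seconds, it obtained tokens for more than `threshold`
    distinct accounts. Re-minting for the same account (a refresh) does
    not count, so a noisy but legitimate client is not flagged.
    Returns {session_id: peak distinct-account count}.
    """
    by_session = {}
    for ts, session, account in events:
        by_session.setdefault(session, []).append((ts, account))

    flagged = {}
    span = timedelta(seconds=window_s)
    for session, records in by_session.items():
        records.sort()
        start = 0
        for end in range(len(records)):
            while records[end][0] - records[start][0] > span:
                start += 1
            distinct = {acct for _, acct in records[start:end + 1]}
            if len(distinct) > threshold:
                flagged[session] = max(flagged.get(session, 0), len(distinct))
    return flagged


def build_sample_log():
    """Constructed token-grant log: three ordinary sessions, one session
    refreshing its own token repeatedly, and one crawler session."""
    t0 = datetime(2018, 9, 14, 10, 0, 0)
    events = []
    for i, account in enumerate(["u1", "u2", "u3"]):
        events.append((t0 + timedelta(minutes=i), f"s-benign-{i}", account))
    for i in range(12):  # same account, many refreshes: benign
        events.append((t0 + timedelta(seconds=i), "s-refresh", "u9"))
    for i in range(12):  # twelve different accounts in 22 seconds: crawl
        events.append((t0 + timedelta(seconds=2 * i), "s-crawl", f"f{i}"))
    return events


if __name__ == "__main__":
    walk = exposed_tokens(FRIENDS, {"a1"}, max_hops=2)
    print("accounts exposed per hop:", exposure_by_hop(walk))
    print("flagged sessions:", token_bursts(build_sample_log(), 60, 5))
```

Run as written, the walk from the single seed `a1` exposes 1, 2 and 3 accounts at hops 0, 1 and 2, and only the `s-crawl` session is flagged. The per-session distinct-account window is the part worth keeping: it separates a client refreshing its own token many times from one collecting tokens for other people's accounts, which is the pattern the quoted post attributes to the attackers.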
Facebook also published a webpage where users can check whether their accounts were impacted by the breach and, if so, to what degree their information was exposed.
The company said the breach is under investigation by the FBI, which asked Facebook “not to discuss who may be behind this attack.”
“We are still looking at other ways the people behind these attacks may have used Facebook, and we haven’t ruled out the possibility of smaller scale, low-level access attempts,” said Guy Rosen, Facebook vice president of product management, adding that the company had also notified the U.S. Federal Trade Commission and the Irish Data Protection Commission.
“People’s privacy and security are incredibly important, and we are sorry this happened,” Rosen said.
The company said the attack began on Sept. 14 and was not detected until Sept. 25. Within two days, the company fixed its vulnerabilities, stopped the attack and reset the access tokens for impacted users, Rosen said. Those impacted users will receive a note from Facebook on the service notifying them of the attack in the coming days, Rosen said.
Facebook discovered and disclosed the security breach in late September, saying at the time that the issue impacted 50 million accounts, with an additional 40 million deemed "at-risk." That number was reduced to 30 million, according to a blog post published by the company.
The company has been dealing with myriad issues concerning the health of its service throughout 2018. Facebook on Thursday, for example, disclosed its decision to remove 559 Pages and 251 accounts that it claimed broke the company's spam policies.
Shares of Facebook, which were already down slightly before the company’s announcement, fell to a day low of $151.30 per share.