The hackers did not affect Facebook-owned Messenger, Messenger Kids, Instagram, WhatsApp, Oculus, Workplace, Pages, payments, third-party apps or advertising or developer accounts, the company said.
Attackers exploited a vulnerability in the “View As” feature that allowed them to steal Facebook access tokens of the users, it allows users to see how others see their profile.
Earlier this month Facebook revealed attackers chained three bugs to breach into the Facebook platform.
“We now know that fewer people were impacted than we originally thought,” said Facebook vice president of product management Guy Rosen in a conference call.
Attackers accessed the names, phone numbers and email addresses of 15 million users, while for another 14 million users hackers also accessed usernames, profile details (i.e. gender, relationship status, hometown, birthdate, city, and devices), and their 15 most recent searches.
For the remaining one million users affected by the Facebook Data Breach whose “access tokens” were stolen, no data was accessed.
The hackers started on September 14 with 400,000 “seed accounts” they were controlling directly then they expanded their activity to their networks.
“First, the attackers already controlled a set of accounts, which were connected to Facebook friends. They used an automated technique to move from account to account so they could steal the access tokens of those friends, and for friends of those friends, and so on, totaling about 400,000 people.” Rosen added.
“In the process, however, this technique automatically loaded those accounts’ Facebook profiles, mirroring what these 400,000 people would have seen when looking at their own profiles. That includes posts on their timelines, their lists of friends, Groups they are members of, and the names of recent Messenger conversations. Message content was not available to the attackers, with one exception. If a person in this group was a Page admin whose Page had received a message from someone on Facebook, the content of that message was available to the attackers.”
Facebook is cooperating with the US authorities, the Irish Data Protection Commission and other authorities regarding the breach.
Rosen confirmed Facebook had “no reason to believe this attack was related to the mid-term elections” in the US.
(Security Affairs – Facebook data breach, hacking)