On October 12, 2018, Facebook published an update on the attack that we presented to you just about two weeks ago in an article titled Facebook Hack – Over 90 Million Accounts Affected. Is Your Facebook Account Affected?. The attack exploited access tokens “stolen” via a vulnerability in Facebook’s View As feature. The vulnerability was then used to compromise what was initially estimated as 50 million Facebook accounts, and it caused Facebook to reset the access tokens of close to 90 million accounts.
The Update In A Nutshell
Facebook has narrowed down the number of compromised accounts to 30 million, which are grouped in three different categories. Facebook will inform the members of each category, via a notification in the user’s timeline, about what type and amount of information was compromised for each individual user. In their update, Facebook provides the scope of the attack:
The attackers used a portion of these 400,000 people’s lists of friends to steal access tokens for about 30 million people. For 15 million people, attackers accessed two sets of information – name and contact details (phone number, email, or both, depending on what people had on their profiles). For 14 million people, the attackers accessed the same two sets of information, as well as other details people had on their profiles. This included username, gender, locale/language, relationship status, religion, hometown, self-reported current city, birthdate, device types used to access Facebook, education, work, the last 10 places they checked into or were tagged in, website, people or Pages they follow, and the 15 most recent searches. For 1 million people, the attackers did not access any information. People can check whether they were affected by visiting our Help Center.
The featured image of this article is the mockup of what the notifications are supposed to look like. Please go to Facebook’s newsroom for a detailed article providing the October 12, 2018 update.
What Do You Need To Do?
Facebook is collaborating with security agencies around the world, including the FBI and the Irish Data Protection Commission, to narrow down who the attackers are and what their intents are. Meanwhile, please beware of any emails, phone calls, or other tactics that could be used to scam you via social engineering as the attackers start using the information they stole from your profile or those of your friends or friends’ friends on Facebook. Do not give away personal information unless you can ascertain that you know who you are talking to and why you are giving that information away. You will most likely need to maintain this level of alert for the next several years, depending on what information about you or your connections was compromised.
If you have questions or information about the attack, please post them in the comment section of this article. You can find most of the questions and answers currently available in this press call transcript published by Facebook.