Facebook announced that the recent data breach it has suffered is a little less massive than initially thought: “only” 30 million users have been affected.
But although highly personal information has been harvested from the profiles of 14 million of the victims, Facebook has told the BBC that it does not plan, at this time, to provide them with free identity theft protection services.
On Friday, while still insisting on calling this data breach a “security incident,” the company’s VP of Product Management Guy Rosen explained that “the attackers exploited a vulnerability in Facebook’s code that existed between July 2017 and September 2018.” The flaw allowed them to steal Facebook access tokens, which they could then use to take over people’s accounts: an access token is a bearer credential, so whoever holds it can act as that user without ever knowing the password.
“First, the attackers already controlled a set of accounts, which were connected to Facebook friends. They used an automated technique to move from account to account so they could steal the access tokens of those friends, and for friends of those friends, and so on, totaling about 400,000 people,” he pointed out.
“In the process, however, this technique automatically loaded those accounts’ Facebook profiles, mirroring what these 400,000 people would have seen when looking at their own profiles. That includes posts on their timelines, their lists of friends, Groups they are members of, and the names of recent Messenger conversations.”
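The crawl Rosen describes is a breadth-first traversal of the friend graph: each stolen token is used to load that user’s own view of their profile, the friend list in it supplies the next hops, and each hop yields another token. The simulation below is an added example, not code from Facebook or from the attackers; the friend graph, the account names and the `steal_token()` and `load_profile()` helpers are all constructed stand-ins for the buggy rendering path, and the tokens are synthetic strings.

```python
"""Simulation of the friend-to-friend access-token crawl described above.

Everything here is constructed for illustration: the social graph, the
account names and the two helpers that stand in for the vulnerable
profile-rendering path. It is not Facebook's code or the attackers'.
"""
from collections import deque

# Constructed, undirected friend graph: account -> list of friends.
# "grace" and "heidi" form a separate component the crawl never reaches.
FRIENDS = {
    "alice": ["bob", "carol"],
    "bob": ["alice", "dave"],
    "carol": ["alice", "dave", "erin"],
    "dave": ["bob", "carol"],
    "erin": ["carol", "frank"],
    "frank": ["erin"],
    "grace": ["heidi"],
    "heidi": ["grace"],
}


def steal_token(attacker_token, target):
    """Hypothetical stand-in for the flaw: rendering `target`'s profile
    through an account the attacker already holds a token for hands back
    a token that acts as `target`. Modelled as a synthetic string."""
    assert attacker_token.startswith("tok-"), "needs a valid attacker token"
    return f"tok-{target}"


def load_profile(token):
    """Stand-in for loading a profile with a (stolen) token: returns what
    that user would see on their own profile. Only the friend list is
    modelled, because that is what drives the next hop of the crawl."""
    owner = token[len("tok-"):]
    return {"owner": owner, "friends": list(FRIENDS[owner])}


def harvest(seed_accounts):
    """Breadth-first crawl starting from accounts the attacker already
    controls. Returns (tokens, events): `tokens` maps each reached account
    to its stolen token in the order taken; `events` lists one
    (source_account, victim_account) pair per new token, which is the
    per-hop volume a defender would see as rendering requests."""
    tokens = {}
    events = []
    frontier = deque()
    for account in seed_accounts:
        # The seeds are accounts the attackers already controlled.
        tokens[account] = f"tok-{account}"
        frontier.append(account)

    while frontier:
        current = frontier.popleft()
        # Load the profile as `current` would see it, mirroring their view.
        profile = load_profile(tokens[current])
        for friend in profile["friends"]:
            if friend in tokens:
                continue  # already harvested on an earlier hop
            tokens[friend] = steal_token(tokens[current], friend)
            events.append((current, friend))
            frontier.append(friend)
    return tokens, events


if __name__ == "__main__":
    reached, hops = harvest(["alice"])
    print(f"seed accounts: 1, tokens harvested: {len(reached)}, hops: {len(hops)}")
    for src, victim in hops:
        print(f"  via {src} -> stole token for {victim}")
```

Starting from a single controlled account, the crawl reaches every account in that component of the graph; accounts with no friendship path to a seed (here, grace and heidi) are never touched, which is why the size of the harvest is bounded by the graph, not by the number of seeds. The `events` list is the signal a defender can work from: the same small set of sources rendering thousands of other users’ profiles in quick succession.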
All in all, for 15 million users the attackers accessed the name and contact details (phone number, email). For a further 14 million users they accessed the name and contact details plus username, gender, locale/language, relationship status, religion, hometown, self-reported current city, birthdate, device types used to access Facebook, education, work, the last 10 places they checked into or were tagged in, website, people or Pages they follow, and the 15 most recent searches.
One million users got lucky – the attackers did not access any of their information.
What’s next for the victims?
Those 14 million users whose profiles were thoroughly mined for personal information now face a serious risk: the attackers can use the information to mount identity theft attacks; to run highly targeted phishing attacks via email, SMS, or phone calls; or to attempt to hijack their other accounts (the information comes in handy for guessing passwords, answering security questions, or impersonating the victim in conversations with customer support staff).
Unfortunately for them, Facebook will not be offering identity theft protection services to any of them at this time.
Instead, they’ll get customized messages explaining “what information the attackers might have accessed, as well as steps they can take to help protect themselves, including from suspicious emails, text messages, or calls,” and they will be pointed to the social network’s Help Center. Any user can visit that Help Center page to find out immediately whether their account was affected by the breach.
“We have not ruled out the possibility of smaller-scale attacks, which we’re continuing to investigate,” Rosen also added.