According to the company, the FBI has asked it not to disclose, for now, who could be behind the attack.
Facebook said that hackers stole access keys (tokens) to the pages of 30 million users through a bug in the feature for viewing a page on behalf of another person. This allowed the attackers to gain access to private data, including phone numbers and email addresses.
The social network said that the attack reached such proportions because of a “virus” effect. First, the hackers gained access to 400 thousand accounts that were connected to one another as friends, and then used an automated method of moving from account to account and stole tokens.
In the process, the attackers received “reflections” of these users' profiles, including posts from their feeds, lists of friends, groups they belong to and names from recent conversations in Messenger. As the company noted, the content of the messages themselves remained inaccessible, except for communication on behalf of a group in which the user was the administrator.
Using the friends lists of 400 thousand users, the hackers were able to steal tokens from 30 million people. The attackers obtained users' personal data, including phone numbers, email addresses and more.
What information did hackers steal from 30 million Facebook users?
- For 15 million – names, email addresses and phone numbers.
- For 14 million – gender, language, relationship status, religion, hometown, city of residence, date of birth, education, work, last 10 geolocation marks, last 15 search queries, people and pages the users are subscribed to, addresses of personal sites (if indicated), and the types of devices used for authorization on Facebook.
- For about a million users, the hackers did not obtain any information.
In the near future, Facebook will start sending security alerts to affected users, which will appear at the top of the news feed. Through them, users will be able to find out which of their data the hackers obtained and what can be done now. In addition, a page has appeared on Facebook where users can check whether the attack affected them.
According to Facebook, the attack did not affect the company's other services, including Messenger, Messenger Kids, Instagram, WhatsApp, Oculus, Workplace, Pages, payments, third-party applications, as well as advertising accounts or developer profiles. The company noted that it is cooperating with the FBI to investigate the incident and that the bureau asked the social network not to disclose the names of those who may be behind the attack.
On September 28, Facebook announced that it had discovered a vulnerability through which hackers could take possession of access keys to 90 million user pages. Then, just in case, the social network “threw out” of the site all users who could potentially have been affected by the error, in order to update their access tokens.