Keeping up with Facebook privacy scandals is basically a full-time job these days. Two weeks ago, the company announced a massive breach with scant details. Then, this past Friday, Facebook released more information, revising earlier estimates about the number of affected users and outlining exactly what types of user data were accessed. Here are the key details you need to know, as well as recommendations about what to do if your account was affected.
30 Million Accounts Affected
The number of users whose access tokens were stolen is lower than Facebook originally estimated. When Facebook first announced this incident, it stated that attackers may have been able to steal access tokens—digital “keys” that control your login information and keep you logged in—from 50 to 90 million accounts. Since then, further investigation has revised that number down to 30 million accounts.
The attackers were able to access an incredibly broad array of information from those accounts. The 30 million compromised accounts fall into three main categories. For 15 million users, attackers accessed names and phone numbers, emails, or both (depending on what people had listed).
For 14 million, attackers accessed those two sets of information as well as extensive profile details including:
- Username
- Gender
- Locale/language
- Relationship status
- Religion
- Hometown
- Self-reported current city
- Birthdate
- Device types used to access Facebook
- Education
- Work
- The last 10 places they checked into or were tagged in
- Website
- People or Pages they follow
- Their 15 most recent searches
For the remaining 1 million users whose access tokens were stolen, attackers did not access any information.
Facebook is in the process of sending messages to affected users. In the meantime, you can also check Facebook’s Help Center to find out if your account was among the 30 million compromised—and if it was, which of the three rough groups above it fell into. Information about your account will be at the bottom in the box titled “Is my Facebook account impacted by this security issue?”
What Should You Do If Your Account Was Hit?
The most worrying potential outcome of this hack for most people is what someone might be able to do with this mountain of sensitive personal information. In particular, adversaries could use this information to turbocharge their efforts to break into other accounts, particularly by using phishing messages or exploiting legitimate account recovery flows. With that in mind, the best thing to do is stay on top of some digital security basics: look out for common signs of phishing, keep your software updated, consider using a password manager, and avoid using easy-to-guess security questions that rely on personal information.
The difference between a clumsy, obviously fake phishing email and a frighteningly convincing phishing email is personal information. The information that attackers stole from Facebook is essentially a database connecting millions of people’s contact information to their personal information, which amounts to a treasure trove for phishers and scammers. Details about your hometown, education, and places you recently checked in, for example, could allow scammers to craft emails impersonating your college, your employer, or even an old friend.
In addition, the combination of email addresses and personal details could help someone break into one of your accounts on another service. All a would-be hacker needs to do is impersonate you and pretend to be locked out of your account—usually starting with the “Forgot your password?” option you see on log-in pages. Because so many services across the web still have insecure methods of account recovery like security questions, information like birthdate, hometown, and alternate contact methods like phone numbers could give hackers more than enough to break into weakly protected accounts.
Facebook stated that it has not seen evidence of this kind of information being used “in the wild” for phishing attempts or account recovery break-ins. Facebook has also assured users that no credit card information or actual passwords were stolen (which means you don’t need to change those), but for many that is cold comfort. Credit card numbers and passwords can be changed, but the deeply private insights revealed by your 15 most recent searches or 10 most recent locations cannot be so easily reset.
What Do We Still Need To Know?
Because it’s cooperating with the FBI, Facebook cannot discuss any findings about the hackers’ identity or motivations. However, from Facebook’s more detailed description of how they carried out the attack, it’s clear that the attackers were determined and coordinated enough to find an obscure, complex vulnerability in Facebook’s code. It’s also clear that they had the resources necessary to automatically exfiltrate data on a large scale.
We still don’t know what exactly the hackers were after: were they targeting particular individuals or groups, or did they just want to gather as much information as possible? It’s also unclear if the attackers abused the platform in ways beyond what Facebook has reported, or used the particular vulnerability behind this attack to launch other, more subtle attacks that Facebook has not yet found.
There is only so much individual users can do to protect themselves from this kind of attack and its aftermath. Ultimately, it is Facebook’s and other companies’ responsibility to not only protect against these kinds of attacks, but also to avoid retaining and making vulnerable so much personal information in the first place.