The massive data breach Facebook reported at the end of September isn’t quite as big as the company first thought it might be. That might sound like good news, but it isn’t likely to comfort the tens of millions of consumers who entrusted their personal data to the social-media juggernaut, only to have it stolen.
In a blog post on October 12, Facebook lowered its September 28 estimate of more than 50 million affected users to 30 million users.
The company had logged out 90 million of its roughly 2.5 billion users, those who had recently interacted with Facebook’s “View As” feature, after discovering that hackers had taken advantage of code vulnerabilities introduced in July 2017 to steal user data.
When asked by reporters on a phone call on Friday about where the hacked users were based, Guy Rosen, Facebook’s vice president of product management, said the attack was geographically broad.
“Nothing is more important to us than the security of people’s information, and that’s how we’ve approached this investigation,” he said, adding that Facebook plans to double its security and safety team to 20,000 employees in the coming year.
While Facebook was not forthcoming with a geographic breakdown of affected users, the Irish Data Protection Commission told The Parallax that “10 percent of the 30 million users affected by the data breach were EU users,” as first reported on Tuesday by CNBC. The Irish agency is leading the European investigation, as Facebook’s European offices are based there. Under the European Union’s General Data Protection Regulation, which went into effect this year, Facebook could be fined as much as $1.63 billion.
Contradicting the fears of some security researchers, Rosen said that thus far, Facebook “has not found any evidence” that its Facebook Login feature was breached. Facebook Login is a “single sign-on” technology that lets users sign in to non-Facebook services with their Facebook credentials instead of creating a separate username and password for each one.
Rosen said other unaffected Facebook services include “Messenger, Messenger Kids, Instagram, WhatsApp, Oculus, Workplace, Pages, payments, third-party apps, or advertising or developer accounts.”
He also rejected the idea that the breach was connected to U.S. elections, as Facebook’s Cambridge Analytica imbroglio was.
“We have no reason to believe this specific attack was related to the midterms,” he said. However, Rosen cautioned that other, smaller attacks might have occurred since the July 2017 introduction of the code vulnerabilities.
The FBI has asked Facebook not to divulge any details on who the suspected hackers are, Rosen said, adding that the company is working with the Federal Bureau of Investigation, the Federal Trade Commission, the Irish Data Protection Commission, and “other authorities.” It’s not clear how the hackers intend to use the data they stole, he said, though Facebook hasn’t seen it for sale on the Dark Web “yet.”
In the immediate aftermath of the breach, the biggest question for Facebook users has been whether they were affected and what they can do about it. While some may dismiss the data stolen from their accounts as trivial, malicious hackers have often used data stolen in breaches to advance financial scams or thefts of lucrative corporate data. Facebook itself has a long history of mishandling data belonging to its users and employees.
Here’s how you can tell whether your data was stolen—and what you should do about it.
Who was affected
The 30 million Facebook users whose data was stolen in the breach fall into one of four groups. Facebook said the hackers used a small group of accounts they controlled to steal access tokens. An access token is not a piece of code but a credential: a secret string Facebook’s servers issue after you log in and then accept in place of your password, so that you stay signed in as you move between the Facebook site, its apps, and other services that use your account. Whoever holds a valid token can act as that account without knowing its password, which is why stealing tokens was enough to take over accounts, and why logging users out (which invalidates their tokens) was Facebook’s first response.
They kept leapfrogging from account to account, across friends, and friends of friends, until they had access to approximately 400,000 accounts.
Of that first group of 400,000 accounts, the hackers could access “posts on their timelines, their lists of friends, groups they are members of, and the names of recent Messenger conversations.” Unless the person was a Facebook Page administrator, the message content remained protected.
The hackers then used those 400,000 accounts to access a total of 30 million accounts in varying ways.
Although the hackers stole the access tokens of the second group, about 1 million accounts, they did not access any data from those accounts. Facebook has not explained why.
The hackers accessed the names, along with emails and/or phone numbers of the third group, about 15 million users.
The hackers’ attack on the fourth group, about 14 million users, was the most invasive. Along with names and contact information, Facebook says the hackers stole data regarding their “username, gender, locale/language, relationship status, religion, hometown, self-reported current city, birth date, device types used to access Facebook, education, work, the last 10 places they checked into or were tagged in, website, people or Pages they follow, and the 15 most recent searches.”
How to tell if you were affected (and what to do about it)
Step 1: Make sure you’re logged into Facebook, then go to this Help Center page about the September breach: https://www.facebook.com/help/securitynotice.
Toward the bottom of the page, you should see a light-blue box with the heading, “Is my Facebook account impacted by this security issue?”
People who were not affected will see a message that reads, “Our investigation is still ongoing, but based on what we’ve learned so far, the attackers did not gain access to information associated with your Facebook account.”
Step 2: Facebook users whose data was stolen will see a different message.
“Based on what we’ve learned so far in our investigation, attackers accessed the following Facebook account information.” Facebook says affected users should also have seen a warning atop their News Feed.
Step 3: If Facebook says you were in one of the affected groups, you do not need to change your password or credit card info. Those data points were not stolen in the breach, the company says.
However, given the history of stolen data showing up in Internet scams, as well as extortion and phishing attempts, Facebook users whose data was stolen should watch out for spam and scam emails, text messages, and phone calls. This Facebook security page can help consumers determine whether an email or link sent from Facebook is legitimate, though historically, the answer to that question is usually “No.”
In addition to paying even more attention to potential scams, affected Facebook users should add two-factor authentication to their accounts. If you already use it with Facebook but receive a one-time SMS code to verify your account, consider switching to an authenticator app or a physical security key, given that the hackers stole Facebook users’ phone numbers: an attacker who can get your number moved to a phone they control also receives your SMS codes, whereas an app or key relies on a secret that never left your device. (The company also was recently caught using two-factor authentication phone numbers for marketing purposes.)
It’s also a good idea to add two-factor authentication to non-Facebook accounts, because scammers can use the data stolen from Facebook to trick online services, cell phone providers, and financial institutions into giving them account access.
If all of this makes you want to end your relationship with Facebook, we have a 7-step guide to help you break up.
Update at 12:38 p.m. PDT: Added number of European Facebook users affected by the breach.