Facebook Just Shared New Disturbing Details About its Massive Data Breach

“We have no reason to believe this attack was related to the midterms.”

Alexander Pohl/NurPhoto via ZUMA Press

Facts matter: Sign up for the free Mother Jones Daily newsletter. Support our nonprofit reporting. Subscribe to our print magazine.

Two weeks ago, Facebook warned that attackers may have accessed the accounts of up to 50 million users. Today, the company provided an update reporting that instead of 50 million accounts, only 30 million were accessed. But that the breach exposed a mass of private information including phone numbers, email addresses, and even recent location check-ins. 

Initially, the attackers were able to control 400,000 accounts through a vulnerability in Facebook’s “view as” feature, which allows users to see how their profile looks to other members. They quickly moved from account to account using automated script to collect the “access tokens”—which allow users to login on trusted devices without entering their password—for 30 million users. Attackers then accessed the name and either the phone numbers or email contacts (sometimes both) for 15 million users. For 14 million others, attackers accessed that basic information as well as ten most recent check-ins, gender, location, relationship status, religion, hometown, self-reported current city, birthdate, device types used to access Facebook, education, people or pages they follow, and 15 of the most recent searches.

The initial attack was discovered on September 21, when the company noticed a suspicious uptick in user login activity. They found that a breach was made possible by a vulnerability introduced in July 2017 through a video upload feature. Guy Rosen, vice president of product at Facebook, emphasized on a press call Friday that the exposed accounts were secured on September 27, when Facebook went public with the security breach. From now on, users would not have to log out and log back in again. 

The company also verified Friday that the “attack did not include Messenger, Messenger Kids, Instagram, WhatsApp, Oculus, Workplace, Pages, payments, third-party apps, or advertising or developer accounts.” There was a possibility that administrators of groups had their messages viewed, but messages of no individual users were exposed. Credit card numbers were also not compromised.

Facebook users will see messages like these in the coming days

But many questions still remain, the most important being who was behind the attack and what was the intended use of the breached information. “We have no reason to believe this attack was related to the midterms,” Rosen told reporters. He also stated that the company hasn’t ruled out “smaller scale” attacks that might have taken place in addition to the unusual behavior discovered in September. (A spokesperson for Facebook tells Mother Jones that the company is still investigating the initial vulnerability.) Rosen added that the FBI “asked them not to share any information that could compromise their investigation.” 

The company confirmed that it is cooperating with the US Federal Trade Commission and the Irish Data Protection Commission but declined to share a breakdown of affected users by country. The company assured its more than 2 billion users that it continues to invest in its security infrastructure, hiring 20,000 new employees this year for the task. 

Those who want to see if and how their accounts might have been affected can go to Facebook’s Help Center. The site will also be sending out customized notifications to users in the coming days.

THE TRUTH...

is the first thing despots go after. An unwavering commitment to it is probably what draws you to Mother Jones' journalism. And as we're seeing in the US and the world around, authoritarians seek to poison the discourse and the way we relate to each other because they can't stand people coming together around a shared sense of the truth—it's a huge threat to them.

Which is also a pretty great way to describe Mother Jones' mission: People coming together around the truth to hold power accountable.

And right now, we need to raise about $400,000 from our online readers over the next two months to hit our annual goal and make good on that mission. Read more about the information war we find ourselves in and how people-powered, independent reporting can and must rise to the challenge—and please support our team's truth-telling journalism with a donation if you can right now.

payment methods

THE TRUTH...

is the first thing despots go after. An unwavering commitment to it is probably what draws you to Mother Jones' journalism. And as we're seeing in the US and the world around, authoritarians seek to poison the discourse and the way we relate to each other because they can't stand people coming together around a shared sense of the truth—it's a huge threat to them.

Which is also a pretty great way to describe Mother Jones' mission: People coming together around the truth to hold power accountable.

And right now, we need to raise about $400,000 from our online readers over the next two months to hit our annual goal and make good on that mission. Read more about the information war we find ourselves in and how people-powered, independent reporting can and must rise to the challenge—and please support our team's truth-telling journalism with a donation if you can right now.

payment methods

We Recommend

Latest

Sign up for our free newsletter

Subscribe to the Mother Jones Daily to have our top stories delivered directly to your inbox.

Get our award-winning magazine

Save big on a full year of investigations, ideas, and insights.

Subscribe

Support our journalism

Help Mother Jones' reporters dig deep with a tax-deductible donation.

Donate