Facebook revealed that hackers gained unauthorized access to more than 30 million accounts, 14 million of which contained sensitive information including gender, names, email addresses, phone numbers, location check-ins, and more. The attack had also disclosed the private messages of more than 400,000 users.
The revelation comes after two weeks of investigation. The company lowered its estimate of how many users had been hacked from an original approximation of at least 50 million to 30 million—and also reported how the attack could have happened.
According to the company, hackers exploited three vulnerabilities in the "View As" feature, which allows users to see what their profile looks like to other users, in order to obtain access tokens that could be used to take over user accounts. The vulnerabilities had existed since July 2017, but Facebook first noticed a spike in questionable activity on Sept. 14, 2018, which led, on Sept. 25, 2018, to the discovery of the bugs and of the attack that exploited them.
“With these access tokens an attacker could get into people’s accounts,” Guy Rosen, Facebook's vice president of product management, told reporters in a call on Friday. “We’re looking at approaches that could address this class of problem and ensuring that we can catch them faster and minimize their impact.”
Information like names and birth dates can be used to access banking accounts or medical records over the phone, said John Simpson, director of privacy and technology at Consumer Watchdog, a consumer advocacy group. That type of information "can be tremendously empowering" to hackers. It can be parlayed into information that is used to scam individuals, resulting in potentially costly and damaging outcomes.
The social media company has set up a page for users to find out if they have been affected by the breach. To access it, users simply need to log in and visit Facebook's security notice page. If your account has not been hacked, Facebook will display the following message:
"Based on what we've learned so far, your Facebook account has not been impacted by this security incident. If we find more Facebook accounts were impacted, we will reset their access tokens and notify those accounts."
If your account has been hacked, Facebook will let you know which private information the hackers have accessed.
"While we don't know if the attackers will use any of the information they accessed, it appears the information may allow them or other third parties to use it to create and spread spam on and off Facebook," a message to an affected account reads. "We're actively working with law enforcement as we continue to investigate."
One option to safeguard your information in the future is to delete the sensitive information that Facebook has access to or delete your account.