How much damage did Facebook’s recent data breach cause?

Hackers stole detailed personal information from 14 million people — and more.
15 October 2018


Recently, Facebook declared that hackers had exploited a vulnerability in its interface and made off with data from 50 million users.

The company made the announcement within 72 hours of discovering the breach in order to meet the guidelines of prevailing data security laws such as the General Data Protection Regulation (GDPR). At the time, however, it had not yet made a full assessment of what went wrong or of the full extent of the breach.

A new announcement now provides details of the company’s evaluation of the attack, which was quite extensive even though it affected 60 percent of the number that Facebook initially reported.

“Of the 50 million people whose access tokens we believed were affected, about 30 million actually had their tokens stolen,” said Facebook VP of Product Management, Guy Rosen.

According to the report, the attackers already controlled a set of accounts, which were connected to Facebook friends. They used an automated technique to move from account to account so they could steal the access tokens of those friends, of friends of those friends, and so on, totaling about 400,000 people.

The attackers then used a portion of the 400,000 people’s lists of friends to steal access tokens for about 30 million people.

For 15 million people, attackers accessed two sets of information – name and contact details (phone number, email, or both, depending on what people had on their profiles).

For 14 million people, the attackers accessed the same two sets of information, as well as other details people had on their profiles.

This included username, gender, locale/language, relationship status, religion, hometown, self-reported current city, birthdate, device types used to access Facebook, education, work, the last 10 places they checked into or were tagged in, website, people or Pages they follow, and the 15 most recent searches.

For the remaining 1 million people, the attackers did not access any information.

In the coming days, Facebook will send customized messages to the 30 million people affected to explain what information the attackers might have accessed, as well as steps they can take to help protect themselves, including from suspicious emails, text messages, or calls.

Although the breach was disclosed quickly, it could deliver a serious blow to the users of the website, which is desperately trying to regain their trust after the Cambridge Analytica scandal came to light and the events and proceedings that followed.