Social network revises down the number of accounts affected, but still doesn’t offer fraud protection
Facebook has reduced the number of people it thinks were impacted by the data breach earlier this month.
Facebook had initially revealed that 50 million accounts were accessed, after hackers exploited flaws in the social network’s code.
It has now revised this figure down to 30 million accounts, but the social networking giant is still not offering victims of its latest data breach any identity fraud protection.
Facebook offered up more information on the data breach late on Friday, saying it had been “working around the clock to investigate the security issue.”
“We have not ruled out the possibility of smaller-scale attacks, which we’re continuing to investigate,” wrote Facebook’s head of product management, Guy Rosen, in a blog post.
“As we’ve said, the attackers exploited a vulnerability in Facebook’s code that existed between July 2017 and September 2018,” he wrote. “The vulnerability was the result of a complex interaction of three distinct software bugs and it impacted “View As,” a feature that lets people see what their own profile looks like to someone else.”
“We now know that fewer people were impacted than we originally thought,” Rosen wrote. “Of the 50 million people whose access tokens we believed were affected, about 30 million actually had their tokens stolen.”
Rosen said that for 15 million people, the attackers had accessed two sets of information – name and contact details (phone number, email, or both, depending on what people had on their profiles).
In addition, the attackers could see the posts and lists of friends and groups of about 400,000 users.
But the most severely impacted users (a group of around 14 million) saw the attackers access the same two sets of information, as well as other details they had on their profiles.
This unfortunately “included username, gender, locale/language, relationship status, religion, hometown, self-reported current city, birthdate, device types used to access Facebook, education, work, the last 10 places they checked into or were tagged in, website, people or Pages they follow, and the 15 most recent searches.”
The remaining one million people did not see the attackers access any personal information.
Facebook has published a page where users can find out if they have been directly affected, but the social networking giant is still not offering affected users any form of free identity fraud protection service.
“This attack did not include Messenger, Messenger Kids, Instagram, WhatsApp, Oculus, Workplace, Pages, payments, third-party apps, or advertising or developer accounts,” said Rosen. “As we look for other ways the people behind this attack used Facebook, as well as the possibility of smaller-scale attacks, we’ll continue to cooperate with the FBI, the US Federal Trade Commission, Irish Data Protection Commission, and other authorities.”
The data breach raises the nightmare possibility for Facebook’s management of a General Data Protection Regulation (GDPR) fine in Europe.
The Irish Data Protection Commission, which is acting as the lead investigator on this side of the pond as Facebook has its European headquarters in Ireland, last week opened an investigation into the breach.
Similar investigations are also reportedly underway in the US states of Connecticut and New York.
In Europe, the hack could result in Facebook being issued with a maximum fine of up to $1.63bn (£1.25bn), which is approximately 4 percent of its annual global revenue.