A flaw in Facebook’s “view as” feature gave a group of hackers an opportunity to gain unauthorized access to millions of accounts. The company released its most comprehensive statement yet on exactly what data was taken as part of the breach.
According to the statement, the hackers stole access tokens for 30 million accounts, allowing them to gain complete access to the profiles. Of those 30 million, the hackers accessed basic contact information (name and either email or phone number) for 14 million accounts, and additional information including gender, religion, location, device information, and the 15 most recent searches for another 15 million accounts. No information was accessed for the remaining one million accounts.
Guy Rosen, Facebook’s vice president of product management, said, “We take these incidents really, really seriously.”
Facebook planned to notify all 30 million users through the Help Center in the coming days. Most importantly, Facebook said no data was taken from third-party apps linked to the accounts, including Facebook products like Instagram, Messenger and WhatsApp. At the same time, there may have been smaller but more invasive attacks during the same period that have yet to be uncovered by Facebook’s investigation.
The FBI is actively investigating the hack, but Facebook declined to give further details, saying the bureau had “asked us not to discuss who may be behind this attack.”