The personal information of nearly 30 million Facebook users was exposed as part of a recent data breach, the social media giant’s investigation has found.
Facebook revealed in late September that up to 50 million users had been caught up in a data breach involving vulnerabilities in the platform’s ‘view as’ function, which allows a user to see their profile as someone else would.
As a result, 90 million accounts were logged out and the vulnerability was resolved.
Now Facebook vice president of product management Guy Rosen has said that 29 million users were actually impacted by the breach, which was discovered by the company in mid-September following an “unusual spike in activity”.
On 25 September, the company determined that this was an attack on its platform, and two days later the vulnerability was closed and the users were logged out of their accounts for safety reasons.
According to Rosen, the hackers exploited three flaws in the ‘view as’ system, and used an “automated technique” to move from account to account, obtaining the access tokens that keep the users logged in.
This technique gave the hackers access to the personal info of 400,000 people, and they were then able to use these accounts' friends lists to steal the access tokens of nearly 30 million users.
Rosen said that 14 million of these users had personal data exposed, including name, contact details, relationship status, birthday, pages they follow and the last 10 places they have checked in to.
The other 15 million users had only their name and contact details accessed.
“People’s privacy and security is incredibly important and we are sorry this happened,” Rosen said. “We know that we will always face threats from those who want to take over accounts or steal information. And that is why we are continuing to invest so heavily in security and focusing on more proactive ways to protect people.
“We are fully committed to this work and we are going to do all we can to earn people’s trust.”
The attack is not believed to be related to the upcoming mid-term elections in the US, but Rosen said he was unable to provide any further detail on who was behind the attack and which countries were most impacted due to an ongoing FBI investigation.
There are also concerns that the type of data stolen could lead to further attacks, including phishing or identity theft. Users that were impacted by the breach will soon receive a message from Facebook telling them to be aware of “suspicious emails or text messages or things of that sort”.
Rosen said Facebook is now looking into ways to improve its processes to prevent similar breaches in the future.
“We are continuing to learn and understand what additional tools and what additional measures we take in order to ensure that we can not just address this class of problem - problems will always happen - but ensuring that we can move very fast to detect and very fast to address any problems that may occur,” he said.