More than 100,000 Australians were caught up in a Facebook privacy breach late last year that impacted 29 million people around the world, documents have revealed.
Emails between Facebook and the Office of the Australian Information Commissioner, released under the Freedom of Information Act, reveal that the social media giant believes up to 111,813 Australian users had their personal information breached in September last year.
Late last year, Facebook revealed it had been the target of a “network incident” in which hackers exploited three intersecting bugs. Together, the bugs exposed the access tokens that keep a user logged in across devices when a user switched their profile to “view as” mode, the feature that lets people see their profile as someone else would.
With those tokens, the hackers could access parts of the information stored on the account, including names, contact information and locations the user had visited.
Facebook wrote to the OAIC on 29 September 2018 to inform it of an “attack” on its systems by an “external actor”.
In October the company provided a voluntary update, outlining that it believes up to 111,813 Australian users had been impacted.
“We have been working extensively to determine whether the potentially affected accounts were misused or whether any information was accessed by the attacker,” Facebook wrote to the OAIC. “Following further investigations it appears information was obtained by the attacker.”
Nearly 50,000 of the impacted users may have had their full name, email address and phone number accessed, while more than 60,000 may also have had their gender, locale, relationship status, work history, website, search queries and recently checked-in locations accessed.
About 1,500 of the impacted users may also have had posts on their timeline, their friends list and the names of recent Messenger conversations accessed.
Facebook claimed it did not believe the hackers had accessed other, more sensitive information such as passwords, identity documentation, financial information or payment card information.
In the emails to the OAIC, Facebook also claimed it did not believe that the breach was eligible to be reported under Australia’s Mandatory Data Breach Notification scheme, which was launched last year.
There was another Facebook privacy breach this month, after it was revealed that passwords had been stored in plain text on the company’s internal systems.