Facebook said today the number of users who had their Facebook authentication tokens stolen in a security breach that took place last month is actually 30 million, and not 50 million, as the company initially announced.
Attackers stole authentication tokens for these 30 million accounts, but they also stole additional data for 29 million, Facebook said.
- For 15 million users, attackers harvested name and contact details (phone number, email, or both, depending on what people had on their profiles).
- For 14 million users, attackers harvested the same info as above, plus username, gender, locale/language, relationship status, religion, hometown, self-reported current city, birthdate, device types used to access Facebook, education, work, the last 10 places they checked into or were tagged in, website, people or Pages they follow, and the 15 most recent searches.
- For 1 million, attackers only collected access tokens.
The social network said it’s working with the FBI to identify the attackers, and could not reveal additional information about the source of the attacks.
But while answering questions in a phone conference today, Guy Rosen, Facebook’s VP of Product Management, said Facebook did not identify attempts to use any of the stolen tokens.
Even if the attackers had tried to use the tokens, they wouldn’t have worked, Rosen said, because Facebook had invalidated all the stolen tokens on September 28.
Rosen also said Facebook did not find any evidence suggesting the tokens were used with the Facebook Login feature either, which would have allowed the attacker to log into third-party apps via Facebook tokens.
The Facebook exec also went into more detail on how the attack unfolded. He said attackers initially used accounts under their direct control, which they had likely created themselves, to exploit the vulnerability in the “View As” feature and steal tokens for the friends of those original accounts. They then used the same vulnerability over and over again until they had gathered tokens for around 400,000 accounts, which Rosen referred to as “seed accounts.”
Once they had the tokens for the seed accounts, Rosen said the attackers used the tokens to access the 400,000 accounts and deployed scripts to harvest even more tokens at a larger and automated scale.
This activity triggered a massive traffic spike, which Facebook engineers detected on September 16. After investigating the source of the traffic, Facebook concluded on September 26 that it was a coordinated attack, patched the View As vulnerability on September 27, and went public with the breach on September 28.
“In the coming days, we’ll send customized messages to the 30 million people affected to explain what information the attackers might have accessed, as well as steps they can take to help protect themselves, including from suspicious emails, text messages, or calls,” Rosen added separately, in a blog post.
Mockups of those messages are available below. Until then, Facebook also launched a Help Center page where everyone can go and see if they’re one of the 30 million unlucky users who had their token stolen.