Facebook mass hack last month was so totally overblown – only 30 million people affected

Good news: 20m feared pwned are safe. Bad news: That's still 30m profiles snooped...

Facebook users can relax and get back to interacting with quality content and authentic individuals on the social network.

Last month's deliberate theft of private account records from the internet giant, initially believed to affect 50 million or maybe 90 million accounts, turns out to be nowhere near that bad. Cough.

On Friday, the data-harvesting biz said a mere 30 million people were robbed of their authentication tokens – which could be, and were, used to log into their Facebook accounts. That's only 1.34 per cent of Facebook's total active users – which says more about the out-of-control size of the antisocial network than anything else.

"We now know that fewer people were impacted than originally thought," said Guy Rosen, VP of product management, during a conference call for the media on Friday morning, Pacific Time.

Initial worries that the token pilfering might have led to the compromise of third-party apps implementing Facebook Login turn out to be completely unfounded. Rosen said Messenger, Messenger Kids, Instagram, WhatsApp, Oculus, Workplace, Pages, payments, third-party apps, advertising and developer accounts were not affected. Bullet dodged.

For one million of the token deprived, the attackers took no information. For 15 million, they obtained names, phone numbers, and email addresses, if present in their profiles. For the remaining 14 million, they accessed not only profile data fields, but quite a bit more:

Username, gender, locale/language, relationship status, religion, hometown, self-reported current city, birthdate, device types used to access Facebook, education, work, the last 10 places they checked into or were tagged in, website, people or Pages they follow, and the 15 most recent searches.

Basically everything you need to, say, answer someone's security questions to gain control of their account on a website.

The social network previously confirmed to The Register that the accounts of Facebook CEO Mark Zuckerberg and COO Sheryl Sandberg were among those affected.

The attackers, Rosen said, would not have been able to access any message contents, unless the victim happened to be a Facebook Page admin whose Page had received a message from a Facebook user.

The anatomy of a hack

As recounted by Rosen, the attackers took advantage of a vulnerability in Facebook's code that existed between July 2017 and September 2018.

On September 25, Facebook determined that a spike in activity, identified previously as unusual, represented an attack. The anomalous traffic began on September 14.
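The article says the attack was caught as a spike in activity that had earlier been flagged as merely unusual. The following is an added example, not Facebook's code or telemetry, of the simplest defensive check behind that kind of signal: bucket token-issuance events per minute over a constructed log, build a robust baseline with the median and median absolute deviation, and flag minutes that exceed it. The log format and the account names are invented for the demo.

```python
"""Spike detection over token-issuance events (added example, constructed data)."""
import statistics
from collections import Counter

# Constructed per-minute issuance counts: ten quiet minutes, then a burst.
BASELINE = [3, 4, 5, 4, 5, 3, 5, 4, 5, 5]
SPIKE = [40, 55, 60]


def build_sample_log():
    """Return constructed log lines of the form '<minute> token_issued <account>'."""
    lines = []
    for minute, n in enumerate(BASELINE + SPIKE):
        for i in range(n):
            lines.append(f"2018-09-14T00:{minute:02d} token_issued account_{i}")
    return lines


def minute_counts(lines):
    """Count token_issued events per minute bucket (first whitespace-separated field)."""
    counts = Counter()
    for line in lines:
        fields = line.split()
        if len(fields) >= 2 and fields[1] == "token_issued":
            counts[fields[0]] += 1
    return counts


def flag_spikes(counts, k=5.0):
    """Flag buckets whose count exceeds median + k * MAD.

    Median and MAD are used instead of mean and standard deviation so that the
    spike itself does not drag the baseline upward. MAD is floored at 1 so a
    perfectly flat baseline still yields a usable threshold.
    """
    values = list(counts.values())
    med = statistics.median(values)
    mad = max(statistics.median(abs(v - med) for v in values), 1)
    threshold = med + k * mad
    return sorted(bucket for bucket, c in counts.items() if c > threshold)


if __name__ == "__main__":
    flagged = flag_spikes(minute_counts(build_sample_log()))
    print("spike minutes:", flagged)
```

A spike like this is a trigger for investigation, not a verdict: the article notes the anomalous traffic started on September 14 but was only determined to be an attack on September 25, which is the gap a rule of this kind is meant to shorten.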

Asked whether Facebook could provide any further insight into the identity, location, or intentions of the attacker(s), Rosen said Facebook has been working with the FBI to investigate the incident and the agency asked the company to refrain from discussing who might be responsible.

The synergy between three separate software bugs allowed the miscreants to misuse Facebook's View As feature – which lets users see their accounts as someone else would – to steal the access tokens associated with the viewed account. Such tokens are what allow users to interact with Facebook without logging in every time they send or receive data from the site.

With an initial set of accounts under their control, the attackers, said Rosen, exploited the vulnerable code to run a script that collected access tokens from their friends and the friends of their friends, representing a group of about 400,000 people. They then used the friend lists of those 400,000 seed accounts to steal access tokens from 30 million accounts.
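The defect class described above is a preview feature that hands out a token for the account being viewed rather than for the person doing the viewing. The block below is an added illustration, not Facebook's code: a toy token service with the buggy "view as" rendering beside a hardened one that binds the token to the authenticated viewer and a narrow preview scope, a check that catches a token whose subject differs from the requester, and the kind of bulk token reset the article says was applied to affected accounts. The signing key, account names and scope names are all constructed.

```python
"""Toy access-token service: 'view as' defect and its fix (added example)."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass

SERVER_KEY = b"constructed-demo-key"  # placeholder for the demo, not a real secret


@dataclass(frozen=True)
class Token:
    subject: str        # account the token acts on behalf of
    scopes: frozenset   # what the bearer may do
    nonce: str
    sig: str


class TokenService:
    def __init__(self):
        self.issued = {}  # nonce -> Token, the set of currently active tokens

    def _sign(self, subject, scopes, nonce):
        msg = f"{subject}|{','.join(sorted(scopes))}|{nonce}".encode()
        return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()

    def mint(self, subject, scopes):
        scopes = frozenset(scopes)
        nonce = secrets.token_hex(8)
        tok = Token(subject, scopes, nonce, self._sign(subject, scopes, nonce))
        self.issued[nonce] = tok
        return tok

    def is_valid(self, tok):
        """A token is valid only if its signature checks and it has not been reset."""
        expected = self._sign(tok.subject, tok.scopes, tok.nonce)
        return tok.nonce in self.issued and hmac.compare_digest(expected, tok.sig)

    def reset_all_for(self, accounts):
        """Invalidate every active token for the given accounts; returns how many."""
        before = len(self.issued)
        self.issued = {n: t for n, t in self.issued.items() if t.subject not in accounts}
        return before - len(self.issued)


def render_view_as_vulnerable(svc, viewer, viewed):
    """Buggy preview: an embedded component needs a token and is handed one
    for the account being previewed, so a request by `viewer` yields a
    full-scope token for `viewed`."""
    return svc.mint(viewed, {"read", "write", "friends"})


def render_view_as_fixed(svc, viewer, viewed):
    """Hardened preview: the token is always bound to the authenticated viewer
    and carries only a read-only preview scope; `viewed` is a rendering hint,
    never a token subject."""
    return svc.mint(viewer, {"preview"})


def token_escalates(requester, tok):
    """Server-side sanity check: a token minted for someone other than the
    authenticated requester is a privilege escalation, whatever its scopes."""
    return tok.subject != requester


if __name__ == "__main__":
    svc = TokenService()
    bad = render_view_as_vulnerable(svc, "alice", "bob")
    good = render_view_as_fixed(svc, "alice", "bob")
    print("vulnerable token subject:", bad.subject, "escalates:", token_escalates("alice", bad))
    print("fixed token subject:", good.subject, "escalates:", token_escalates("alice", good))
    print("tokens reset for bob:", svc.reset_all_for({"bob"}))
```

The `token_escalates` check is the cheap guard worth having even when the rendering code is believed correct: it is evaluated against the authenticated session, not against whatever identity the preview path asked for.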

On September 27, Rosen said Facebook closed the vulnerabilities, secured affected accounts, and reset access tokens for those accounts. He said Facebook is looking into the possibility of smaller scale attacks.

Expect a call

Facebook has posted a summary of the incident in its Help Center and plans to send customized messages to the 30 million people affected – that's the sort of thing you can do when you have access to people's data – explaining what information was nabbed and steps that can be taken to prevent further damage.

"People's privacy and security is incredibly important and we're sorry this happened," said Rosen.

That sorrow has limits. The Register asked Facebook whether it intends to pay for identity theft monitoring for the 30 million people affected, a common act of contrition following data thefts.

A Facebook spokesperson said, "Not at this time; the resources we are pointing people toward are based on the actual types of data accessed – including the steps they can take to help protect themselves from suspicious emails, text messages, or calls."

Nonetheless, Facebook may end up opening the corporate coffers to make things right. The company offered no details about how many of those affected reside in the EU where the data protection regime (GDPR) allows for penalties that bring tears to the eyes of accountants.

"We'll have to see what Facebook discloses about potential liability if any exists," said Pravin Kothari, CEO of CipherCloud, in an email to The Register. "The calculations of the potential fines under GDPR are a bit mind-boggling with any possible impact to millions of users." ®
