Last month, Facebook suffered its largest security breach to date, which compromised 50 million user accounts; the flaw was later fixed by its investigation team to prevent further misuse. On Friday, 12th October, Guy Rosen, VP of Product Management at Facebook, shared details of the attack so that users would know the actual cause behind it.
A snapshot of the attack
Facebook discovered the issue on September 25th: the attackers exploited a vulnerability in Facebook’s code that existed between July 2017 and September 2018. The vulnerability arose from the interaction of three distinct software bugs affecting the ‘View As’ feature, which lets people see what their own profile looks like to someone else.
The attackers stole Facebook access tokens to take over people’s accounts. These tokens allow an attacker to take full control of the victim’s account, including logging into third-party applications that use Facebook Login.
Deciphering the attack: 29 million users were affected, not 50 million
Guy Rosen, in his update, stated: “We now know that fewer people were impacted than we originally thought. Of the 50 million people whose access tokens we believed were affected, about 30 million actually had their tokens stolen.”
Here’s what happened
The attackers already controlled a set of accounts connected to Facebook users. They then used an automated technique to move from one account to the next, stealing the access tokens of those accounts’ friends, friends of friends, and so on. This allowed them to reach about 400,000 users.
Guy writes, “this technique automatically loaded those accounts’ Facebook profiles, mirroring what these 400,000 people would have seen when looking at their own profiles. That includes posts on their timelines, their lists of friends, Groups they are members of, and the names of recent Messenger conversations”.
The attackers then used these 400,000 people’s friend lists to steal access tokens for about 30 million people. They split these 30 million into three batches of 15, 14 and 1 million, and accessed different amounts of data for the first two batches. For the 1 million people, the attackers did not access any information.
- For 15 million people, attackers accessed just the name and contact details (phone number, email, or both, depending on what people had on their profiles).
- For 14 million people, the attackers not only accessed name and contact details, but also other details people had on their profiles. This included username, gender, locale/language, relationship status, religion, hometown, self-reported current city, birthdate, device types used to access Facebook, education, work, the last 10 places they checked into or were tagged in, website, people or Pages they follow, and the 15 most recent searches.
Facebook will be sending customized messages to the 30 million affected people, explaining what information the attacker might have accessed and how they can protect themselves from the after-effects (such as suspicious calls, emails and messages).
Guy also clarified, “This attack did not include Messenger, Messenger Kids, Instagram, WhatsApp, Oculus, Workplace, Pages, payments, third-party apps, or advertising or developer accounts.”
Meanwhile, Facebook is cooperating with the FBI, the US Federal Trade Commission, the Irish Data Protection Commission, and other authorities to investigate how the attackers used Facebook and whether other, smaller-scale attacks took place.
To know more about this in detail, visit Guy Rosen’s official blog post.